Saad Maniar FCCA, senior partner at Crowe and chairman of ACCA’s member advisory committee in UAE

The Dubai International Financial Centre (DIFC) has recently enacted a new data protection law (DIFC Law No. 5 of 2020), which came into force on 1 July 2020. The new law enhances data protection practices and strengthens the DIFC’s existing data protection regime.

Companies and organisations have a three-month transition period to ensure they are compliant with the new law. The law applies to all businesses incorporated in the DIFC that process personal data (regardless of where that data is processed).

The law combines best practices from a variety of global data protection laws, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. It also includes appropriate data-sharing structures between government authorities to enhance data-sharing standards in the region.

Important changes

Highlights of the new law include:

  • the requirement for clear, unambiguous and free consent from a data subject (who has the right to withdraw that consent at any time) for processing their personal data
  • the introduction of the concept of ‘high-risk processing activities’, and a requirement that data controllers must conduct a data protection impact assessment prior to conducting such activities
  • the requirement for data protection officers to be appointed where high-risk processing activities are conducted regularly and systematically
  • the withdrawal of the list of approved countries that meet the adequacy requirements for data transfers outside the DIFC, and the removal of the requirement to obtain a permit or other written authorisation from the DIFC commissioner of data protection prior to making transfers of data or processing special category personal data outside the DIFC
  • for data transfers to countries having inadequate levels of protection, the commissioner’s written authorisation or permit is also no longer obligatory. The controllers/processors must have in place appropriate safeguards, ie the use of standard data protection clauses as adopted by the commissioner, or an approved code of conduct or approved certification together with the controller/processor’s commitment to provide appropriate safeguards
  • the enhancement of the rights of data subjects in line with the corresponding GDPR provisions
  • the introduction of general and administrative fines for breaches of the new law, as well as higher maximum fines.