On 1 June 2020, the Dubai International Financial Centre (DIFC) passed the Data Protection Law No. 5 of 2020 in a bid to enhance the hub’s practices.
The law will come into effect from 1 July 2020 and will replace the current law, Data Protection Law DIFC Law No. 1 of 2007, which will remain in effect until this date.
But due to the coronavirus, the requirements of the law will be enforced from 1 October 2020 to give firms more time to adapt.
The Data Protection Law has combined the best practices from a variety of current data protection laws around the world, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.
Key changes for the DIFC’s law include direct obligations on data processors, enhanced provisions dealing with processing on the basis of consent and legitimate interests, and enhanced accountability requirements.
Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity of such rights when engaging with providers of emerging technology, such as Blockchain and Artificial Intelligence (AI).
The law also imposes obligations on controllers and processors to appoint a data protection officer if certain criteria are met, as well as enhanced obligations where a controller appoints a processor.
It also offers clarification regarding international transfers and removal of the permit-to-transfer process under the previous law.
There will be general fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits.
Paul Smith, chief risk officer at Quilter International: “It is a natural progression as a number of countries in the region have enhanced their data protection legislation over the last 12 months or so.
“Firms that have already implemented GDPR across their group should already have a number of these concepts in place.
“Whilst it follows GDPR in the main, there are some differences, such as allowing for technology development that may cause friction with data protection requirements and provisions for non-discrimination where data subjects exercise their rights.”