The Dubai International Financial Centre (DIFC) Data Protection Law (DIFC Law No. 5 of 2020) is a comprehensive legal framework that regulates the collection, processing and transfer of personal data within the DIFC. It aligns the free zone's data protection regime with international standards, in particular the EU GDPR, and gives individuals more control over their personal information.
The law is modelled closely on the GDPR, so businesses operating in the DIFC are held to a comparable standard of data protection while individuals gain comparable rights over their data. Organizations must comply to avoid administrative fines and reputational damage, and to preserve the trust of their clients and customers.
The DIFC Commissioner of Data Protection is the regulator responsible for enforcing the law, conducting audits and investigations, and issuing directions and fines where necessary.
Who Does it Apply to?
The law applies to any controller or processor incorporated in the DIFC, regardless of where the processing actually takes place, and to any controller or processor, wherever incorporated, that processes personal data in the DIFC as part of stable arrangements rather than on an occasional basis. In practice this covers financial institutions, professional services firms and other businesses operating in the centre, as well as their service providers.
Key Features of the Regulation
The law grants data subjects various rights, providing individuals more control over their personal data. These rights include:
- Right to Access: Individuals have the right to access the personal data held by organizations.
- Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.
- Right to Erasure: Data subjects can request the deletion of their personal data under certain circumstances.
- Right to Restrict Processing: Individuals may request restrictions on how their data is processed.
- Right to Data Portability: Data subjects can request that their data be transferred to another organization in a machine-readable format.
- Right to Object: Individuals can object to the processing of their data in specific contexts.
Organizations covered by the DIFC Data Protection Law must implement data protection policies and procedures to demonstrate compliance. These include conducting Data Protection Impact Assessments (DPIAs) before high-risk processing activities and appointing a Data Protection Officer (DPO) where the law requires one: DIFC bodies, and controllers or processors whose core activities involve high-risk processing on a systematic or regular basis. Entities must also maintain records of their processing activities and keep their data handling practices aligned with the law's requirements.
The law requires controllers and processors to implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration or misuse. Technical measures include encryption, secure storage and access controls; organizational measures include staff training, documented procedures and internal audits. The measures should be proportionate to the risk of the processing and reviewed as that risk changes.
Personal data may be transferred outside the DIFC only to jurisdictions that the Commissioner has recognized as providing an adequate level of protection, or where appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or binding corporate rules. Failing that, a transfer may rely on one of the law's limited derogations, such as the data subject's explicit consent to the specific transfer.
Unlike the GDPR, the DIFC law does not set a fixed 72-hour deadline: a controller must notify the Commissioner of Data Protection as soon as practicable after becoming aware of a personal data breach that compromises the confidentiality, security or privacy of personal data. Where the breach is likely to result in a high risk to the security or rights of the affected individuals, the controller must also notify those individuals.
Penalties for Non-Compliance
Non-compliance with the DIFC Data Protection Law can result in substantial fines. The law's schedule of administrative fines sets amounts per contravention ranging from USD 25,000 to USD 100,000 depending on the provision breached; failing to implement required measures, failing to conduct a DPIA, or failing to honour data subject rights can attract fines of up to USD 50,000 per contravention. The Commissioner may also issue directions requiring an organization to remedy a breach.
DIFC DPL Solutions
Advoke International provides comprehensive solutions tailored to support your organization in achieving full compliance with the DIFC DPL.
- DIFC DPL Gap Analysis
- Privacy Framework Implementation
- DIFC DPL Readiness Assessment
- Complete DIFC DPL Compliance Review
Frequently Asked Questions
Who does the DIFC Data Protection Law apply to?
The law applies to controllers and processors incorporated in the DIFC, wherever the processing takes place, and to entities outside the DIFC that process personal data in the DIFC as part of stable arrangements. This includes financial institutions, professional services firms and any organization processing personal data in the DIFC jurisdiction, together with service providers acting on their behalf.
What should I do if my personal data is mishandled or a breach occurs?
If your personal data is mishandled or a data breach occurs, you have the right to lodge a complaint with the DIFC Commissioner of Data Protection. In addition, where a breach is likely to result in a high risk to your security or rights, the controller is obliged to notify you directly.
Does this law apply to personal data collected before its enactment?
Yes. The DIFC Data Protection Law governs the processing of personal data, not merely its collection, so it applies to personal data already held by an organization when the law came into effect. Businesses must ensure that all of their processing activities are compliant, regardless of when the data was obtained.
What is a Data Protection Impact Assessment (DPIA), and when is it required?
A Data Protection Impact Assessment (DPIA) is a documented process for assessing the risks that a processing activity poses to data subjects' rights and privacy. It is required before carrying out high-risk processing, for example processing that uses new technologies, large-scale monitoring or profiling, or processing of special categories of personal data such as health or biometric data. A DPIA identifies the risks, records the measures taken to mitigate them, and helps demonstrate compliance with the law's requirements.