The Abu Dhabi Global Market (“ADGM”) has introduced the Data Protection Regulations 2021 (“DPR”), superseding the Data Protection Regulations 2015 and enhancing the ADGM data protection framework in line with international standards.
The new regulations draw predominantly on the General Data Protection Regulation (“GDPR”), adjusted for the particular characteristics of the ADGM market. The regulations are intended to be ‘proportionate and business friendly’, allowing the safe and efficient flow of data between jurisdictions deemed to have adequate data protection frameworks. The regulations set clear and comprehensive expectations for businesses that process personal data, whether they act as the ‘Controller’, the organisation that determines the purposes and means of the processing, or as the ‘Processor’, the organisation that processes the data on the Controller’s documented instructions.
Why has the DPR been introduced?
Personal data is a valuable asset which, historically, has been undervalued and therefore subject to neglect, unauthorised distribution and crime. Because of the interconnectivity of international businesses in the ADGM, and because many of those businesses are technology driven, vast amounts of data are processed and managed in the region. Personal data commands a high price, especially on the black market, so jurisdictions have issued guidance to businesses to improve data transfer practices and strengthen consumer trust. Data loss, breaches and cyber crime can cause extensive damage to a firm’s reputation and can cause financial loss not only through fines and compensation claims, but also by straining internal resources.
What is new?
The DPR is notably prescriptive and requires comprehensive reporting, enhanced data protection frameworks and detailed documentation of processing activities, with the aim of promoting transparent processing. However, familiar concepts from the 2015 regulations remain, such as the principles of data processing. Firms will notice that processing agreements, security obligations and international transfer measures are still required, but the DPR clarifies how they are to be interpreted, creating a more robust framework.
To support the DPR, the ADGM has established the Office of Data Protection, independent of the Registrar, to promote awareness, share best practice, handle data subjects’ complaints, and administer the regulations and supporting guidance.
How much time do firms have to implement the changes?
The regulations allow established firms until 11th February 2022 to update their existing framework and ensure they are compliant. Firms established after the DPR comes into force have until 11th August 2021 to incorporate it into their framework. Firms should be aware that, although fines are capped, they can reach USD 28 million, and the expectations placed on a firm’s data protection infrastructure are extensive.
Which firms are required to have a DPO?
Firms must appoint a Data Protection Officer (“DPO”) where they:
- are a public authority;
- have core activities consisting of processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
- have core activities consisting of Processing on a large scale of Special Categories of Personal Data.
To support smaller firms, the regulations provide a DPO exemption for firms classed as Small or Medium-sized Enterprises (“SME”) that do not conduct high-risk processing activities.
What is the DPO responsible for?
The DPO is responsible for:
- handling any Data Subject Access Requests (“DSAR”) in a timely and comprehensive manner;
- training staff on data protection processes, policies and developments;
- overseeing the data protection operations and infrastructure;
- ensuring data subjects can successfully exercise their rights;
- keeping up to date with ADGM guidance and rulings on data protection;
- assessing the firm’s processing operations using a Data Protection Impact Assessment (“DPIA”) and implementing mitigating measures;
- acting as the point of contact with the Commissioner of Data Protection for any enquiries or complaints to or against the firm; and
- sharing their knowledge with the firm.
The DPO is not required to be located in the ADGM, nor does the DPO role have to be their only position, which means that DPOs can be either outsourced or shared within the firm’s group.
The DPR enhances firms’ obligations for the benefit of their data subjects. Among the more significant requirements, firms must communicate a breach to the affected data subjects, without undue delay, where the breach is likely to result in a high risk to their rights, unless limited exceptions apply.
Firms are also required to notify the Commissioner of Data Protection within 72 hours of becoming aware of a data breach where there is a risk to the rights of natural persons. In addition, to increase accountability, where a breach has occurred and it is practical to do so, the firm must advise both the affected data subjects and the Commissioner of Data Protection of the steps taken to mitigate the effects of the breach.
The full list of the data subject’s rights under the DPR are as follows:
- Right of access by the data subject;
- Right of rectification;
- Right to erasure;
- Right to restriction of processing;
- Notification of erasure or restriction of processing;
- Right of data portability;
- Right to object; and
- Right to be notified of individual decision-making including profiling.
As before, all data subjects’ rights may be limited by applicable law. Requests must be either actioned or rejected within two months of receipt, with the deadline extendable by one further month in limited circumstances.
In a further effort to make firms more accountable, the DPR requires firms to conduct a DPIA before commencing any processing activity that results, or is likely to result, in a high risk to the rights of data subjects. Where the DPIA concludes that the activity remains high risk even after the firm’s mitigation measures are applied, the firm must notify the Commissioner of Data Protection. Firms are also required to maintain a record of processing activities (“ROPA”) that tracks their processing activities and cross-jurisdiction transfers and formalises their erasure dates, amongst other details, cementing a habitual accountability practice. Both exercises require firms to consciously consider data subjects’ rights and security when processing data or starting new processing activities.
Although international transfer restrictions existed in the 2015 regulations, the DPR has honed the requirements, restricting the use of transfer permits to non-adequate jurisdictions and moving instead towards internationally recognised safeguards. Firms can now rely on binding corporate rules, standard contractual clauses, legally binding and enforceable instruments between public authorities, and codes of conduct or certification mechanisms approved by the Commissioner of Data Protection. Whilst firms may continue to rely on international transfer permits granted under the old regime, the Commissioner of Data Protection retains the right to revoke them.
The terminology has been largely updated to align with internationally recognised standards. Key definitions such as ‘processing’, ‘controller’ and ‘joint controllers’ have been clarified, whilst new terms such as ‘biometric data’, ‘state of the art’, ‘high risk processing activities’ and ‘profiling’ have been introduced so that the regulations meet contemporary business needs.
Where firms intend to process special categories of personal data, the DPR requires documentation setting out how the Controller intends to comply with the principles of processing personal data, together with the firm’s retention and erasure policy. The documents must be retained, reviewed and, where required, updated, and must be made available to the Commissioner of Data Protection on request. This can take the form of a single policy or may refer to multiple policies.
Firms processing personal data are required to pay a fee to the Office of Data Protection and to submit a processing notice. The notice provides the firm’s contact details and the date on which processing commenced to the Commissioner of Data Protection. Firms will need to pay a renewal fee on each anniversary of the initial notification.
Firms with fewer than five employees that do not conduct high risk processing activities are exempt from this requirement. Firms should be aware that a fixed fine of 150% of the data protection fee applies if the payment deadline is missed.
What should your firm do now?
The DPR is a significant undertaking compared to the 2015 regulations, and firms should review the legislation carefully before implementing changes to their policies, procedures, systems and contracts. Details of the support available to you can be found here.
If your Firm needs guidance or support with implementing the ADGM Data Protection Regulations, contact our data protection team.