The DIFC Data Protection Law (“DPL”) is an internationally recognised privacy law requiring firms to have a comprehensive data protection framework. The objective of the DPL is to protect personal data, whilst allowing individuals to exercise their rights over their data. The requirements are extensive, and the balance between the individual's rights and the business's needs can often be complex. The DPL requires the principles of data protection to be built into the fabric of the organisation; maintaining compliance on an ongoing basis should therefore be treated as a priority.
Failure to act or implement suitable measures may be punishable by the DIFC Data Protection Commissioner with fines of up to $100,000 per breach.
The DIFC Data Protection Commissioner also reserves the right to impose an additional unspecified fine for severe failures.
Data Protection Officer (“DPO”) or Data Protection Contact
All firms are required to register an individual as a contact with the DIFC Data Protection Commissioner, and in addition to this, some firms may be required under the legislation to formally appoint a DPO to ensure the firm complies with its legal responsibilities.
Data Processing Map
One of the key requirements of the DPL is to create a suitable data processing map, also known as a Record of Processing Activity ("ROPA"). All firms are expected to consider the nature of the data collected, how it is processed, where it is held, as well as whether it has been transferred to a jurisdiction outside of the DIFC. This document will work as an inventory of data held by the firm as well as a processing flow map, the latter being an invaluable tool should you receive a request from an individual to exercise their extensive rights. Firms will find it difficult to comply with the DPL without a data processing map.
Whilst the extent of the requirements may differ from firm to firm, the high-level checklist included in our Regulatory Insight article 'DIFC Data Protection Law - What you should do now' will act as a guide to assist your Firm with updating its framework from Data Protection Law, Law No. 1 of 2007 to the current requirements.
What support is available to help your firm comply with the DPL?
Our team of consultants is able to provide your firm with support in the following ways:
Implementation project - 20 hours
We can conduct a health check of your data protection operations and create a bespoke project plan, with the option to assist with remediation work.
We will assess your current framework against the DPL requirements and provide you with a comprehensive report. Once the report is complete, we will create a tailored implementation project plan. The project plan will focus on key policy and procedure requirements as well as considerations for each of the business functions including IT, legal, compliance and training. We will offer advice on best practice and will be available to answer any questions that you may have during your implementation. If you require further assistance following this process, we can provide remediation support on a project or hourly rate basis.
Providing Ongoing Support: Outsourced Data Protection Officer – monthly retainer
On completion of the project plan or following your internal implementation of the DPL, you can engage our experienced consultants to act as your Data Protection Officer on an outsourced basis and be registered with the DIFC Data Protection Commissioner. You will be allocated up to 8 hours of support per month, with any hours provided above this charged at our standard hourly rate. Your consultant will oversee your Firm’s processing activities, ensuring compliance with the DPL, as well as conducting biannual health checks including policy updates, where required. Your consultant can provide advice and support with Data Subject Access Requests where they occur.
As the first consultancy firm to become established in the DIFC in 2006, we have experienced consultants who are able to guide you through the details of the DPL as well as the changes you will need to implement within your firm.
What should you do now?
If you suspect that there may be a gap in your data protection framework, you need to take action now. If your Firm needs guidance or support with implementing the DIFC Data Protection Law, contact us now.