Privacy laws have never been as important as they are today, now that data travels the world through borderless networks. As part of its 50th anniversary, the UAE has issued a set of sweeping legal reforms, including enacting the much-anticipated Data Protection Law, which was issued in September.
The new legislation will regulate the collection and processing of personal data in the country. This long-awaited development is in line with wider international practices in protecting the privacy of individuals and personal data.
Part of an ambitious set of legal reforms intended to place the UAE at the forefront of digitisation in the Middle East, the Data Protection Law is similar to the EU General Data Protection Regulation (GDPR) and the recently issued Personal Data Protection Law in Saudi Arabia. The law will have extra-territorial reach: it will apply to any organisation established in the UAE that processes personal data of data subjects inside or outside the UAE, as well as to any organisation established outside the UAE that processes personal data of data subjects inside the UAE.
The privacy law is expected to be welcomed by local, regional and international businesses that rely on personal data and international personal data flows, but businesses with existing global privacy compliance programmes will need to extend them to cover the UAE Data Protection Law.
Businesses that are not already compliant with the GDPR may find some of the new obligations challenging. For example, the new Data Protection Law introduces rights for individuals to access, rectify and delete their data, to restrict processing, to request cessation of processing or transfer of their data, and to object to automated processing.
The Data Protection Law creates a framework to ensure confidentiality and to protect the privacy of individuals (data subjects) by requiring organisations that fall within the scope of the Data Protection Law to implement appropriate governance for the management and protection of personal data.
A single national data privacy regulator, the UAE Data Office, will be established under a separate statute to regulate the implementation of the Data Protection Law.
There are also new requirements around transfers of data outside the UAE, and an obligation to notify the new data protection regulator of data breaches. The data security and breach notification obligations will raise the stakes for businesses in the UAE to take cyber security seriously.
Here are some of the key features of the Data Protection Law:
- Businesses have to appoint a Data Protection Officer (DPO) who has sufficient skills and knowledge in data protection to oversee compliance.
- Businesses have to create a Record of Processing Activities, also called ROPA, a requirement similar to the GDPR.
- The Data Protection Law introduces Data Subject Rights (the data subject being the person to whom the personal data relates) and "lawful bases for processing". Businesses not only have to obtain the consent of the data subject before processing their data, but must also be clear and transparent about how they process it, by way of Privacy Notices.
- The new law also makes it mandatory for businesses to report data breaches.
- Businesses also have to meet requirements around cross-border data transfers — when they are permitted, and when they are not.
The executive regulations are expected to be published before March 2022. Thereafter, organisations will have a further six months to adjust their operations to ensure compliance with the UAE Data Protection Law.
“This gives businesses approximately ten months to arrange their compliance. While this may sound like a long lead time, it is not as long as other jurisdictions have had (notably the EU). Our experience tells us that the task of assessing the data protection obligations and implementing compliance programs of a business can take considerably longer than businesses initially anticipate,” said DLA Piper, a global law firm.
Here are a few things businesses in the UAE must consider:
The first step is to understand what personal data you process, and to make sure your data collection practices comply with the law and do not conceal anything from data subjects. A data mapping exercise will provide a snapshot of how data is collected and managed: where the personal data comes from, where it is stored and transferred, and who it is shared with.
Businesses must develop a data register, the Record of Processing Activities (ROPA). The UAE Data Protection Law requires both Data Controllers and Data Processors to maintain these registers.
The ROPA, the backbone of the data protection compliance programme, feeds into the development of data protection policies, data subject rights processes, data processing agreements, and data transfer processes and policies. Businesses also need to consider how consent is currently obtained, and the language used to collect and record that consent. On that basis, businesses must design a data protection programme that meets the requirements of the law.
To start with, develop personal data protection policies that reflect your organisation's approach to personal data management, explaining the data subject's rights and how your organisation will work with data subjects to honour them. Additionally, consider how you will respond to data subject requests for access, deletion, transfer and rectification, and to objections to how your organisation processes personal data.
Given the new breach notification requirements of the Data Protection Law, consider how your organisation will respond to data breaches, including who within your organisation should sit on the response team and the process they will follow. A phased approach will ease the burden.
Most importantly, raise awareness of personal data protection issues within your organisation, including how data protection can be a differentiator for your business and the possible risks when it goes wrong.