In response to the COVID-19 pandemic and recognition of the need for employees to work remotely as far as possible, the UAE's Minister of Human Resources & Emiratisation issued Resolution No. 281 of 2020 (the Resolution) on 29 March 2020. The Resolution provides new regulations which private sector employers must follow and introduces some unique information security requirements.
From a technology and data protection perspective, the resolution is significant as it creates – for the first time in UAE federal laws – an express requirement for organisations to establish a policy framework to govern the use of IT assets and the protection of data. Existing UAE law does protect the privacy rights of individuals to an extent but there is no formal data protection law.
Noteworthy requirements that apply to private sector businesses under the Resolution include:
From a data protection perspective, the Guidelines require employers to ensure the availability of a safe IT environment to carry out remote working subject to appropriate data privacy and confidentiality controls. Employers must set out their rights of access to IT systems. Accordingly, this creates a new obligation on all private sector businesses in the UAE to have a codified approach to system access and information security. While many large multinationals sensibly adopt such practices, this will be a new requirement for many SMEs and local companies that have not previously been required to adopt this approach by law.
There is no end date or timeline attached to the Resolution, so it will need to be complied with until it is replaced or revoked.
We expect the privacy concepts in the Resolution to continue to be built out in UAE law and for data protection and privacy issues to become increasingly important issues for UAE onshore businesses to consider as part of corporate governance and resilience measures.