The Dubai International Financial Centre (DIFC) has issued a consultation paper relating to an update of the DIFC Data Protection Law*. The current law is based on the European Data Protection Directive which was replaced last year by the European General Data Protection Regulation (GDPR) and the DIFC is seeking to similarly update its own regime in light of that and other international developments.
The new draft law retains the same core principles as the existing law, but any business which processes personal data in the DIFC will need to be aware of some key developments proposed by the new legislation. Consultation responses are welcomed from any interested party.
Key features of the draft law include:
- Increasing focus on organisational awareness and prominence, including requirements for data protection assessments, appointment of data protection officers, consultation with the Commissioner of Data Protection
- Updated data export provisions to bring the DIFC closer into line with GDPR mechanisms and to provide a framework for DIFC controllers to respond to requests for data from competent authorities outside the DIFC
- Extension of direct compliance obligations to data processors
- Increased detail on data subject consent validity (where consent is the basis for processing)
- Enhanced data subject rights
- Anticipation of potential tension between emerging technologies and data protection principles and potential routes for controllers to manage the conflict
All businesses with DIFC operations, and providers of services who act as data processors on behalf of such businesses, will need to consider the implications of the draft law.