Regulation 10 of the DIFC Data Protection Law: Why it matters for processing conducted using Autonomous Systems

Regulation 10 on Personal Data Processed Through Autonomous and Semi-Autonomous Systems (“Regulation 10”) of the DIFC Law No.5 of 2020 (“DDPL”) is the core regulation that operationalizes protections around “High Risk Processing Activities” in the Dubai International Financial Centre (“DIFC”) free zone.

These activities (discussed in more detail below) include processing involving: (i) the adoption of new technologies or methods; (ii) the processing of a large amount of personal data; or (iii) systematic evaluation of individual characteristics (e.g. profiling), and in all cases, which increase the risks to an individual’s rights or security.

Regulation 10 is primarily designed to ensure that Controllers and Processors (as defined in the DDPL), that deploy or provide such autonomous systems, properly assess, document and mitigate privacy risks before they undertake such processing activities.

Moreover, Regulation 10 makes transparency a core component of the new regulatory framework by requiring that affected individuals whose personal data may be processed through the use of autonomous systems are not only informed that  such systems are being used, but also given enough information to allow them to properly evaluate the associated risks, and decide whether to object, or to withdraw their consent to the systems’ processing of their personal data.

Download the full article here