Data Protection Law (DIFC Law No. 5 of 2020)



The DIFC has recently enacted a new Data Protection Law (DIFC Law No. 5 of 2020) (“New DP Law”), which will come into effect from 1st July 2020. The New DP Law allows the DIFC to strengthen its leadership in enhancing data protection practices and to further develop the already robust DIFC Data Protection regime currently in place. The current DIFC Data Protection Law (DIFC Law No. 1 of 2007 (as amended)) (“Old DP Law”) will remain in force until the New DP Law comes into force. Once the New DP Law comes into force, firms will have a three-month transition period in order to ensure compliance with the New DP Law. The New DP Law combines the best practices from a variety of world-class data protection laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. It also includes appropriate data-sharing structures between government authorities allowing for further enhancement of data-sharing standards in the region.


Detailed Overview

A few key highlights of the New DP Law include:

  • Requirement for clear, unambiguous and free consent from a Data Subject for Processing of that Data Subject’s Personal Data
  • Introduction of the concept of ‘High Risk Processing Activities’ and a requirement that Data Controllers must conduct a data protection impact assessment prior to conducting such Activities
  • Requirement for appointment of Data Protection Officers where High Risk Processing Activities are conducted regularly and on a systematic basis
  • Removal of the list of countries that meet adequacy requirements for data transfers outside the DIFC as well as the requirement to obtain a permit or other written authorization from the Commissioner prior to making such transfers of data or prior to Processing Special Category Personal Data, as was specified under the Old DP Law
  • Enhancement of the rights of Data Subjects in line with the corresponding GDPR provisions
  • Introduction of general and administrative fines for breaches of the New DP Law, as well as increased maximum fine limits

How can we help?

We can help you assess the impact of the New DP Law on your business with services such as:

  1. Data protection impact assessment for High Risk Processing Activities
  2. Review and update of existing Policies, Procedures and Contracts in line with the New DP Law
  3. Internal Audit of Data Processing Activities
  4. Cyber-security Risk Assessment


Our experts can provide you with a detailed analysis of the implications of the New DP Law for your business and a comprehensive review of your existing Data Protection policies and procedures, in order to ensure full compliance with the provisions of the New DP Law and avoid significant penalties.

Contact us

Narasimha Das
Associate Partner