Data Protection Compliance

The UAE has implemented Data Protection Laws aligned with globally followed best practices such as the EU GDPR, adapted to the needs of the UAE. There are currently three Data Protection laws applicable in the UAE:

1. Data Protection Regulations 2021, issued by Abu Dhabi Global Market (ADGM), apply to the Processing of Personal Data in the context of the activities of an Establishment (an entity or authority licensed in ADGM) of a Controller or a Processor in ADGM, regardless of whether the Processing takes place in ADGM.

2. Data Protection Law 2020, issued by the Dubai International Financial Centre (DIFC), applies to any Controller or Processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC.

3. UAE Federal Data Protection Law No. 45 of 2021 applies to the processing of personal data by controllers and processors located in the UAE (other than entities or authorities registered in the DIFC and ADGM), whether the personal data relates to data subjects in the UAE or abroad.

Very limited exemptions are available from these regulations. Some entities may be subject to more than one, or all three, of these laws.

The objective of these laws is to protect individuals' personal data and to promote lawful, fair and transparent processing of Personal Data. They include provisions relating to data subject rights, establishment of a data protection policy, data protection impact assessments, appointment of a Data Protection Officer, data breach notifications, data transfer requirements, and notification and record-keeping requirements.

Personal Data:

Personal data is any data relating to an identified or identifiable natural person. An entity does not need to know a person's name for that person to be identified or identifiable; identifiers include names, photographs, ID numbers, location data, online identifiers (e.g. IP addresses and cookie identifiers), etc.

Personal data may be retained in any form, such as:

  • Customer, supplier or employee databases containing personal data.
  • Minutes of meetings containing the names of attendees and the discussion.
  • Interview assessment forms containing personal data.
  • Databases of email and other contact details for marketing purposes.
  • Visitor registers containing contact details for security purposes.
  • Family details of employees for procuring insurance.

Entities are required to assess the applicability of these provisions and carefully establish policies and procedures to ensure compliance with these Data Protection Laws.

Key Considerations for Implementation of Data Protection Regulations:

Establish System and Process
Entities must review the whole of their business processes and practices across all divisions and take the necessary steps to ensure that their systems and processes are designed to comply with the requirements of the DP Laws.
Tone at the Top
Senior management should take steps to foster a culture of ‘privacy awareness’ and develop policies and procedures in compliance with the DP Laws.
Controller vs. Processor
Assess whether the entity acts as a Controller or a Processor, as the compliance obligations differ for each. Many entities act as both Controller and Processor depending on the circumstances.
Lawful Bases for Processing
Entities must determine a lawful basis before processing personal data. They should not switch between lawful bases after processing has commenced unless there is a good reason to do so.
Consent from Data Subject
Rely on the consent of the data subject as the legal basis for processing personal data only if it meets the conditions specified in the law; otherwise the consent obtained may be invalid.
Rights of Data Subject
Entities must communicate the rights of data subjects and establish a communication channel through which data subjects can exercise those rights, such as the right to be informed and the right to access personal data.
Special Categories
An entity can process special categories of personal data only under the circumstances specified in the law. In certain of those circumstances the entity is also required to maintain a Policy Document.
Record of Processing Activities
An entity must maintain a record of processing activities (ROPA), separately as controller and as processor. The ROPA should contain information such as the categories of personal data, a description of the processing, its purpose, etc.
Data Protection Impact Assessment
Carry out an impact assessment for any processing activity that results in higher risk to the interests of natural persons, including an assessment of the risks of the processing and the additional measures to mitigate them.
Transfer of Personal Data Outside Jurisdiction
Identify all other controllers (e.g. insurance companies with whom employee personal data is shared) and processors (e.g. a payroll service provider who processes salaries based on information shared by the entity) outside the jurisdiction and establish the necessary safeguard measures.
Export of Data / International Transfers
Identify whether any process results in international transfers, which require additional safeguard measures. For example, use of third-party software hosted on a server outside the UAE in a non-adequate jurisdiction to store personal data or record certain transactions, where the third party may have limited access to personal data in order to provide technical support to the entity, may constitute an international transfer.

How Crowe Can Help You

We understand that entities may be familiar with Data Protection laws but find it difficult to implement and comply with them and to keep track of changes in the laws and regulations.

We offer to help entities establish a framework towards greater compliance and protect your business’ legal and financial standing. After all, when it comes to non-compliance issues, ignorance of the law is no defense.

Our services include:

  • Acting as an outsourced Data Protection Officer.
  • Establishment of a Data Protection Compliance framework.
  • Drafting policies and procedures, privacy statements, consent forms, registers of processing activities, etc.
  • Independent assessment of compliance with Data Protection regulations.
  • Training employees on compliance with Data Protection regulations.
  • Assistance in establishing contractual arrangements with processors.

Contact us for further assistance

Dawn Thomas
Partner - Governance Risk & Compliance