The new DIFC Data Protection Law No.5 of 2020
June 04, 2020
By Raka Roy
On June 1st, 2020, the UAE Government enacted the DIFC Data protection Law no. 5 of 2020. His Excellency Essa Kazim, Governor of DIFC, stated: “By setting out the regulation, DIFC also sets a clear requirement for all organisations to follow global best practice relating to data and privacy.”
The new law comes into effect from 1st July, however, businesses will receive a three-month grace period to comply with the new regulations.
The Law typically focusses on enhancing security and best practices for data security and privacy. Accountability of Data Controllers and Processors have been introduced through implementation of data protection impact assessments and compliance program requirements. The law now mandates the appointment of a data protection officer if required.
Protection of an individual’s rights and their personal data has been the primary focus of the amended law, which is being guarded by the imposition of contractual obligations towards the Data Controllers and by further clarity regarding the terms of usage of personal data that is collected and managed by the relevant entities.. Furthermore, much importance has been given to contractual clarity of a data subject’s rights when engaging with vendors of evolving technologies such as AI and Blockchain.
Serious data breaches will now be faced with increased fine limits in addition to or in replacement of the administrative fines. Nonetheless, cross border data transfers have been eased out by removing the permit options from the Data Commissioner.
It is evident that the current laws and regulations would align DIFC with the GDPR and the California Consumer Privacy Act, helping it to be recognised by the European commission, the UK, USA, and other strong data protection regimes.