Is your DIFC Company complying with New Data Protection Law 2020?

June 03, 2020

1. What is Data Protection Law 2020?

The DIFC Data Protection Law 2020 (DPL 2020) comes into force on 1 July 2020. In light of the global pandemic, businesses to which it applies have a grace period of three months, until 1 October 2020, to prepare to comply with it; after that date it becomes enforceable.

DPL 2020 increases privacy compliance requirements for businesses registered in the DIFC, and for businesses which process personal data within the DIFC as part of "stable arrangements".

DPL 2020 applies to:

  • any business registered in the DIFC;
  • any business which processes personal data within the DIFC as part of stable arrangements; and
  • any business which processes personal data on behalf of either of the above.

Key Features of Data Protection Law 2020:

Data Protection Officer

Controllers or processors may appoint a DPO voluntarily.

DPOs are mandatory for:

  • DIFC bodies (other than courts acting in their judicial capacity); and
  • a controller or processor performing High Risk Processing Activities on a systematic or regular basis.

Newly Added Data Protection Principles

DPL 2020 adds:

  • the accountability principle;
  • a requirement to process personal data in a transparent manner; and
  • a requirement to process personal data in a manner that gives effect to data subject rights.

Accountability

Controllers and Processors must demonstrate compliance with the data protection principles.

Added Rights of Individuals

DPL 2020 adds:

  • the right to withdraw consent at any time: an absolute right available to a data subject where the basis for processing the personal data is consent;
  • the right of access; and
  • the right to data portability.

Conditions for Consent

Consent must be freely given and must be an unambiguous indication of the data subject's wishes. Consent can be withdrawn at any time.

Data Processors

DPL 2020 imposes legal obligations directly on processors as well as controllers. Any breach of these obligations can result in a fine, or in a judicial remedy for the affected data subjects.

Cross-border transfers

DPL 2020 adds the ability to transfer personal data outside the DIFC to a non-adequate country if appropriate safeguards are put in place, including:

  • a legally binding instrument between public authorities;
  • binding corporate rules; or
  • standard data protection clauses as adopted by the Commissioner.

Breach notifications

  • Notification to the Commissioner: as soon as practicable in the circumstances, where the breach compromises a data subject's confidentiality, security or privacy.
  • Notification to the data subject: as soon as practicable in the circumstances, where the breach is likely to result in a high risk to the security or rights of the data subject.

2. Penalty for non-compliance

Maximum fine (USD) per contravention:

  • Failing to comply with general requirements specified under Article 9 of the Law made for the purpose of this Law: $50,000
  • Failing to comply with requirements for lawful Processing specified under Article 10 of the Law made for the purpose of this Law: $50,000
  • Failing to comply with requirements for lawful Processing specified under Article 12 of the Law made for the purpose of this Law: $50,000
  • Failing to comply with the requirements for accountability specified under Article 14(1) of the Law made for the purpose of this Law: $25,000
  • Failing to implement and maintain technical and organisational measures to protect Personal Data in accordance with Article 14(2) of the Law made for the purpose of this Law: $50,000
  • Failing to comply with the requirements for accountability specified under Article 14(3) of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements for accountability specified under Article 14(4) of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements for accountability specified under Article 14(5) of the Law made for the purpose of this Law: $25,000
  • Failing to register with the Commissioner in accordance with Article 14(7): $25,000
  • Failing to maintain records of Personal Data Processing operations in accordance with Article 15: $25,000
  • Failing to appoint a DPO in accordance with Articles 16(2) and 16(3) of the Law made for the purpose of this Law: $25,000
  • Failing to carry out a data protection impact assessment prior to High Risk Processing Activities in accordance with Article 20 of the Law made for the purpose of this Law: $50,000
  • Failing to comply with the requirements specified under Article 22(1), 22(2), 22(5) or 22(6) of the Law made for the purpose of this Law: $20,000
  • Failing to comply with the requirements specified under Article 23 of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements specified under Article 24(1), 24(3) or 24(6) of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements specified under Article 25 of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements specified under Article 26 of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements specified under Article 27 of the Law made for the purpose of this Law: $25,000
  • Failing to comply with the requirements specified under Article 28 of the Law made for the purpose of this Law: $50,000
  • Failing to comply with the requirements specified under Article 29 of the Law made for the purpose of this Law: $10,000
  • Failing to comply with the requirements specified under Article 30 of the Law made for the purpose of this Law: $75,000
  • Failing to comply with the requirements specified under Article 31 of the Law made for the purpose of this Law: $75,000
  • Failing to comply with the requirements specified under Article 32(3) of the Law made for the purpose of this Law: $75,000
  • Failing to comply with the requirements specified under Article 33 of the Law made for the purpose of this Law: $75,000
  • Failing to comply with the requirements specified under Article 34 of the Law made for the purpose of this Law: $100,000
  • Failing to comply with the requirements specified under Article 35 of the Law made for the purpose of this Law: $100,000
  • Failing to comply with the requirements specified under Article 36 of the Law made for the purpose of this Law: $100,000
  • Failing to comply with the requirements specified under Article 37 of the Law made for the purpose of this Law: $100,000
  • Failing to comply with the requirements specified under Article 38 of the Law made for the purpose of this Law: $100,000
  • Failing to comply with the requirements specified under Article 39 of the Law made for the purpose of this Law: $100,000
  • Failing to comply with the requirements specified under Article 40 of the Law made for the purpose of this Law: $50,000
  • Failing to report a Personal Data Breach in accordance with Article 41 of the Law made for the purpose of this Law: $25,000
  • Failing to report a Personal Data Breach in accordance with Article 42 of the Law made for the purpose of this Law: $50,000
  • Failing to comply with the requirements specified under Article 65 of the Law made for the purpose of this Law: $75,000

How MBG Can Help

We have a dedicated team of privacy professionals with thorough expertise in leading data protection programmes across large-scale and complex organizations.

Data Risk Management

-Privacy Impact Assessment and health check

-Policy analysis and design

-Governance and compliance review

-Third party risk management

-Mergers and acquisitions data transfer and ownership

Privacy Training

-Privacy risk and compliance training

-Training and awareness design and implementation

-Classroom and computer based training

Technology and Digital

-Privacy by design advice and implementation

-Digital asset risk assessment and management (e.g. websites and mobile apps)


Madan Mohan

Designation: Associate Director

About Author:

Madan Mohan is a leader in the Technology Advisory Services practice of MBG Group. He is a Certified CISO, CISA, CISM, ISO 27001 Lead Auditor, ISO 25999 Lead Auditor and DCPLA (Privacy Lead Auditor).
He has over 16 years of experience in technology security, serving large clients and managing information security, BCP, privacy, cyber security, risk management and compliance projects.

