The ADGM Data Protection Regulations 2021 (“DPR”) are now in force and are the most comprehensive yet. Many of the concepts of the DPR may be familiar to those working to General Data Protection Regulation (“GDPR”) standards, as terminology and concepts are drawn from the internationally recognised standards, but the DPR has nuances to facilitate the business needs of the ADGM.
Where should you start?
First, you must establish in what way the DPR will apply to you and your firm. This will depend on whether you are a “Controller” or a “Processor”. A Controller is an entity that determines the purpose and means of processing personal data and the Processor undertakes the processing of that personal data. As a Controller you will be free to decide how to process the data and for what purpose to process the data. As a Processor you will have been told exactly how to process that data by the Controller and you will act within that scope. It is worth noting that most firms are likely to be both a Controller and a Processor for different processing activities. Once you have determined your role you can assess which requirements in the DPR apply to you. The standards and liability will differ depending on your role and responsibility to that data.