The DIFC Data Protection Law 2020 (“DPL”) will be in full force on 1st October 2020 following its enactment on 1st July 2020. Even if you currently work to the 2007 DIFC Data Protection Law framework or the General Data Protection Regulation (“GDPR”), there are several steps that must be taken to ensure that you are not in breach. This article aims to assist you in understanding the basic requirements of the DPL and provide some helpful implementation tips.
The DPL is notably comprehensive and aims to weave data protection principles into the fabric of your firm and its operations. It will affect every employee and department in your firm. If your firm processes Personal Data in or through the DIFC, whether that is sensitive data (now referred to as ‘special categories of personal data’) or any other Personal Data, you should prepare a firmwide action plan to ensure compliance.
First, you must establish how the DPL applies to you and your firm. This depends on whether you are a “Controller” or a “Processor”. A Controller is an individual or entity which determines the purpose and means of processing Personal Data. A Processor carries out that processing on the Controller’s behalf. As a Controller you are free to decide how the data is processed and for what purpose. As a Processor you will have been told by the Controller exactly how to process the data, and you must act within that scope. It is worth noting that the role is assessed per processing activity rather than for the firm as a whole, so most firms are likely to be both a Controller (for example, of their own employee data) and a Processor (for example, of data handled on a client’s instructions). Once you have determined your role for each activity, you can assess which requirements of the DPL apply to you. The standards and the liability differ depending on your role and your responsibility for that data.