Data protection officers
A business conducting “high risk processing activities” has additional compliance requirements under the new DP Law, including an obligation to appoint a data protection officer (DPO). DPOs are responsible for monitoring compliance with the DP Law and other applicable privacy laws, and to act as a contact point for the commissioner as well as oversee all data protection impact assessments the business undertakes. The contact details of the DPO must be given to data subjects when collecting their personal data.
A DPO is permitted to hold other roles or titles within the business provided those additional tasks and duties do not result in a conflict of interest or otherwise prevent the proper performance of the DPO role. The role of DPO can also be outsourced to an external party provided they have access to all relevant resources.
Generally, the DP Law requires the DPO to be resident in the UAE. However, if the person is an individual employed by a group of members and performs a similar function for the group on an international basis elsewhere, the residency requirement does not apply. In such cases, the DPO must be easily accessible to each member in the group.
The DPO is required to complete an annual assessment and submit that assessment to the commissioner. This is not intended to be an onerous obligation and will be integrated into existing DIFC compliance and reporting cycles.
The definition of ‘high risk processing activities’ pools together certain types of processing activity and includes:
- processing that includes the adoption of new or different technologies or methods which increase the risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise its rights;
- processing a large amount of personal data, including staff and contractor personal data, where such processing is likely to result in a high risk to the data subject;
- systematic and extensive automated processing, including profiling, with significant effects; or
- processing a material amount of sensitive data (referred to as “special categories of personal data”).
The commissioner has published comprehensive guidance and a list of activities that are considered to be ‘high risk processing activities’. Although this guidance is comprehensive, it will often be a judgment call as to whether certain activities fall within the definition. Businesses should regularly assess whether their processing activities would be considered ‘high risk’ and stay on top of any updates issued by the commissioner.
Failure to appoint a DPO when required or requested to do so may result in a fine of up to $50,000.
Breach notifications to the commissioner
Under the DP Law, businesses are required to notify certain personal data breaches to the commissioner and sometimes to data subjects too.
A “personal data breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In cases where a personal data breach compromises a data subject’s right to security or confidentiality, then expeditious notifications are required.
Examples of personal data breaches could include the infiltration of an IT system by a virus or third parties, an employee leaking information to third parties, incorrect use of email, or where laptops or devices are stolen or lost. This is a much wider definition than the previous DIFC data privacy regime which merely required notifications to the commissioner in the event of an “unauthorised intrusion” to a personal data “database”.
The new DP Law does not include any ‘de minimus’ limits for which a report must be made, so a strict technical interpretation of the requirements suggests that any breach, however small, would trigger a notification requirement to the commissioner. In this respect the data breach notification obligations are different from those set out in the GDPR.
Any business that processes information on behalf of a “controller” – this being any person who determines the purposes and means of processing personal data – must notify the controller of the personal data breach “without undue delay”. A controller must notify the commissioner of the breach “as soon as reasonably practicable”. Failure to so notify may result in a fine of up to $50,000 on either or both of the controller and processor.
As well as including details of the number of data subjects affected and the likely consequences of the data breach, the controller’s notification to the commissioner must also include details of measures taken or proposed to be taken to mitigate the adverse affects of the personal data breach. While businesses will be expected to make an initial notification of their breach to the commissioner, the DP Law provides leeway for businesses to report further details of the breach in stages thereafter as more information becomes available.
Breach notifications to data subject
A new requirement to notify data subjects has also been introduced in line with the requirements in the GDPR. Notification is required if it is “likely to result in high risk to the security or rights” of the data subject. A controller must make such notification as soon as practicable. However, if there is an “immediate risk of danger”, such notification must be made promptly.
The DP Law also contains a derogation which means that where a notification to an affected data subject could involve a disproportionate effort, a public communication or similar measure will be sufficient to satisfy the new provisions.
Failure to notify in accordance with these requirements can result in a fine of up to $50,000. A data subject can also apply to the court for compensation or damages where they have suffered loss as a result of the failure to notify.
Written agreements required for processors
Where services involving the processing of personal data are provided by other parties, contracts must contain much more robust contractual provisions. If the service provider appoints another company to carry out such services, then they must obtain the consent of the controller and the sub-contract must also contain similar robust contractual provisions.
Such contractual provisions must include commitments to:
- process the personal data following documented instructions from the controller;
- permit and assist with audits and inspections and make certain information available upon request by the commissioner, the counterparty or an auditor;
- ensure that all persons authorised to process personal data are under legally binding written agreements or duties of confidentiality;
- keep a program that demonstrates compliance with the DP Law; and
- provide appropriate technical and organisational measures to meet the controller’s obligation to respond to requests from data subjects.
Provision is made in the DP Law for the commissioner to publish standard contractual provisions for businesses to use in their contracts.
Failure to ensure that such contracts are in place with all relevant processors of personal data may result in a fine of up to $25,000.
Immediate actions for businesses
Responsibility for meeting the new requirements of the DP Law cannot be left solely to legal and compliance teams. Instead, compliance with data privacy obligations requires everyone in an organisation to understand their role and responsibility to keep data safe and secure.
There are a number of actions businesses should consider between now and 1 October 2020 to ensure they are prepared for and compliant with the new DP Law:
- review your current and future planned processing activities to identify what personal data you collect and ensure that it is being processed in accordance with a legitimate reason,including that it is relevant, accurate and being processed for the specific purpose for which it was collected and that all justifications for processing such data, including data subject consents, where relevant, remain valid;
- populate registers of processing activities that record personal data use;
- update privacy notices and customer facing terms and conditions to address the changes in the new DP Law – this will include alerting customers to their new data subject rights;
- review and remediate your existing controller / processor contractual arrangements – putting contracts into place with processors that contain the mandatory provisions as required by the DP Law;
- evaluate whether you are conducting ‘high risk processing activities’ and consider appointing a DPO;
- review the terms of your employment contracts;
- implement new data breach procedures to ensure that notifications are made to the commissioner and data subject, as required, in a timely manner in accordance with the DP Law;
- establish processes for dealing with data subject requests within the time required; and
- raise internal awareness of new requirements.
Additional contributions from Charlotte Holden of Pinsent Masons.