Co-authored by Rifdi Shuhaimi
Following our second article on managing Personal Data, DIFC-based companies should now be considering the immediate practical steps needed to make their business operations compliant.
Undefined capitalised terms in this article have the same definitions as provided in the first and second articles of this series.
Step 1 - Personal data audit assessment
We recommend that DIFC-based companies Processing any Personal Data carry out a thorough data audit to:
- ascertain what Personal Data they Process and hold;
- determine where the Personal Data is held (e.g. hard copy records, emails, cloud platforms, etc.);
- identify who has access to the Personal Data; and
- ensure that any Personal Data held (including within IT systems) is stored securely and reliably.
Step 2 - Consider compliance measures
Companies Processing Personal Data should carry out the following compliance exercises to meet the requirements of the DPL 2019.
- Implement "technical and organisational measures" within the business as a whole to ensure the lawfulness of Processing activities and the security of any Personal Data Processed. These measures essentially must:
- consider the risk(s) and purpose(s) of Processing Personal Data on a case-by-case basis;
- give access to Personal Data only to people within the organisation on a need-to-know basis;
- ensure that only Personal Data which is necessary for each specific purpose is Processed;
- incorporate measures within the IT department to protect Personal Data by default;
- be reviewed and updated on a regular basis; and
- ensure that any online platform through which services are offered requires Data Subjects1 to choose their Personal Data collection settings.
- Draft a data protection policy to be circulated among employees setting out why and how Personal Data will be collected, as well as how long the Personal Data will be retained.
- Maintain a record of the company's Processing activities (in electronic format), which must include the following information:
- the name and contact details of the company's Controller2 and Data Protection Officer ("DPO");
- the type of Personal Data Processed by the company;
- the purpose(s) of Processing the Personal Data;
- the company's Personal Data retention policy;
- a description of the type of Data Subjects;
- a description of the people who will have access to Personal Data;
- an account of the "technical and organisational measures" implemented to ensure the security of Personal Data; and
- an account of all relevant safeguards applied when sharing Personal Data abroad (if applicable).
- Implement a deletion strategy and process to securely and permanently delete Personal Data after the retention period has expired.
- Prepare written agreements (such as a form of data processing/sharing agreement or data processing/sharing addendums) with suppliers, distributors and clients (where needed).
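Two of the measures above lend themselves to being enforced in code rather than on paper: checking that the electronic record of Processing activities carries every field listed, and deleting records once their purpose-specific retention period has expired. The script below is an added example and is not code from the original article or from Gowling WLG; the register field names, the retention periods, the sample records and the audit-log layout are all assumptions made for illustration, not anything the DPL 2019 prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Fields the article lists for the (electronic) record of Processing activities.
# The names are this example's own; the DPL 2019 does not prescribe field names.
REQUIRED_REGISTER_FIELDS = (
    "controller_name", "controller_contact", "dpo_contact",
    "personal_data_types", "purposes", "retention_policy",
    "data_subject_types", "access_roles", "security_measures",
)


def missing_register_fields(register: dict) -> list:
    """Return mandatory register fields that are absent or empty.

    Safeguards for transfers abroad are only required when the entry
    says Personal Data is actually shared abroad."""
    missing = [f for f in REQUIRED_REGISTER_FIELDS if not register.get(f)]
    if register.get("shared_abroad") and not register.get("transfer_safeguards"):
        missing.append("transfer_safeguards")
    return missing


@dataclass
class Record:
    record_id: str
    purpose: str               # key into the retention policy
    collected_on: date
    legal_hold: bool = False   # e.g. subject to litigation; never auto-deleted


def expired_records(records, retention_days: dict, today: date) -> list:
    """IDs of records whose purpose-specific retention period has elapsed.

    A purpose with no retention period is an error: failing loudly is safer
    than silently keeping the data forever."""
    expired = []
    for rec in records:
        if rec.purpose not in retention_days:
            raise KeyError(f"no retention period defined for purpose {rec.purpose!r}")
        cutoff = rec.collected_on + timedelta(days=retention_days[rec.purpose])
        if today >= cutoff and not rec.legal_hold:
            expired.append(rec.record_id)
    return expired


def purge(store: dict, ids, audit_log: list, today: date) -> int:
    """Delete the given records and log each deletion.

    The audit entry deliberately carries only the id and purpose, so the
    log itself does not become a copy of the Personal Data just deleted."""
    for rid in ids:
        rec = store.pop(rid)
        audit_log.append({"date": today.isoformat(), "record_id": rid,
                          "purpose": rec.purpose, "action": "deleted"})
    return len(ids)


def demo() -> dict:
    """Run both checks over constructed sample data (not real records)."""
    today = date(2024, 6, 1)
    register = {  # constructed, and incomplete on purpose
        "controller_name": "Example DIFC Co",
        "controller_contact": "privacy@example.test",
        "dpo_contact": "",                      # missing
        "personal_data_types": ["name", "passport number"],
        "purposes": ["recruitment", "kyc"],
        "retention_policy": {"recruitment": 180, "kyc": 5 * 365},  # days, assumed
        "data_subject_types": ["applicants", "clients"],
        "access_roles": ["hr", "compliance"],
        "security_measures": ["role-based access", "encryption at rest"],
        "shared_abroad": True,                  # but no safeguards recorded
    }
    store = {r.record_id: r for r in [
        Record("r1", "recruitment", date(2023, 1, 10)),
        Record("r2", "recruitment", date(2024, 5, 1)),
        Record("r3", "kyc", date(2018, 3, 1), legal_hold=True),
        Record("r4", "kyc", date(2017, 6, 15)),
    ]}
    audit_log = []
    expired = expired_records(list(store.values()), register["retention_policy"], today)
    purge(store, expired, audit_log, today)
    return {
        "missing_register_fields": missing_register_fields(register),
        "expired": expired,
        "remaining": sorted(store),
        "audit_log": audit_log,
    }


if __name__ == "__main__":
    print(demo())
```

Running it reports that the register is missing the DPO's contact details and, because the entry says data is shared abroad, the transfer safeguards; it then deletes r1 and r4 while keeping r2 (still within its period) and r3 (under legal hold). The `pop` stands in for whatever deletion the real store supports: "securely and permanently" deleting means also covering backups, replicas and log copies, which is why production systems often encrypt each record (or each Data Subject's data) under its own key and destroy the key at expiry rather than hunting down every copy.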
Step 3 - Consider the information that must be provided to Data Subjects when Processing their Personal Data
When Processing their Personal Data, companies should provide Data Subjects with the following information:
- the Data Subjects' rights under the DPL 2019;
- who their Personal Data will be shared with;
- how long their Personal Data will be stored for;
- why their Personal Data is being collected;
- the steps taken by the company to comply with its obligations under the DPL 2019;
- whether the Processing of their Personal Data may restrict the Data Subjects' rights under the DPL 2019;
- details of the security measures in place when their Personal Data is to be shared abroad; and
- the DPO's contact details (if applicable).
What does the future of data protection hold regionally?
Unsurprisingly, the Middle East is now embracing new data protection frameworks and laws, aligning with the rest of the world and, in particular, with the principles of the GDPR. The UAE, particularly given the DIFC laws and regulations, has been at the forefront of this adoption. Data protection laws and frameworks are growing regionally, as are regulatory agencies and authorities responsible for the enforcement of the rights protected under the relevant laws. These rights and the laws protecting them will only continue to gain importance and attract higher degrees of attention, enforcement action and publicity across the region.
In view of this evolution towards more robust data protection regionally, we recommend that all companies active within the DIFC act quickly in their preparations for the enforcement of the DPL 2019 in order to minimise any future delays and avoid penalties for non-compliance.
Should you wish to review the full draft of the DPL 2019, it has been published and is accessible on the DIFC's website.
1 The identified or identifiable natural person to whom Personal Data relates.
2 Any person who, alone or jointly with others, determines the purposes and means of Processing Personal Data.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.