UAE Data Protection Regulation and its Impact
The United Arab Emirates (UAE) has enacted its first data protection law (DPL) about the protection of personal data. New changes also consist of forming a new UAE Data Office (UAE Federal Decree-Law No.44 of 2021) which will deal with all relevant obligations, act as the data protection regulatory authority relating to the new data protection law and issues.
This new development in the UAE can be seen as an effort to standardize and consolidate its data protection laws with current international data protection laws.
UAE Data Protection Regulation and its Impact
The United Arab Emirates (UAE) has enacted its first data protection law (DPL) about the protection of personal data. New changes also consist of forming a new UAE Data Office (UAE Federal Decree-Law No.44 of 2021) which will deal with all relevant obligations, act as the data protection regulatory authority relating to the new data protection law and issues.
This new development in the UAE can be seen as an effort to standardize and consolidate its data protection laws with current international data protection laws.
The UAE Federal Decree-Law No. 45 of 2021 Regarding the Protection of Data Protection was issued on 20th September 2021 (“Law”). The Law will become effective on 2nd January 2022. Executive regulations are due to be issued within 6 months of the date of issuance of the Law. UAE companies will then have 6 months from the issuance of those executive regulations to comply with the Law (although that period can be extended by the Cabinet). As with many UAE laws, the executive regulations will contain a great deal of additional detail on the provisions of the Law and assist UAE companies in understanding their compliance requirements under the Law.
The Law looks to align UAE’s Federal law with global “best practice” data protection principles. For those familiar with such principles, much of the Law will be familiar with key transparency and accountability concepts included. The Law introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements and notification and record keeping requirements.
Besides the major benefits that data protection laws bring, this will allow private individuals as well as companies and organizations much easier understanding and simpler implementation of the protection controls.
As seen in many countries around the world, the GDPR (General Data Protection Regulation) has made significant strides in increasing the privacy rights of natural persons. The government has developed the new data protection laws, that aligns to global adoption of DPR and to establish a practical environment for data protection that ensures competitiveness and security for data owned by the subjects.
The Law looks to align UAE’s Federal law with global “best practice” data protection principles. For those familiar with such principles, much of the Law will be familiar with key transparency and accountability concepts included. The Law introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements and notification and record keeping requirements.
Besides the major benefits that data protection laws bring, this will allow private individuals as well as companies and organizations much easier understanding and simpler implementation of the protection controls.
As seen in many countries around the world, the GDPR (General Data Protection Regulation) has made significant strides in increasing the privacy rights of natural persons. The government has developed the new data protection laws, that aligns to global adoption of DPR and to establish a practical environment for data protection that ensures competitiveness and security for data owned by the subjects.
UAE Personal Data Protection Law
There are a few differences between the new UAE DPR law and the GDPR. It can be argued that UAE personal data protection regulations will augment data protection principles defined in GDPR. Focus on consent as the primary legal basis with no legitimate interest basis is one of the main differences in the law. Many organizations that comply with GDPR rely on the legitimate interest to justify the data processing of private individuals. Additional differences focus on processing requests for records and no requirement for a privacy statement.
The Data Protection Act will come into effect on 2 January 2022, but organizations will have 6 months since the effective date to comply with the new law. This time frame will depend on the publishing date of the regulation.
UAE Data Protection Regulation – The First of Its Kind
The new Data Protection Regulation is expected to provide many benefits and data rights to natural persons. It can be argued that this new development in the data protection law will bring about an increase in the security controls and safeguards for organizations to achieve compliance which has often seen as a common problem amongst consumers in the UAE with a high volume of unsolicited advertising by retailers and service providers through emails, SMS and cold calling.
UAE Personal Data Protection Law
There are a few differences between the new UAE DPR law and the GDPR. It can be argued that UAE personal data protection regulations will augment data protection principles defined in GDPR. Focus on consent as the primary legal basis with no legitimate interest basis is one of the main differences in the law. Many organizations that comply with GDPR rely on the legitimate interest to justify the data processing of private individuals. Additional differences focus on processing requests for records and no requirement for a privacy statement.
The Data Protection Act will come into effect on 2 January 2022, but organizations will have 6 months since the effective date to comply with the new law. This time frame will depend on the publishing date of the regulation.
UAE Data Protection Regulation – The First of Its Kind
The new Data Protection Regulation is expected to provide many benefits and data rights to natural persons. It can be argued that this new development in the data protection law will bring about an increase in the security controls and safeguards for organizations to achieve compliance which has often seen as a common problem amongst consumers in the UAE with a high volume of unsolicited advertising by retailers and service providers through emails, SMS and cold calling.
UAE DPR - Key Requirements and Items
Since the new regulation is somewhat like General Data Protection Regulation (GDPR), the following are key points and changes that will be introduced by the new regulation.
The most important item is the data subject rights. Personal Individuals will have the right to access their personal data held by controllers and will be able to request a transfer of their personal data. If not required by other laws, individuals will also be able to delete their personal data or restrict its processing. Lastly, objections to automatic processing and marketing-related data processing will also be objectionable.
Naturally, the data controllers (organizations and companies that determine the purpose and means of personal data processing) will be required to open channels of communication with data subjects. This means that a Data Protection Officer (DPO) must be appointed by each organization that processes or determines the purpose of Personally Identifiable Information or PII.
The new regulation contributes to data processing transparency by requiring the organizations to explain the reasons for data collection and processing of personal data to data subjects. This means that the use of personal data must be clearly explained to the data subjects and require their consent. To add, organizations will have to provide the data subjects with an option to decline the processing of their personal data and withdraw their consent. Personal data processing for marketing purposes will also require the consent of a data subject.
The new law specifies how organizations should perform data protection impact assessments or DPIA on every organizational process that deals with PII. This is perhaps one of the more complex tasks that organizations will have to complete to become compliant. Any processing of PII that poses a risk to the confidentiality and privacy of a data subject must be assessed and effectively scored. With UAE DPR, this will also apply to any organization, foreign or domestic that processes the PII of UAE citizens. Interestingly, any government entity in the UAE will be exempt from the regulation.
It is important to mention that the law will not apply to PII that is already regulated by healthcare or financial banking laws. But for everyone else, assessing the data processing activities and implementing changes to become compliant will become a new reality. Like GDPR, organizations in the UAE and abroad will have very limited time in order to become compliant if they haven’t performed any steps to becoming GDPR compliant. Luckily, unlike GDPR, the UAE data protection regulation does not list or specify any monetary fines at this moment.
Finally, to have proper oversight, the UAE will establish the “UAE Data Office” that will deal with the development of additional data protection policies and provide oversight of the new regulation. Since January 2nd, organizations had six months to ensure their operations comply with the new law.
UAE DPR - Key Requirements and Items
Since the new regulation is somewhat like General Data Protection Regulation (GDPR), the following are key points and changes that will be introduced by the new regulation.
The most important item is the data subject rights. Personal Individuals will have the right to access their personal data held by controllers and will be able to request a transfer of their personal data. If not required by other laws, individuals will also be able to delete their personal data or restrict its processing. Lastly, objections to automatic processing and marketing-related data processing will also be objectionable.
Naturally, the data controllers (organizations and companies that determine the purpose and means of personal data processing) will be required to open channels of communication with data subjects. This means that a Data Protection Officer (DPO) must be appointed by each organization that processes or determines the purpose of Personally Identifiable Information or PII.
The new regulation contributes to data processing transparency by requiring the organizations to explain the reasons for data collection and processing of personal data to data subjects. This means that the use of personal data must be clearly explained to the data subjects and require their consent. To add, organizations will have to provide the data subjects with an option to decline the processing of their personal data and withdraw their consent. Personal data processing for marketing purposes will also require the consent of a data subject.
The new law specifies how organizations should perform data protection impact assessments or DPIA on every organizational process that deals with PII. This is perhaps one of the more complex tasks that organizations will have to complete to become compliant. Any processing of PII that poses a risk to the confidentiality and privacy of a data subject must be assessed and effectively scored. With UAE DPR, this will also apply to any organization, foreign or domestic that processes the PII of UAE citizens. Interestingly, any government entity in the UAE will be exempt from the regulation.
It is important to mention that the law will not apply to PII that is already regulated by healthcare or financial banking laws. But for everyone else, assessing the data processing activities and implementing changes to become compliant will become a new reality. Like GDPR, organizations in the UAE and abroad will have very limited time in order to become compliant if they haven’t performed any steps to becoming GDPR compliant. Luckily, unlike GDPR, the UAE data protection regulation does not list or specify any monetary fines at this moment.
Finally, to have proper oversight, the UAE will establish the “UAE Data Office” that will deal with the development of additional data protection policies and provide oversight of the new regulation. Since January 2nd, organizations had six months to ensure their operations comply with the new law.
How to Become Compliant with UAE DPR
If organizations haven’t taken steps towards GDPR compliance, they will need to conduct a comprehensive effort to become compliant to UAE PDPL.
To begin the compliance efforts, DTS can help build your compliance towards data protection regulation, it is important to appoint a DPO or a virtual DPO at the start of the process for that individual to have oversight of the compliance efforts.
The efforts should consist of data mapping, identification of processes that deal with PII, conducting a Data Protection Impact Assessment, and establishing and implementing security controls to meet the technical requirements and become compliant. This will not be a small task but will bring better security standards and increased insight into the organization’s data processing activities.
How to Become Compliant with UAE DPR
If organizations haven’t taken steps towards GDPR compliance, they will need to conduct a comprehensive effort to become compliant to UAE PDPL.
To begin the compliance efforts, DTS can help build your compliance towards data protection regulation, it is important to appoint a DPO or a virtual DPO at the start of the process for that individual to have oversight of the compliance efforts.
The efforts should consist of data mapping, identification of processes that deal with PII, conducting a Data Protection Impact Assessment, and establishing and implementing security controls to meet the technical requirements and become compliant. This will not be a small task but will bring better security standards and increased insight into the organization’s data processing activities.
See also: