New DIFC Data Protection Law 2020: An overview

There has been a data protection regime in DIFC for around 15 years. It was the first in the Middle East and the current DIFC Data Protection Law dates back to 2007. In light of technological developments and increasing international standards of data protection over that time, in 2019 DIFC started the process of updating its data protection law. The Centre wants to be a regional example of best data protection practice and it aims to be the jurisdiction of choice for financial services in the Middle East. Ideally for DIFC, its laws would be formally recognised as offering the same level of protection as Europe and other jurisdictions in order to enable the free flow of personal data between those countries and the DIFC. The new law builds on current DIFC law and is based on the same core principles. And some of the main areas of interest for DIFC businesses and service providers will include the development of the legal framework around consent in the context of data processing, the requirement for some controllers to appoint a data protection officer, additional requirements around contracts with data processors. There are changes and revisions to the regime for international data transfers that will align it more closely with the EU GDPR. There are enhanced rights for data subjects. The law also include flexibility for innovation and it allows for the adoption of new technologies. There are many aspects to a successful data protection programme. Businesses operating in or dealing with the DIFC should start thinking about this sooner rather than later.