The New DIFC Data Protection Law | High-risk processing
The new DIFC Data Protection law directly affects all DIFC businesses
and many businesses from outside the DIFC,
which have regular dealings in the DIFC.
The law will also indirectly affect all service providers
to such businesses which process personal data as part of their offering.
All directly affected businesses will need to consider
if they carry out high-risk processing, as defined in the new law.
This is an important and necessary assessment,
because the question of whether or not the business carries out high-risk processing
affects the compliance obligations that the business has to satisfy.
In summary, high-risk processing is where new methods or technologies
are being used, which increase the risks to data subjects
or make it harder for data subjects to exercise their rights
or where a considerable amount of personal data is being processed
and such data is high risk due to sensitivity
or due to the nature of the processing,
or where personal aspects are being systematically
and extensively evaluated,
or where material amounts of special categories of personal data,
and that term has a similar meaning to the term in the GDPR,
are being processed.
There will be some cases where the assessment
gives an outcome which is a shade of grey
rather than a black or white result.
This is deliberate because the law wants businesses
to engage with their data processing
and with their data sets, and to carefully consider
their activities and to develop an approach to compliance accordingly.
The Commissioner of Data Protection is available
to consult with organisations which are struggling
to make a determination,
and the commissioner may also publish further guidance on this subject
in due course.
Organisations which conduct high-risk processing
must appoint a data protection officer
and must conduct data protection impact assessments
before the high-risk processing activity takes place.
If an organisation fails to do this
then it is in breach of the law and it could be sanctioned,
which may include fines or public reprimands.