The New DIFC Data Protection Law | High-risk processing

The new DIFC Data Protection law directly affects all DIFC businesses and many businesses from outside the DIFC, which have regular dealings in the DIFC. The law will also indirectly affect all service providers to such businesses which process personal data as part of their offering. All directly affected businesses will need to consider if they carry out high-risk processing, as defined in the new law. This is an important and necessary assessment, because the question of whether or not the business carries out high-risk processing affects the compliance obligations that the business has to satisfy. In summary, high-risk processing is where new methods or technologies are being used, which increase the risks to data subjects or make it harder for data subjects to exercise their rights or where a considerable amount of personal data is being processed and such data is high risk due to sensitivity or due to the nature of the processing, or where personal aspects are being systematically and extensively evaluated, or where material amounts of special categories of personal data, and that term has a similar meaning to the term in the GDPR, are being processed. There will be some cases where the assessment gives an outcome which is a shade of grey rather than black or white result. This is deliberate because the law wants businesses to engage with their data processing and with their data sets, and to carefully consider their activities and to develop an approach to compliance accordingly. The commissioner of data protection is available and can be consulted with, and is available to consult with organisations which are struggling to make a determination, and the commissioner may also publish further guidance on this subject in due course. Organisations which conduct high-risk processing must appoint a data protection officer and must conduct data protection impact assessments before the high risk processing activity takes place. If an organisation fails to do this then it is in breach of the law and it could be sanctioned, which may include fines or public reprimands.