UAE NEW FEDERAL DATA PROTECTION LAW READINESS ROADMAP

I. OVERVIEW

Announced in September 2021 by the UAE Minister of State for Digital Economy, AI and Remote Working, the long-awaited first comprehensive UAE data protection law, Federal Decree-Law No. 45 of 2021 (the “Data Protection Law” or the “Law”), was issued as part of the largest legislative reform package in the history of the UAE, in conjunction with the celebration of the young country’s 50th anniversary.

This marks an important milestone for all those who live in or do business with the UAE, as the Law introduces numerous major changes to the data protection regime, not only directly in the UAE but also indirectly in the GCC region, due to the extra-territorial aspects of the Law.

The changes come in the context of various legislative and enforcement steps taken by the UAE to align the country’s social and business environment with global best practices and to consolidate the UAE’s competitive position as a world-class centre for trade and commerce. In addition, the UAE places digital transformation at the heart of its national strategy.

In line with these developments, the Law also looks to align UAE federal law with global data protection standards and concepts such as transparency and accountability. It introduces data subject rights and provides data subjects with more control over their personal data.

Along with the Law, UAE Federal Decree-Law No. 44 of 2021 creates the UAE Data Office. The UAE Data Office will act as the data protection regulatory authority, supporting organizations in implementing the Law’s requirements. The Law entered into force on 2 January 2022, though a one-year non-enforcement period applies, with full enforcement starting 12 months later in January 2023. The UAE Data Office will also need to be established before January 2023.

II. WHAT ARE THE MAIN IMPLICATIONS FOR BUSINESS?

The Law refers to the “Executive Regulations” (also referred to as the “Implementing Regulations”) (the “Regulations”), which will be published 6 months after the Law’s effective date (July 2022).

The Executive Regulations will include useful and practical information for businesses, providing clarity on compliance requirements for organizations in the UAE along with other aspects such as the scope and level of sanctions.

Given the short lead time, it would be prudent for organizations falling within the scope of the Law to kick off compliance assessments and implementation projects to quickly set up compliant processes and procedures, given that enforcement will commence in less than 12 months.

The Law will apply to all organizations located in the UAE that process personal data (whether acting as controllers or processors). It covers the personal data of data subjects residing and/or working in the UAE.

Organizations located outside the UAE are also subject to the Law as long as they process the personal data of UAE data subjects; this extra-territorial element is similar to the GDPR.

It is important to note that the Data Office has the ability to exempt UAE companies that do not process large volumes of personal data; however, the details will be set out in the Regulations.

It is also important to note that the Law does not apply to personal data processing by government, security and judicial authorities.

In addition, the Law does not cover personal health data or personal banking and credit data, which are covered by separate legislation. Organizations located in the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”) are subject to the specific data protection laws governing those free zones.

III. READINESS ROADMAP FOR ORGANIZATIONS

As indicated above, all businesses operating in the UAE, or based outside the UAE but collecting and processing personal data of data subjects located in the UAE, will need to assess their activities and projects, make all the necessary adjustments and take all the required steps to align with and comply with the Data Protection Law promptly, especially now that it is officially in force.

Organizations will therefore need to implement a data protection framework and program within the tight timeline provided. During this period, entities subject to the UAE Data Protection Law will need to put in place adequate policies, procedures, controls, registers and technical measures to demonstrate compliance with the Law.

Below are some useful steps and compliance readiness measures, designed with the new data protection law in mind, that will enable organizations to better demonstrate their regulatory compliance.

1. Personal Data Mapping - ROPA:

The first step for organizations is to gain a good understanding of the personal data they process and to map all processing activities. Creating a Register of Processing Activities (ROPA) is the tool needed to demonstrate this comprehensively. Maintaining the ROPA is a requirement for both data controllers and data processors (as provided by Article 7, clause 4 and Article 8, clause 7 of the Data Protection Law). While this ROPA requirement is also found in the European General Data Protection Regulation (“GDPR”), the UAE equivalent requires more details, such as the persons authorized to access personal data and the mechanisms for erasing or modifying personal data.

2. Data Protection Officer (“DPO”) appointment

Organizations will need to appoint a DPO under certain conditions. The UAE Data Protection Law gives flexibility for the DPO to be an employee or an external party, who may be based inside or outside the UAE; however, the DPO must possess robust knowledge of data privacy laws and regulations and of their application (Articles 10 and 11 of the UAE Data Protection Law).

The DPO acts as a “control tower”, aligning the technical, legal, audit, strategy and other functions towards achieving the required compliance. The DPO works with company leadership to develop solutions that meet the company’s needs while ensuring structural compliance.

3. Consent collection prior to processing personal data

The UAE Data Protection Law prohibits the processing of personal data without collecting the consent of the individual (i.e. the data subject), except in certain specific cases provided by the Law, such as: to execute a contract with the data subject, to protect the public interest, or to comply with legal obligations (see Article 4 of the Data Protection Law). Therefore, it is crucial for organizations to establish consent collection and maintain a consent registry where required, including for marketing purposes. In fact, unlike the GDPR, the Data Protection Law does not allow processing on the basis of the controller’s legitimate interest. It is also necessary to incorporate opt-out mechanisms to allow data subjects to withdraw their consent or object to receiving marketing communications.

4. Transparency

The Data Protection Law sets transparency requirements for data privacy notices, in which organizations make clear how they process personal data. This requirement is consistent with the GDPR.

5. Vendor risk management

Similar to the GDPR, third-party data processors (vendors, suppliers, etc.) are required to act on the instructions of a controller and to implement contracts with the controller for the processing of personal data, which should contain specific information about the data processing (purpose, scope, categories of data, etc.).

Organizations acting as data controllers (collecting data and deciding the purposes for which and the means by which the personal data is processed) are responsible for their data processors. In other words, organizations are ultimately responsible for ensuring that their service providers process the personal data in compliance with the UAE Data Protection Law requirements.

A review of all contracts with suppliers and vendors has to be performed, along with an audit of all third parties with whom personal data is shared (in the case of outsourcing of certain activities, for example). In addition, the contractual provisions have to be updated in line with the data protection requirements and liabilities.

It is important to note that where more than one processor participates in the processing of personal data, the Data Protection Law expressly requires such processing to be conducted under a contract specifying the obligations, responsibilities and roles of each processor. The Regulations are likely to clarify the contracts that need to be put in place and the specific obligations to be included.

6. Data Protection Impact Assessment

It is necessary to perform a Data Protection Impact Assessment (“DPIA”) and gather adequate associated documentation (vendor assessment questionnaire, security assessments, etc.) for processing operations where the use of technologies could pose a high risk to the confidentiality and privacy of the data subject (Article 21). DPIAs will be required where processing involves automated processing, including profiling, or large volumes of sensitive personal data. The DPO’s role will be important in managing these assessments. The Data Office will release further details on processing operations that will not require assessments.

7. Breach response plan and breach notification

The new Law makes data breach notification and reporting a mandatory requirement (Article 9). From 2 January 2022, organizations acting as controllers or processors will need to be able to identify and investigate when and how a data breach has occurred, and to have an adequate response plan involving all the relevant stakeholders (such as IT, communications, legal, DPO…), including processes to evaluate the impact of the breach.

8. Technical and organizational measures

The Law sets out that organizations acting as controllers and as processors must develop procedures and take measures, in accordance with best international practices and standards and commensurate with the risk and cost involved in the processing, to ensure an appropriate level of information security. Some of these measures are already listed in the Law, such as “encryption”, “pseudonymization” and “anonymization” (terms which are defined in the Law). It is important to coordinate with IT to establish strong processes and measures and to ensure those measures and processes are tested and evaluated for effectiveness.

9. Data subject rights and requests management

The new UAE Data Protection Law introduces new data subject rights to provide individuals (“data subjects”) with more control over their personal data (Articles 14, 15, 16, 17 and 18). It is essential to put in place adequate processes to ensure that data subject requests are dealt with in a timely manner. These processes should be supported by and coordinated with the IT teams and technology workflows, as handling a request involves locating the relevant records across various systems and data sources and creating traceability of the actions taken, for documentation, accountability and reporting purposes. Unlike the GDPR, which sets a one-month deadline for responding to data subject requests, the response timeline for data subject rights is yet to be clarified in the Implementing Regulations.

10. Data transfer assessment

A review of data flows and transfers of data outside the UAE needs to be conducted prior to any data transfer. The Implementing Regulations will clarify whether approval needs to be sought from the UAE Data Office following the controller’s own assessment of the level of protection, or whether the UAE Data Office will designate approved countries for data transfers, similar to the adequacy decisions made by international regulators. If a country is not deemed to provide an adequate or equivalent level of protection, specific controls and derogations will enable such transfers, such as transfers that are necessary for the performance of contracts with, or in the interest of, the data subject.

11. Training and awareness

Finally, an effective data protection program requires raising employees’ awareness and training them on the newly applicable data privacy requirements and processes.

Adequate training should be conducted on an ongoing basis, with records and reporting targets, to embed a culture of compliance and data privacy, deliver the privacy message successfully and set the stage for its reception and acceptance throughout the organization.


Narjes Mathlouthi

Sustainability-Driven Data Analyst: Using Machine Learning to Make a Difference

3 years

Very insightful and informative

Andrew E. Derksen

Chief Legal Officer - 2024 Law.Com | ALM General Counsel of the Year - Petrochemicals, Infrastructure, Maritime

3 years

Great article re #UAE #dataprivacy, practical and insightful, thank you for sharing!!
