In today's digital age, data protection has become increasingly important due to the vast amount of personal and sensitive information that is collected and processed. It aims to ensure the privacy, confidentiality, integrity, and availability of this data while also ensuring compliance with legal and regulatory requirements.


As a result, many countries have enacted laws and regulations to govern data protection and ensure that organizations are held accountable for any breaches or mishandling of personal data.


The General Data Protection Regulation ('GDPR') is the legal foundation for defending the right to data protection in the European Union. Comparably, the United Arab Emirates ('UAE') has released its first federal data protection law ever. This policy marks a major departure in the way that data protection is approached in the UAE, even though it is conceptually similar to the GDPR and other data protection regulations throughout the world. Its implementation will have a substantial impact on how firms gather, use, and communicate with consumer and employee personal data.


"Dubai is a booming city in a state of ongoing progressive transformation. The Dubai International Financial Centre ('DIFC') Data Protection Law provides a comprehensive framework for data protection in Dubai, and is going to prove to be essentially beneficial for organizations operating within the DIFC given that they comply with its provisions in letter and spirit", says Monish G Chatrath, Managing Partner, MGC Global, post his visit to the region.


Based on the aforementioned, a fireside chat was held between Monish and the data protection experts of MGC Global to discuss various aspects relating to data protection and privacy regulation in the UAE.


Excerpts from the same can be seen by clicking here (Data Protection in the UAE-Fireside Chat) as well as read below.


Could you outline the current state of the data protection regulation in the UAE?


The UAE Cabinet declared on November 28, 2021, that Federal Decree-Law No. 45/2021 on the Protection of Personal Data, or Personal Data Protection Law ('PDPL') 2021, which was released on September 20, 2021, had been enacted. The PDPL 2021 is applicable to all seven emirates; these include Umm Al-Quwain, Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah, and Abu Dhabi (the capital). Further, the PDPL is the first federal law that was created in collaboration with significant private sector technology firms.


The PDPL, Federal Decree-Law No. 45/2021, is an integrated framework that ensures information confidentiality and protects people's privacy in the UAE. It outlines the roles and responsibilities of all parties involved and offers effective governance for data management and protection. The provisions of the law apply to the complete or partial processing of personal data using electronic systems, whether done domestically or abroad.


The law specifies safeguards for the processing of personal data as well as the basic duties of businesses that handle personal data to keep it secure, discreet, and private. It forbids the processing of personal data without the owner's consent, with some exceptions for situations when the processing is required to uphold a legal right or to safeguard public interest.


The law grants the data owner the right to request that inaccurate personal data be corrected and to request that the processing of his personal data be limited or stopped. It sets out the requirements for the cross-border transfer and sharing of personal data for processing purposes.


The UAE lacked a comprehensive federal data protection law prior to this rule. Organizations instead looked to particular clauses in legislation like the Constitution and UAE Penal Code, which control privacy and data security in the UAE in a more indirect manner. Separately, the financial free zones in the UAE, the Abu Dhabi Global Market ('ADGM') and the DIFC have already put into place their own data protection rules, both of which are heavily influenced by the European Union's approach to data protection.


While organizations with a base in the ADGM or DIFC or even those operating in third countries with their own data protection laws will be familiar with many of the PDPL's provisions, the introduction of the data law required a step-change in how many onshore UAE organizations processed personal data.

Who does this regulation apply to?


The PDPL applies to the following:

1. An individual who resides or has a place of business in the UAE;

2. An organization that is established in the UAE that processes the personal data of individuals, whether those individuals are located inside or outside the UAE; and

3. An organization that is not established in the UAE that processes the personal data of individuals that are located inside the UAE.


This means that even if the actual processing is done in Europe, a company based in the UAE that handles personal data of people living in, say, Europe must abide by the PDPL. The PDPL will also apply to firms that are not based in the UAE but handle the personal data of people who live there and will have extra-territorial effect.


It is still unclear how this will be regulated and upheld, particularly in cases where the processing takes place outside of the UAE. It is crucial to remember that whether a person is physically present in the UAE or not is more essential than their nationality.


There are some important exceptions to the Data Law. In particular, it does not apply to:

1. Government data.

2. Government authorities.

3. Organizations incorporated in the ADGM and DIFC and any other free-zones that have enacted their own data protection legislation (the "Free-zones").

4. Personal Data under security and judicial authorities (the police, for instance).

5. Individuals who process personal data for their own use.

Are there any cross-border transfer rules in the UAE?


Similar to the GDPR, the UAE PDPL forbids the transfer of personal data outside of the UAE, with some exceptions taken into account. Businesses with a global presence, using cloud hosting outside of the UAE, or utilizing outsourcing contracts may be impacted by this. In order to assure compliance, businesses might need to re-evaluate their data hosting and transfers and put in place the required safeguards.


The PDPL sets out the framework for protecting personal data and imposes restrictions on how personal data is collected, stored, and used by organizations.

· Organizations must comply with the PDPL if they want to transmit personal data to data controllers and processors outside their home country. Organizations must make sure that the data being transferred is appropriately protected, and the data transfer agreement must include specific provisions forbidding the transfer of data to a country where there are insufficient data security or protection regulations.

· Along with identifying the destination countries, organizations must also explain the transfer's goal. The destination nation must be determined based on the type of data being transferred, the intended use of the transfer, and the nation's legal framework.

· Additionally, organizations must ensure that personal data transfers are legal, appropriate, and compliant with all relevant laws and regulations.


The law offers UAE organizations an efficient and safe regulatory framework for data protection, since cross-border data transfer is viewed as an area of consumer protection and security concern.

What does one have to do to comply with the data protection laws in the UAE?


Compliance involves a number of procedures, including adhering to strict data protection laws and best practices to the letter, educating personnel to be data compliant, reviewing the privacy policy frequently, using industry-recognized safeguards like encryption, and regularly updating software, among others.


Mainly:

1. Conduct data privacy assessments.

2. Identify the lawful basis of processing of personal data.

3. Develop appropriate consent mechanism & policies.

4. Fulfil cross-border data transfer obligations.

5. Provide privacy notices to individuals for the processing of their personal data.

6. Assess the need to conduct a personal information impact assessment.

7. Appoint a Data Protection Officer (or 'DPO').

8. Maintain a record of processing activities.

9. Maintain a comprehensive DSR framework.

10. Develop a data breach response process.

Our data protection experts have assisted organizations assess their state of readiness and comply with data protection and privacy regulations across the globe. We have assessed the PDPL in detail and are available to help organizations comply with this regulation in the UAE.


Please do not hesitate to reach out to us at contactus@mgcglobal.co.in.


Best regards

Markets Team

MGC Global Risk Advisory

About MGC Global Risk Advisory

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the US$ 4.6 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.98 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has 261 member firms across the globe, in 105 countries.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.