A new data protection law came into force in the Dubai International Financial Centre (DIFC) on 1 July 2020. The new law, Law No. 5 of 2020 (DIFC DP Law), which repeals the Data Protection Law No.1 of 2007, bears striking similarities to the EU’s General Data Protection Regulation (GDPR). The Law applies to controllers or processors that process personal data in the DIFC on a regular basis, regardless of the entity’s place of incorporation.

The DIFC DP Law will be actively enforced as of 1 October 2020. Unlike the situation with the introduction of the GDPR, where companies had a two-year transition period before enforcement began, DIFC entities have not had much time to prepare for compliance. With the date of enforcement just around the corner, it is important for companies operating in the DIFC to take the time now to achieve compliance with the new law if they have not already done so.

The DIFC DP Law draws heavily from the GDPR, so much so that the two can almost be read side by side.  For example, as with the GDPR, the DIFC DP Law:

  • requires records of processing to be kept;
  • follows the concepts of “controllers” and “processors” of data, as well as “joint controllers”;
  • establishes lawful bases required for any processing;
  • introduces general requirements from processing data comparable to the data processing principles contained in the GDPR;
  • follows the concept of Data Protection Impact Assessments (DPIAs) to be carried out for ‘high risk’ processing;
  • grants data subjects rights on par with those granted by the GDPR;
  • grants data subjects the right to seek compensation where they have suffered damage as the result of an infringement of the law;
  • prohibits international transfers unless there are appropriate safeguards in place; and
  • sets out the criteria for determining when an entity will need to appoint a Data Protection Officer (DPO).

We have prepared a table containing a side-by-side comparison of the DIFC DP Law against the GDPR. The table and information on how our EMEA Data Protection Team can help you in your compliance efforts is available here.