UAE Data Protection Law: The requirements and ensuring compliance
On 2 January 2022, the United Arab Emirates (UAE) launched its Federal Personal Data Protection (PDP) Law – a new law which provides a legal framework to ensure the security and privacy of personal information. Niraj Mathur and Sivanantham Shanmugam from Protiviti walk through the law’s key requirements, and how companies can comply.
The PDP Law is designed to protect and strengthen the data privacy rights of UAE citizens and residents, and to reshape the way organizations address data security and privacy requirements.
The PDP Law has a territorial reach and applies to:
The UAE Cabinet has established the UAE Data Office as the competent supervisory authority responsible for enforcing the federal law. Once the Executive Regulations are issued, organizations will need to comply with the UAE PDP Law within a period of six months.
Under the UAE PDP Law, businesses (data controllers) and their suppliers (data processors) are required to demonstrate compliance. Though the penalties are yet to be released, the appointed bureau can carry out investigations and audits of organizations found to be violating the provisions of the law and impose administrative penalties.
Exemptions
The provisions of the decree do not apply to the following:
1. Data generated and managed by the Government sector
2. Government authorities that control or process personal data
3. Free-Zone companies which are already subject to data protection legislation
4. Security and judicial authorities who process personal data
5. Personal health data that is already subject to data protection legislation
6. Banking and credit personal data subject to legislation regulating data processing and protection
7. Individuals that process data related to them for personal purposes
Core elements of the law
The UAE PDP Law combines the leading practices from a variety of current, world-class data protection laws, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other forward-thinking technology-agnostic concepts.
The key requirements of the UAE PDP Law cut across various areas incorporating aspects of risk management, compliance, legal obligations, data protection, data governance, and record management. The PDP Law requires organizations to adopt a holistic, structured, and collaborative approach to establish a privacy program that aims to uphold the privacy rights of individuals in the UAE.
A high-level overview of the key obligations of the UAE PDP Law:
What should companies do?
The UAE PDP Law brings about a paradigm shift in the way businesses view the collection and processing of personal data, affecting businesses across all industries that process it. Key considerations for businesses navigating the UAE PDP Law compliance journey include:
Visibility over personal data
Over the last few decades, technological advancements and business transformations have led organizations to collect and process large volumes of data, including personal data. Given the UAE PDP Law requirements, those large volumes now create a need for greater visibility and control over personal data specifically.
Multiple requirements under the UAE PDP Law, such as providing privacy notices, maintaining a record of processing activities, fulfilling data subject requests, and ensuring confidentiality and integrity, raise a key question that businesses must address: “Do I know what personal data my business collects or processes?”
To answer it, businesses should carry out a data discovery exercise to identify and map the collection, storage, processing, and transfer of personal data within their environment.
Ensuring processing is fair and legitimate
Today, personal data and its associated processing activities are an essential and often unavoidable part of business operations. While the UAE PDP Law does not stop businesses from collecting or processing personal data, it expects businesses to ensure that personal data is processed legally, fairly, and transparently.
Therefore, it is important for businesses to review their business processes to ensure the processing of personal data is legitimate and aligned to one of the lawful bases recognized under the UAE PDP Law. Further, businesses should review and update their privacy policies and notices to increase transparency about how they collect and use personal data.
Additionally, businesses should establish or update mechanisms to obtain and record consent (where necessary) from data subjects before continuing to process their personal data.
Upholding individuals’ privacy rights
Under the UAE PDP Law, data subjects have rights over their personal data, including the “right to information and access”, “right to rectification/ blocking/ erasure”, “right to data portability”, and the “right to object”. For example, a data subject can ask an organization for a copy of all of their personal data, or for the correction or deletion of certain personal data, and the organization is expected to fulfil the request subject to the exemptions allowed under the law.
This would require businesses to enforce better control over personal data and establish standard operating procedures to manage the lifecycle of such requests received from data subjects.
Addressing cross-border concerns
The UAE PDP Law prohibits the transfer of personal data outside the UAE, barring certain exemptions provided for under the law. This may affect businesses that have a global presence, use cloud hosting outside the UAE, or rely on outsourcing arrangements. As a result, they may need to reassess where data is hosted and how it is transferred, and implement the measures necessary to ensure compliance.
Use of third parties
Businesses routinely engage third-party service providers to support their business processes. With the advent of the UAE PDP Law, the traditional approach to vendor onboarding and management should be reassessed and redefined accordingly.
The UAE PDP Law requires businesses to implement additional measures before sharing personal data with third-party vendors (‘data processors’), such as conducting data privacy and security due diligence before engaging them, incorporating contractual obligations around data privacy and security, and monitoring their compliance.
Consent management
The UAE PDP Law recognizes ‘consent’ as one of the lawful bases that can justify processing activities. Similar to GDPR, the PDP Law further clarifies the requirements around the use and management of consent, which requires businesses to evaluate their traditional practices and assess the validity of the consent they collect. For consent to be valid, it should be freely given, explicit, unconditional, specific, and informed.
Additionally, mechanisms to facilitate consent withdrawal should be established, which should be as seamless as the process followed for obtaining consent.
Assessment of the impact of personal data protection
The UAE PDP Law requires businesses to assess the privacy impact of processing activities that meet specific criteria, so that data privacy risks are proactively identified and mitigated, privacy is maximized, and adequate measures are implemented to minimize the impact on data subjects.
Specific obligations for Data Processors
The UAE PDP Law recognizes specific obligations for data processors that process personal data upon specific instructions from data controllers. This means that processing activities concerning data subjects in the region, carried out by service providers within the region or outside, are regulated under the UAE PDP Law.
These obligations include ensuring the purpose of processing is aligned to the written instructions of the data controller, implementing appropriate technical and organizational safeguards, and following appropriate data retention/ disposal procedures.
Breach Notification
The UAE PDP Law requires businesses to report data breaches, or other violations involving personal data that may affect its privacy, confidentiality, or security, to the bureau within specific time periods (to be set out in the Executive Regulations, which are expected to be published shortly) and, in certain circumstances, to the affected data subjects as well.
Achieving compliance
To successfully govern, manage, operate, and monitor business processes to ensure compliance with the UAE PDP Law requirements, it is key for businesses to establish a formalized Data Privacy Program.
This requires businesses to develop policies and procedures, assign roles and responsibilities, formalize a risk management program, and establish mechanisms for governance and compliance so that data privacy risks are managed effectively and the UAE PDP Law requirements are met.