Our knowledge, experience, and expertise are now available on the go.
My Tamimi App, a convenient new tool for anyone with an interest in the legal sector, from law students to General Counsel.Find out more
The Dubai International Financial Centre (‘DIFC’) has issued a new DIFC Data Protection Law, DIFC Law No. 5 of 2020 (‘DIFC Data Protection Law’). The DIFC Data Protection Law replaces the previous DIFC data protection law, DIFC Law No. 1 of 2007.
Modelled on Europe’s General Data Protection Regulation (‘GDPR’), the DIFC Data Protection Law provides enhanced standards and controls for the processing and movement of personal data by controllers and processors, and protects the fundamental rights of data subjects. One purpose of the DIFC Data Protection Law is to protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
In this article, we explore the obligations on ‘controllers’ (i.e. entities that control the processing of personal data) and ‘processors’ (i.e. entities that process personal data under the direction of a controller) to notify the DIFC Data Protection Commissioner, and affected data subjects, in the event of personal data breach incidents.
Guidance issued by the Commissioner of Data Protection sets out that controllers and processors should consider the following matters with regards to enhancing information security and protecting against personal data breaches:
Controllers and processors should prepare an incident response plan to ensure the correct procedures are followed to reduce the risk of personal data breaches, and to know what to do if a breach incident occurs. The incident response plan should be aligned to the personal data breach requirements in the DIFC Data Protection Law.
Controllers and processors should ensure they provide specific DIFC Data Protection Law training to personnel, including training focussed on data breach incidents. Such training will assist personnel in recognising data breach incidents, which can take a variety of forms, ranging from inadvertently sending an email to the wrong recipient through to sophisticated hacking events.
The DIFC Data Protection Law sets out that if there is a personal data breach that compromises a data subject’s confidentiality, security or privacy, the controller involved shall, “as soon as practicable” in the circumstances, notify the personal data breach to the DIFC Commissioner of Data Protection. If a processor discovers a personal data breach, the processor is required to notify the relevant controller without undue delay.
The notification to the Commissioner should:
When a personal data breach is likely to result in a high risk to the security or rights of a data subject, the controller shall communicate the personal data breach to an affected data subject as soon as practicable in the circumstances. If there is an immediate risk of damage to the data subject, the controller shall promptly communicate with the affected data subject in clear and plain language containing the following information (at the least):
The Commissioner has the option to communicate the personal data breach to the data subjects where there is a high risk to the security or rights of the data subjects involved, or otherwise direct the controller to make a public communication disclosing that the personal data breach has occurred.
The DIFC position in relation to personal data breach notification obligations is similar to the GDPR approach, but there are some distinct differences:
Controllers and processors subject to the DIFC Data Protection Law must ensure they are across all obligations with respect to data breach notification obligations, including with regard to notifications to the Commissioner of Data Protection and to affected data subjects. Besides the risk of fines and claims for damages, failure to act appropriately in addressing data breach incidents can also result in reputational damage.
Disclaimer: This chat service should not be relied upon as a substitute for professional advice which takes account of your specific circumstances and any changes in the law and practice. No warranty is made as to the accuracy or completeness of the information provided via this service and no liability is accepted by Al Tamimi & Company Limited, its affiliates, partners or employees for any loss arising as a result of reliance upon the information provided.
Kindly accept the disclaimer to proceed to a live chat.
Thank you for your inquiry. We will connect you to one of our agents now.
Thank you for your interest in working with Al Tamimi & Company. Please click here to view our latest job openings.