Organizations in the United Arab Emirates are entering a new era of data privacy enforcement. In late November, as part of its 50th anniversary, the UAE federal government issued a sweeping set of legal reforms, which notably included the UAE Federal Decree Law No. 45 for the 2021 Personal Data Protection Law. While this law has been long-awaited by data privacy experts in the region, many organizations are not prepared for the new obligations and controls that pertain to data processing and responding to new data subject rights. With less than one year before enforcement will begin, impacted organizations need to take swift action to achieve compliance.
In recent years, the UAE government has been taking numerous legislative and enforcement steps toward aligning the country’s business and social environment with global best practices to support its evolution as a world-class center for commerce. The Personal Data Protection Law, along with several other new laws introduced as part of the recent legal reforms, makes significant strides on this front.
One of the law’s central aims is to ensure all personal data processed in the UAE is processed transparently, honestly, fairly, accurately and kept secure, and that data breaches are reported to authorities as well as affected data subjects. The new decrees include establishment of the Emirates Data Office to monitor and enforce the UAE Personal Data Protection Law countrywide. Like the EU General Data Protection Regulation, the regulation gives considerable control and rights to data subjects. This includes restricting the use of data to only the reason for which it was initially captured (purpose limitation) and only for as long as needed (data retention). Data must also be correct and up to date (data accuracy) and stored in a way that upholds security and confidentiality (data security).
This means that when the law takes effect Jan. 2, 2022 (enforcement begins September 2022), organizations must disclose to data subjects specifically why data is being collected, how it is used and with which parties it will be shared. Personal data under the law may include traditional personal information such as birthdates and addresses, as well as biometrics, voice recordings, images and other files with identifiers unique to a specific individual. To maintain compliance, organizations will also need to have processes in place to immediately contain and remove personal information from processing and storage systems upon the request of a data subject (i.e., respond to data subject access requests, or DSARs). Additional individual rights provided in the law include the right to be forgotten, the right to be provided with a copy of all data the organization holds on that individual, data portability and rectification rights, and the right to easily revoke consent.
How should you prepare?
Virtually all organizations in all seven emirates that collect or process personal data — or those operating elsewhere but processing data belonging to UAE residents — will need to establish or adjust their data privacy program, and quickly. For many this effort will include substantial changes to daily operations. Key steps that should be kicked off now include:
- Appoint a data protection officer. The law allows for an organization’s DPO to be an employee or outsourced to a third party with data privacy expertise. Not all organizations will need a DPO, but having one in place demonstrates to regulators that the organization takes privacy compliance seriously.
- Create consent forms and disclosures for the processing of all personal data. In situations where obtaining consent is not an option or not practical, organizations are only permitted to process data if they are doing so for the protection of public interest, for a judicial or security proceeding, for the protection of public health, when it is necessary for compliance with other laws (e.g., know your customer) and several other limited purposes.
- Review contracts with vendors and suppliers to determine which ones involve data sharing. Organizations that collect data (controllers) are responsible for any downstream data processors they use. Thus, if an organization outsources certain functions, it remains ultimately responsible for ensuring that its providers also process data in line with UAE law, regardless of where in the world the data processor is located. A thorough audit of data protection compliance among all third parties with which personal data is shared will be needed, and contracts should be updated to reflect data privacy compliance requirements and liabilities. Similarly, employee contracts may need to be revised to reflect data protection provisions and other recently announced labour law changes in the UAE.
- Create a data map and a Record of Processing Activity. All controllers and processors are obliged to have both in place to accurately document exactly which processes and systems are utilizing personal data.
- Establish a breach response plan and breach notification procedures. Once the law comes into effect, organizations controlling and processing personal data will be expected to be able to identify when a breach of personal data has occurred and to have a robust plan for how breaches will be handled, including procedures for analyzing the affected personal data and for notifying the regulator and the individuals impacted.
- Develop a Data Protection Impact Assessment, Vendor Assessment Questionnaire and Privacy Impact Assessment documents to support audits of third parties and provide a standardized way for the legal, compliance, IT and privacy teams to evaluate new technologies and partners against the organization’s privacy obligations and risks. These and other supporting materials will provide a foundation for the overarching privacy policy and should be intertwined with other relevant policies and procedures.
- Coordinate with IT to establish robust information security and access control mechanisms to ensure data doesn’t fall into the wrong hands.
- Build up DSAR processes and procedures to ensure all requests from data subjects can be dealt with in a timely manner. DSAR processes should be supported by technology workflows that provide an audit trail of actions performed and streamline the manual work involved with finding and containing pertinent documents across a wide range of systems and data sources.
- Examine all outside countries and jurisdictions to which data is routinely transferred. If any are not deemed to provide an adequate or equivalent level of protection, special controls and documentation will be needed to enable continuation of transfers.
- Train all staff on the new data privacy requirements and processes. Training should be conducted on an ongoing basis to reinforce a culture of compliance and keep employees up to date on changes in laws and policies.
The timeline for implementing these changes is incredibly tight, and for some organizations this may be the first time they’ve been required to establish data privacy policies and processes. Adding another layer of challenge is that it’s still uncertain exactly how the UAE will approach breach reporting timelines and fines. This makes it difficult for organizations to determine their overall risk position with regard to the new law. Given that more changes and clarifications are on the way in early 2022, including executive regulations that will offer specifics about enforcement actions, it’s critical to get started on initial steps now. Teams that do so will be in a stronger position to adjust and respond as additional developments emerge and their organization’s risk position comes into clearer focus.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates or its other professionals. © 2021 FTI Consulting LLP. All rights reserved.