UAE Data Protection Law
A new range of legal reforms has recently been introduced in the UAE, namely the UAE Federal Decree-Law No 45 regarding Personal Data Protection.
The EU went through similar changes back in 2018 with the implementation of “GDPR”, and if any lesson can be learnt from that, it is that this requires careful planning and preparation to avoid any issues, challenges or potential fines come the day the requirements go live.
I have taken the opportunity to highlight some of the items that all companies will need to consider when working their way through the list of requirements that need to be completed ahead of deadline day come November 2022.
The aim of the law is to ensure that all data is kept safe, secure and held in a transparent and accurate manner.
Data Subjects – you, the customer – will now have much greater control and say in how your data is managed and shared.
There must be specific reasons why your data is held, for what purpose and for how long.
Listed below are some tips and suggestions to help companies in their planning for this Legal Decree.
The list is not exhaustive by any means; however, it will start you thinking that this is something that requires a lot of thought and careful, strategic planning to ensure success and preparedness come live day.
DPIA – Data Protection Impact Assessment
This will be required to commence any workstream ahead of any project. The aim of the DPIA is to perform a health check against current state v desired state in terms of what you need to complete to be compliant.
DPO – Data Protection Officer
This is a new and vital role going forwards: this person or these people will ensure strict compliance with the laws and will be a point of contact for the company with the Supervisory Authority.
The DPO can be an existing employee, or the role can be outsourced to a third party. The reporting line must be to the senior levels within the organisation, and the role's impartiality is paramount.
The recruitment for this role will be a clear signal to the regulator that you are giving data protection the level of focus that is required.
WORKSTREAMS – CULTURAL CHANGE
This will require the highest levels of support from the Board, cascading throughout the organisation.
A working group will need to be established to cover Personal data audits, Gap Analysis, Project management parameters, and to ensure all key stakeholders are ready for the cultural change that is coming.
TRAINING & AWARENESS
There are various programmes that will benefit companies as early in the process as possible.
Training for all staff is a must, from awareness of what is required to more specific and technical areas such as the DPO role and the processing and controlling functions that will be required.
Add this to your HR budgets for 2022 now. Training will become an ongoing part of your training budgets going forwards.
NOT JUST THE UAE
The Protection law also expects you to have clear governance about how you manage data sent to outside countries. Therefore, if your organisation manages clients across multiple countries, this will need to be evidenced just as it will be for UAE residents.
SANDS OF TIME
The timelines are incredibly tight when all that is required is considered.
With further changes to come later this year with regard to possible enforcement actions for non-compliance, there is no time to waste in starting the work.
The EU legislation imposed heavy fines for non-compliance, and we must assume that similar penalties may come into effect in the UAE; this is to be confirmed around March/April time.