
A Guide to UAE Federal Data Protection Law

11 February 2022

The United Arab Emirates (“UAE”) introduced a new Data Protection Law, ‘Federal Decree-Law No (45) of 2021’, in September 2021. It entered into force on 2 January 2022 and governs the collection and processing of personal data in the country. The executive regulation is due to be issued within six months of the issuance date of the Law and is expected sometime around March 2022. Following that, organisations have a further six months to comply with the Law.

The UAE Federal Data Protection Law – 2021 constitutes an integrated framework to ensure the confidentiality of the information and protect the privacy of individuals in the UAE. It provides proper governance for data management and protection and defines the rights and duties of all parties concerned.

Personal Data: Any data relating to a specific natural person or relating to a natural person that can be identified directly or indirectly by linking the data, using identification elements such as his name, voice, picture, identification number, or his electronic identifier, his geographical location, or one or more of his physical, physiological, economic, cultural, or social characteristics, including sensitive personal data and biometric data.

Sensitive Personal Data: Any data that directly or indirectly discloses a natural person's family, ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, or any data relating to that person's health, including his physical, psychological, mental, genetic, or sexual condition, including information related to the provision of health care services to him that reveals his health status.

Controller: The establishment or natural person who has personal data, and by virtue of its activity, determines the way, method, and criteria for processing this personal data and the purpose of its processing, whether alone or jointly with other persons or establishments.

Processor: The establishment or natural person that processes personal data on behalf of the controller so that he processes it under his direction and according to his instructions.

Data Protection Officer: Any natural or legal person appointed by the controller or processor, who undertakes the tasks of ascertaining the extent to which the entity to which he belongs complies with the controls, requirements, procedures, and rules for processing personal data protection stipulated in this Decree-Law, and to ensure the integrity of its systems and procedures in order to achieve compliance with its provisions.

Data breach: The process of breaching information security and breaching personal data through the illegal or unauthorised entry and access to them, including copying, sending, distributing, exchanging, transferring, circulating, or processing in a way that leads to disclosure or detection of this data to third parties, or its destruction or modification during the process of storage, transmission, and processing.

Cross-Border Processing: Dissemination, use, display, transmission, reception, retrieval, use, sharing or processing of personal data outside the geographical scope of the country.

Consent: The consent in which the data subject authorises a third party to process his personal data, provided that this consent is in a specific, clear, and unambiguous manner that he accepts the processing of his personal data through a clear positive statement or action.

Who will be the regulator?

A UAE Data Office will be established to act as the federal data regulator in the UAE. The Office, which is affiliated with the UAE Cabinet, will be responsible for:

  • preparing policies and legislations related to data protection
  • proposing and approving the standards for monitoring Personal Data Protection Law
  • preparing systems for complaints and grievances related to data
  • issuing guidelines and instructions for the implementation of the Law

The provisions of the Law apply to the processing of personal data, whether by means of electronic systems that operate automatically or by other means, by:

  • Every data subject residing in the country or having a place of business therein.
  • Every controller or processor located in the country that carries out the activities of processing the personal data of data subjects inside or outside the country.
  • Every controller or processor located outside the country that carries out the activities of processing personal data of data subjects in the country.

The provisions of this Law do not apply to the following:

  • Government data
  • Governmental entities controlling personal data or those that process it.
  • Personal data held by the security and judicial authorities.
  • The data subject who processes his data for personal purposes.
  • Personal health data for which there is legislation regulating the protection and processing of such data.
  • Personal banking and credit data and information for which there is legislation regulating the protection and processing of such data.
  • Companies and institutions located in free zones in the country that have special legislation for the protection of personal data.

Consent from Data Subjects: It is prohibited to process personal data without the consent of its owner, subject to certain exceptions. These include scenarios where the processing is necessary to protect the public interest, to establish any legal claim or defend rights, for archival or scientific purposes, or to protect the interests of the data subject.

Obligations of the Controller: Controllers must take appropriate technical and organisational measures to implement the necessary standards to protect and secure personal data, maintain a special record of personal data, and designate a processor that provides sufficient guarantees to implement technical and organisational measures in a manner that ensures the processing meets the requirements of the Law.

Obligations of the Processor: The processor must carry out the processing in accordance with the instructions of the controller; apply appropriate technical and organisational procedures and measures to protect personal data from the design stage; erase the data after the expiry of the processing period or hand it over to the controller; protect and secure the processing operation, the electronic media and devices used in the processing, and the personal data held on them; and maintain a special record of the personal data processed on behalf of the controller, among other duties.

Data Breach Notification: Controllers must inform the Data Office of every personal data breach that would "prejudice the privacy, confidentiality and security of a data subject's personal data" on becoming aware of it. The controller must also notify the affected data subjects of the breach. The detailed timeline for breach notification and the required action items are to be published in the executive regulation.

Data Protection Officer: The controller and processor must appoint a data protection officer with sufficient skills and knowledge to protect personal data where the processing would cause a high level of risk to the confidentiality and privacy of the data subject's personal data, where the processing includes a systematic and comprehensive assessment of sensitive personal data, or where the processing involves a large volume of sensitive personal data.

Data Subject Rights: The data subject has the right to obtain, free of charge, information about his personal data and the processing activities performed on it. The data subject also has the right to request the transfer of his personal data to another controller whenever this is technically feasible. Further, the data subject has the right to request that the controller correct inaccurate personal data or complete it without undue delay. Finally, the data subject has the right to require the controller to restrict or stop processing of his data in a number of cases.

Security of personal data information: The controller and processor must develop and take appropriate technical and organisational procedures and measures to ensure the application of the level of information security that is commensurate with the risks associated with processing in accordance with the best international standards and practices.

Data Protection Impact Assessment: Taking into account the nature, scope and purposes of the processing, the controller must, before carrying out the processing, evaluate the impact of the proposed processing operations on the protection of personal data when using any of the modern technologies that would pose a high risk to the privacy and confidentiality of the personal data of the data subject.

Cross-border transfer and sharing of personal data: Personal data may be transferred outside the country if the country or territory to which personal data will be transferred has special legislation for the protection of personal data, which includes the most important provisions, measures, controls, requirements and rules for protecting the privacy and confidentiality of personal data of the data subject, his ability to exercise his rights, and provisions related to imposing appropriate measures on the controller or processor through a supervisory or judicial authority. It is expected that the UAE data office will designate approved countries for data transfers in due course.

Data Breach Notification: GDPR emphasises notifying data subjects of any breach within 72 hours. The UAE Law, by contrast, requires controllers to inform the Data Office of every personal data breach that would "prejudice the privacy, confidentiality and security of a data subject's personal data" on becoming aware of it, and to report the results of the subsequent investigation within the period set by the executive regulations.

Penalties: GDPR sets defined penalty tiers (2% of global annual turnover or €10 million, or 4% of global annual turnover or €20 million) depending on the violation. The UAE Law does not yet specify a percentage of revenue; clarity on penalties and administrative fines is expected in mid-2022 as part of

Legitimate Interest Justification: The UAE Data Protection Law does not provide a legal basis for processing personal data on the grounds of legitimate interests, which GDPR clearly specifies. Instead, the Law assumes that the individual's consent will be obtained unless an exception applies, such as where the processing is necessary to protect the public interest, to defend a legal claim, to perform a contract, to protect the interests of the individual, or under any other condition specified by the Law.

  • Leadership Support, Governance and Data Privacy Team: Obtain leadership support for data privacy and protection initiatives across the organisation. Establish governance for data management activities and privacy programmes, along with a dedicated DPO and an experienced team, to focus on implementing privacy initiatives and reporting progress.
  • Data Handling and Processing: Identify where your data is located and what it is, determine who has access to it, and define how you will implement privacy controls. Data management can be a challenging task for organisations; it can be simplified by using "ROBUS", BDO's Data Governance tool, which harnesses the power and stability of the latest technologies to enable businesses to document data protection, risk and governance activities in one place and demonstrate compliance with the Law.
  • Policies and Procedures: Review and update data privacy policies and procedures to incorporate necessary changes to address data privacy clauses from Law and regulations, and create necessary procedures including Data Subject Rights procedure, Data Breach procedure etc. Also, review various disclaimers, notices, and contracts to incorporate appropriate data privacy related clauses/details/information.
  • Training and Awareness: Deliver training and awareness on data privacy and protection throughout the organisation so that senior management and staff understand the basic principles of the Law: fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality, accountability, and so on.
  • Technical Controls: A data privacy strategy relies on the implementation of strong security controls. This includes organisational or programmatic controls such as policies, training and awareness, incident response plans and password policies, and technical controls such as encryption, anonymisation, logging, multi-factor authentication and vulnerability detection. One important safeguard for data protection is data loss prevention (DLP), which prevents unauthorised leakage of data outside the organisation. Once data is classified, the technical implementation of DLP can apply policies to each classification level to prevent unwanted sharing.