His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai has enacted a new DIFC Data Protection Law (New DIFC Law), which replaces the DIFC Data Protection Law of 2007 (as amended) (2007 DP Law).
The New DIFC Law reflects many of the requirements of the EU’s General Data Protection Regulation (GDPR) seen by many as the ‘gold standard’ for data protection compliance. The New DIFC Law will predominantly apply to businesses with operations in the Dubai International Financial Centre (DIFC), an economic zone located in the Emirate of Dubai.
The new law will come into force on 1 July 2020. However, organisations will be given until 1 October 2020 to achieve compliance to allow for the impact of the COVID-19 pandemic on business operations. This gives organisations just a few months to make any changes required to bring their compliance frameworks into line with the new law.
Organisations with EU operations or who are otherwise subject to the GDPR are likely to be familiar with many of the New DIFC Law’s concepts, and may already be in a good position to comply with the new law by adapting or re-purposing existing GDPR based policies and procedures.
From our previous experience in preparing for the GDPR coming into force, we recommend that organisations begin planning now. In particular, organisations should prioritise fact gathering and other time intensive tasks such as contract remediation. Importantly, there are some key differences between the GDPR and New DIFC Law, which organisations should be aware of. We have summarised the key obligations under the New DIFC Law, as well as some of the differences to the GDPR, in our analysis. You can view the full alert here or in the download button below.
If you would like to get in touch with our team to discuss the changes to the New DIFC Law, please feel free to contact one of the lawyers below or your usual Baker McKenzie contact.