His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai has enacted a new DIFC Data Protection Law (New DIFC Law), which replaces the DIFC Data Protection Law of 2007 (as amended) (2007 DP Law).

The New DIFC Law reflects many of the requirements of the EU’s General Data Protection Regulation (GDPR) seen by many as the ‘gold standard’ for data protection compliance. The New DIFC Law will predominantly apply to businesses with operations in the Dubai International Financial Centre (DIFC), an economic zone located in the Emirate of Dubai.

The new law will come into force on 1 July 2020. However, organisations will be given until 1 October 2020 to achieve compliance to allow for the impact of the COVID-19 pandemic on business operations. This gives organisations just a few months to make any changes required to bring their compliance frameworks into line with the new law. 

Organisations with EU operations or who are otherwise subject to the GDPR are likely to be familiar with many of the New DIFC Law’s concepts, and may already be in a good position to comply with the new law by adapting or re-purposing existing GDPR based policies and procedures.

From our previous experience in preparing for the GDPR coming into force, we recommend that organisations begin planning now. In particular, organisations should prioritise fact gathering and other time intensive tasks such as contract remediation. Importantly, there are some key differences between the GDPR and New DIFC Law, which organisations should be aware of. We have summarised the key obligations under the New DIFC Law, as well as some of the differences to the GDPR, in our analysis. You can view the full alert here or in the download button below.

If you would like to get in touch with our team to discuss the changes to the New DIFC Law, please feel free to contact one of the lawyers below or your usual Baker McKenzie contact.


Kellie Blyth is a Counsel and Head of the UAE Data and Technology practice of Habib Al Mulla & Partners, a member firm of Baker & McKenzie International, based in Dubai. An experienced technology and privacy lawyer, Kellie has been advising local and multinational clients in the technology, telecoms, financial services, insurance and automotive sectors, on their strategic IT projects, helping them develop, commercialise and implement digital and technology solutions whilst managing legal and regulatory risk.


Benjamin Slinn is a senior associate in Baker McKenzie’s London office, focusing on data protection, e-commerce consumer law, as well as immersive technologies and video games. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches.

Write A Comment