Category: Dubai

Act Now Partners with Middlesex
University Dubai for UAE’s first
Executive Certificate in DP Law

Act Now Training, in collaboration with Middlesex University Dubai, is excited to announce the launch of the UAE’s first Data Protection Executive training programme. This qualification is ideal as a foundation for businesses and organisations aiming to comply with the UAE Federal Data Protection Law.

This practical course focusses on developing a data protection framework and ensuring compliance with the UAE Data Protection Law’s strict requirements. This is particularly relevant given the recent advancements in Data Protection law in the Middle East, including the UAE’s first comprehensive national data protection law, Federal Decree Law No. 45/2021. 

This law regulates personal data processing, emphasising transparency, accountability, and data subject rights. It applies to all organisations processing personal data within the UAE and abroad for UAE residents.

The importance of understanding this law is paramount for every business and organisation, as it necessitates a thorough reassessment of personal data handling practices. Non-compliance can lead to severe penalties and reputational damage.

The Executive Certificate in UAE DP Law is a practical qualification delivered over 5-weeks in two half day sessions per week and offers numerous benefits:

  1. Expertise in Cutting-Edge Legislation: Gain in-depth knowledge of the UAE’s data protection law, essential for professionals at the forefront of data protection practices.

  2. Professional Development: This knowledge enhances your resume, especially for roles in compliance, legal, and IT sectors, showing a commitment to legal reforms.

  3. Practical Application: The course’s structured format allows gradual learning and practical application of complex legal concepts, ensuring a deep understanding of the law.

  4. Risk Mitigation: Understanding the law aids in helping organisations avoid penalties and reputational harm due to non-compliance.

  5. Networking Opportunities: The course provides valuable connections in the field of data protection and law.

  6. Empowerment of Data Subjects: Delegates gain insights into their rights as data subjects, empowering them to protect their personal data effectively.

Delegates will receive extensive support, including expert instruction, comprehensive materials, interactive sessions, practical exercises, group collaboration, ongoing assessment, and additional resources for further learning. Personal tutor support is also provided throughout the course.

This program is highly recommended for officers in organisations both inside and outside the UAE that conduct business in the region or have customers, agents, and employees there. 

Act Now will be delivering and has designed the curriculum. Act Now Training is the UK’s premier provider of information governance training and consultancy, serving government organisations, multinational corporations, financial institutions, and corporate law firms.   

With a history of delivering practical, high-quality training since 2002.
Act Now’s skills-based training approach has led to numerous awards including most recently the Supplier of Year Award 2022-23 by the Information and Records Management Society in the UK. 

Our associates have decades of hands-on global Information Governance experience and thus are able to break down this complex area with real world examples making it easy to understand, apply and even fun!

Middlesex University Dubai is a 5 star rated KHDA university and one of three global campuses including London and Mauritius. It is the largest UK University in the UAE with over 5000 student enrolments from over 120 nationalities.

For more information and to register your interest, visit Middlesex University Dubai’s website. Alternatively you can Click Here.

Act Now in Dubai: Season 2 

On the 2ndand 3rd October 2023, the UAE held the first ever privacy and data protection law conference; a unique event organised by the Dubai International Financial Centre (DIFC) and data protection practitioners in the Middle East. The conference brought together data protection and security compliance professionals from across the world to discuss the latest developments in the Middle East data protection framework.  

Data Protection law in the Middle East has seen some rapid developments recently. The UAE has enacted its first federal law to comprehensively regulate the processing of personal data in all seven emirates. Once in force (expected to be early next year) this will sit alongside current data protection laws regulating businesses in the various UAE financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. Jordan, Oman, Bahrain and Qatar also have comprehensive data protection laws.  Currently what is causing most excitement in the Middle East data protection community is Saudi Arabia’s Personal Data Protection Law (PDPL) which came into force on 14th September 2022.  

The conference agenda covered various topics including the interoperability of data protection laws in the GCC, unlocking data flows in the region, smart cities, the use of facial recognition and data localisation. The focus of day 2 was on AI and machine learning. There were some great panels on this topic discussing AI standards, transparency and the need for regulation.   

Speakers included the UAE Minister for AI, His Excellency Omar Sultan Al Olama, as well as leading data protection lawyers and practitioners from around the world. Elisabeth Denham, former UK Information Commissioner, also addressed the delegates alongside data protection regulators from across the region. Act Now’s director, Ibrahim Hasan, was invited to take part in a panel discussion to share his experience of GDPR litigation and enforcement action in the UK and EU and what lessons can be drawn for the Middle East. 

Alongside Ibrahim, the Act Now team were at the conference to answer delegates’ questions about our UAE and KSA training programmes.
Act Now has delivered training  extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We were pleased to see there that there was a lot of interest in our courses especially our DPO certificates.  

Following the conference, Ibrahim was invited to deliver a guest lecture to law students at Middlesex University Dubai. This is the biggest university in Dubai with over 4500 students from over 118 countries. Ibrahim talked about the importance of Data Protection law and job opportunities in the information governance profession. He was pleasantly surprised by the students’ interest in the subject and their willingness to consider IG as an alternative career path. A fantastic end to a successful trip. Our thanks to the conference organisers, particularly Lori Baker at the DIFC Commissioner’s Office, and our friends at Middlesex University Dubai for inviting us to address the students.  

Now is the time to train your staff in the new data protection laws in the Middle East. We can deliver online as well as face to face training. All of our training starts with a free analysis call to ensure you have the right level and most appropriate content for your organisation’s needs. Please get in touch to discuss your training or consultancy needs.  

Act Now Launches New UAE DP Officer Certificate 

Act Now Training is pleased to announce the launch of the new UAE Data Protection Officer Certificate.  

Data Protection law in the Middle East has seen some rapid developments recently. The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are several sector specific laws in the UAE which address personal privacy and data security. Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws.   

These laws require a fundamental assessment of the way Middle East businesses handle personal data from collection through to storage, disclosure and destruction. With enhanced rights for individuals and substantial fines for non-compliance no business can afford to ignore the new requirements. 

Act Now’s UAE Data Protection Officer Certificate has been developed following extensive discussions with our clients and partners in the UAE and builds on our experience of delivering training and consultancy in the region. The course focuses on the essential knowledge required by DPOs to successfully navigate the UAE data protection landscape. The course will also help DPOs to develop the skills required to do their job better.
These include interpreting the data protection principles in a practical context, drafting privacy notices, undertaking DPIAs and reporting data breaches. 

The course teaching style is based on four practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Delegates will also have personal tutor support throughout the course and access to a comprehensive revised online resource lab. 

Ibrahim Hasan, director of Act Now Training, said: 

“I am really pleased to be launching this new UAE DPO certificate course. This is an exciting time for data protection law in the Middle East. Act Now is committed to contributing to the development of the DPO function in the region.” 

If you would like to discuss your suitability for this course, please get in touch. It can also be delivered as an in house option.

Middle East Data Protection Specialist Joins the Act Now Team

Suzanna Ballabas

Act Now Training is pleased to announce that Suzanne Ballabás, an experienced Dubai based data protection specialist, has joined its team of associates.  

Suzanne is a privacy professional with over ten years of practical experience in implementing privacy practices across various international organisations, in addition to acting as a compliance officer for multiple regulated entities within the UAE’s financial districts of DIFC and ADGM.  

Previously, Suzanne held the position of Head of Data Protection in the Middle East for Waystone, where she managed data protection infrastructure for over 100 firms and served as the Data Protection Officer for various organisations, including Michael Page, DP World Financial Services, and Waystone. She played a crucial role in establishing Waystone’s data privacy practice in the Middle East and possesses extensive knowledge of data protection laws and regulations in the UAE.

Before her time in Dubai, Suzanne was based in London, working with the GDPR, rolling out the international privacy programme for international accountancy practice Baker Tilly.  

Suzanne is a law graduate and holds multiple IAPP privacy qualifications including Certified Information Privacy Professional/Europe (CIPP/E), Certified Information Privacy Manager (CIPP/M), Certified Information Privacy Technologist (CIPP/T. She also specialises in ADGM Compliance (Financial Services), Money Laundering Reporting and International Human Resource Management. 

Suzanne said: 

“I am really pleased to be joining the Act Now team. I’m excited to start working with them to help deliver their excellent courses and training programmes particularly those targeted at the fast developing Middle East data protection landscape.” 

This is an exciting time for privacy law in the Middle East. Alongside the passing of the law, which is awaiting executive regulations,  Saudi Arabia and a number of other jurisdictions have passed DP laws similar to GDPR. 

Ibrahim Hasan said: 

Act Now’s reputation is growing in the UAE as a provider of practical training on all aspects of  data protection. With Suzanne’s appointment we will be able to service more clients through delivery of our flagship courses, such as the UAE DPO Certificate, as well as develop new courses tailored for the Middle East market and to help practitioners understand the latest trends and developments in data protection law in the UAE and the wider Middle East.”  

For the past five years, Act Now has been delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. We can also deliver customised in house training both remotely and face to face. Please get in touch to discuss your training or consultancy needs.   

Saudi Arabian Data Protection Law Update 

In September 2021, Saudi Arabia announced its first ever data protection law. The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H approving Resolution No. 98 dated 7/2/1443H (14th September 2021). PDPL will regulate the collection, handling, disclosure and use of personal data and includes governance and transparency obligations. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA). 

PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments for public consultation. On 21st March 2023, some of these amendments were passed by the Saudi Council of Ministers. PDPL will now officially come into force on 14th September 2023 and organisations will have till 13th September 2024 to comply. Much of the detail of the new law will be set out in the Executive Regulations which we are still waiting for, although a draft version was issued last year. 

The amendments to PDPL introduce several concepts that will align the new law more closely to the EU General Data Protection Regulation (GDPR) and the UK GDPR. These include: 

  • New Ground for Processing: Like the GDPR, Data Controllers may now rely on “legitimate interests” as a lawful basis to process personal data; this does not apply to sensitive personal data, or processing that contravenes the rights granted under PDPL and its executive regulations.  
     
  • Easier International Transfers: Like other data protection regimes, PDPL imposes limitations on the international transfer of personal data outside of the KSA. The strict prohibition on transfers outside Saudi Arabia has now been amended. Furthermore they no longer require approval from SDAIA. Data Controllers will need a specific purpose to transfer data outside the Kingdom and transfers appear to be limited to territories that SDAIA determines as having an appropriate level of protection for personal data, which will be further clarified once they issue evaluation criteria for this purpose. The pending executive regulations should set out exemptions from this condition.  
     
  • Removal of Controller Registration Requirements: The original law required Data Controllers to register on an electronic portal that would form a national record. This provision has now been removed. However, SDAIA has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers. 
  • Data Breach Notification Relaxed: Notifications of personal data breaches to SDAIA are no longer required “immediately.” However, controllers must now notify data subjects when a breach threatens personal data or contravenes the data subject’s rights or interests. The pending regulations are expected to provide additional specificity, such as particular dates for notifying data breaches and threshold requirements.  
     
  • Criminal Offences Reduced: The penalties for breaching PDPL will be a warning or a fine of up to SAR 5,000,000 (USD 1,333,000) that may be doubled for repeat offences. Criminal sanctions for violating the PDPL’s data transfer restrictions have been removed. There now remains only one criminal offence in relation to the disclosure or publication of sensitive personal data in violation of the law.  

Action Plan for Compliance 

Businesses established in Saudi Arabia, as well as those processing Saudi citizens’ personal data anywhere in the world, have sixteen months to prepare for PDPL. Considering that those covered by GDPR had four years, this is not a long time. Now is the time to put systems and processes in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.  

The following should be part of an action plan for compliance: 

  1. Raising awareness about PDPL at all levels. Our GDPR elearning course can be tailored for frontline staff. 
  1. Carrying out a data audit and reviewing how records management and information risk is addressed. 
  1. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification
  1. Revising privacy policies in the light of the more prescriptive transparency requirements.  
  1. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access. 
  1. Appointing and training a Data Protection Officer.  

The new KSA data protection law is an important development in Middle East privacy law alongside the passing of the new UAE Federal DP law.
These laws, being closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR, open up exciting job opportunities for UK and EU Data Protection professionals. A quick scan of jobs sites shows a growing number of prospects. 

Act Now in the Middle East 

Act Now Training can help your businesses prepare for PDPL. We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. We can also deliver customised in house training both remotely and face to face.
Please get in touch to discuss your training or consultancy needs.  

Our new Intermediate Certificate in GDPR Practice includes a module on worldwide data protection laws. 

Act Now in Dubai 

Last week the Act Now team returned from a trip to the United Arab Emirates to promote our Middle East training programme. It was a great opportunity to better understand the UAE privacy framework and the needs of businesses faced with the challenge of implementing new laws (as well as get some sun!) 

The Middle East is fast catching up with Europe when it comes to data protection law.
The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are a number of sector specific laws in the UAE which address personal privacy and data security.
Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws. 

Whilst in Dubai we met with a number of potential clients, consultancies and law firms specialising in data protection. It was a great opportunity to discuss the changing privacy landscape and how Act Now can assist in developing the understanding of the legislation and its practical implementation. We had some interesting discussions about the changing privacy attitudes around the world, the power of Big Tech and increasing use of AI. 

We also had meetings with data protection regulators in Dubai and Abu Dhabi. We were impressed by their commitment to educating businesses about the new laws and their practical advice to reduce the burden of implementation. They emphasised the importance of embedding a privacy culture in organisations and an understanding of the UAE laws as standalone privacy laws and not just “importing of GDPR”. A special thank you to Lori Baker at the DIFC and Sayid Madar at the ADGM for taking time out of their busy schedules to meet us.  

During our last trip to Dubai in 2018 there was very little awareness of data protection law amongst businesses and compliance seemed to be geared around GDPR. This time on our travels (and shopping trips) we certainly noticed a more serious attitude amongst larger businesses to try and get data protection right. We saw  privacy notices in most official forms, CCTV signs in malls and even a privacy notice recording when ringing our hotel.  

The introduction and/or revision of privacy law in the Middle East is an important development which further proves that data protection is a truly global issue.
Many organisations may need to appoint a Data Protection Officer as part of the new legal framework. Even where they do not need a DPO they will certainly need someone to drive forward compliance and liaise with regulators. This opens up opportunities for UK and EU Data Protection professionals especially as the new laws have some alignment with  the EU General Data Protection Regulation (GDPR)  and the  UK GDPR
 

These are exciting times for data protection professionals. For those seeking a fresh new challenge and the opportunity to spread the data protection message to new jurisdictions, now is the time to brush up on Middle East data protection laws. See photos of our trip below. Sun, sea and subject access awaits! 

The New UAE Federal Data Protection Law

The United Arab Emirates has enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) was published by the Cabinet Office on 27th November 2021 as part of a legal reform programme in advance of the UAE’s Golden Jubilee. The detailed Executive Regulations are expected to be published on 20th  March 2022 with the new law becoming fully enforceable six months later.

The UAE is no stranger to data protection laws. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 became enforceable in October 2020. However, it only applies companies under the jurisdiction of the DIFC as well as those processing personal data on their behalf.  In February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 with the same limited applicability.  There are also a number of other sector specific laws in the UAE which address personal privacy and data security. 

Applicability

PDPL applies to all organisations that are processing personal data in the UAE irrespective of whether the data relates to Data Subjects living in the UAE. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the UAE. PDPL does not apply to government data, government authorities that control or process personal data and personal data held by security and judicial authorities. Health data, credit data and banking data are also excluded as they are protected by other laws.

Key Provisions

PDPL is closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR. It mirrors their underlying principles of transparency and accountability and, like them, empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions. We have included links to previous GDPR blog posts useful for readers wanting more detail:

  • Lawful Bases – Article 4 states that personal data can only be processed with the consent of the Data Subject. Exceptions include, amongst others, if the processing is: necessary to execute a contract to which the Data Subject is a party; required to protect interests of the public; relates to data already in the public domain; necessary to comply with other laws. Interestingly, PDPL does not include “legitimate interests” as a lawful basis for processing, as is found in GDPR.
  • Consent – Where consent is used as the lawful basis for processing personal data, it should be obtained from Data Subjects in a specific, clear and unambiguous form and should be freely given through a clear affirmative statement or action (Article 6). Consent can be withdrawn at any time.
  • Rights – Data Subjects are granted various rights in Articles 14-18 of the PDPL which will be familiar to GDPR practitioners. These include  Subject AccessData Portability, rectification or erasure of personal data, restriction on processing, objection to automated decision making and the right to stop processing.
  • Data Protection Impact Assessments – Article 21 requires, what GDPR Practitioners call, “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 9 requires organisations to notify the regulator, as well as a Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Data Processors – PDPL imposes direct compliance obligations on Data Processors in Article 8 and obligations on Data Controllers when engaging them, similar to Article 28 of GDPR e.g. contracts.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 7 to “keep a register of Personal Data” similar to a Record of Processing Activities(ROPA) under GDPR.
  • International Transfers – Article 22  imposes limitations on the international transfer of personal data outside of the UAE.  Similar to the concept of the “adequacy” under the GDPR, the regulator is expected to approve certain countries as having “sufficient provisions, measures, controls, requirements and rules” for protecting privacy and confidentiality of personal data. Article 23 sets out exceptions although further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint a Data Protection Officer (DPO) in certain circumstances, set out in Article 10, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO can be an employee or an independent service provider and does not need to be located in the UAE. Articles 11 set out the responsibilities of the DPO and it is interesting to note that, just like under the GDPR, the PDPL gives the role protected status i.e. they cannot be dismissed for doing their job.

Enforcement 

PDPL will be enforced by the UAE’s Data Office. The Executive Regulations will set out the administrate penalties that can be imposed on organisations for breaches. They could mirror current laws, such as the DIFC DP Law, where the maximum fine for a breach is $100,000. Organisations may also be required to pay compensation directly to Data Subjects or be sued by them. Alongside other sanctions, GDPR allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. It will be interesting to see if PDPL follows GDPR.

Practical Steps

PDPL is likely to become fully enforceable by the end of September 2022. Organisations operating in the UAE need to assess the impact on their data processing activities. Systems and processes need to be put in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  • Training staff at all levels to understand PDPL at how it will impact on their role.
  • Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  • Reviewing how records management and information risk  is addressed within the organisation.
  • Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
  • Draft policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
  • Appointing and training a  Data Protection Officer.

Act Now Training, in collaboration with Middlesex University Dubai, is excited to announce the launch of the UAE’s first Data Protection Executive training programme. This qualification is ideal as a foundation for businesses and organisations aiming to comply with the UAE Federal Data Protection Law. More Information: https://actnowtraining.blog/2023/12/13/act-now-partners-with-middlesex-university-dubai-for-uaes-first-executive-certificate-in-dp-law/

The New Dubai (DIFC) Data Protection Law

Act Now Dubai Micro Site Banners1

1st of July 2020 is a key date in the development of global data protection law.
The  California Consumer Privacy Act  (CCPA)  became fully enforceable on this date following a six month grace period.  The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. It provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

1st July 2020 is also the date when a new data protection law also came into effect in Dubai, although it will not be enforced until 1st October 2020. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DPL2020) will regulate the collection, handling, disclosure and use of personal data and includes enhanced governance and transparency obligations. DPL2020 is closely aligned with the EU General Data Protection Regulation (GDPR) and replaces DIFC Law No. 1 of 2007.

Scope

DPL2020 is not a data protection law for the whole of the United Arab Emirates or even just the emirate Dubai. The UAE has several laws on covering data protection themes including cyber security but there isn’t yet one main national data protection law across the country. 

DPL 2020 mainly applies to businesses operating in the Dubai International Financial Centre (DIFC). This is the leading financial hub in the Middle East, Africa and South Asia region. The 110-acre DIFC district is located in the heart of Dubai where 2400 business are registered employing over 25000 professionals in, amongst others, the legal, financial, management and regulatory sectors. If a business is registered in the DIFC, or processes personal data within the DIFC as part of stable arrangements it is covered by the new law as well as any business which processes data on behalf of either of the above.

Key Provisions

Those who know about GDPR will find many familiar concepts and principles in DPL2020 including data protection principles, Data Subjects’ rights and obligations on Data Controllers and Data Processors. We set out below the notable provisions. We have included links to our blog posts explaining the similar provisions found in GDPR:

  • Records Management: Businesses will have to demonstrate compliance with DPL2020. This requires amongst other things, better record management.
  • Data Protection Impact AssessmentsThese will have to be undertaken in relation to any new High Risk Processing Activities”. This will involve assessing the impact of the proposed data processing operation on the risks to the rights of Data Subjects.
  • Privacy Notices: These will have to be updated to include more information including the legal basis for processing and the rights of Data Subjects.
  • Breach Notification: Businesses will have to notify the regulator if they suffer a personal data breach which compromises a Data Subject’s confidentiality, security or privacy. In the case of High Risk, the Data Subject must also be informed.
  • Data Processors: The new law imposes direct compliance obligations on Data Processors and also imposes mandatory contractual requirements.
  • Data Protection Officers: Some businesses will have to appoint a DPOdepending on whether they conduct High Risk Processing Activities.

Enforcement

Like GDPR, DPL2020 is enforced by a regulator; The Commissioner of Data Protection who has power, amongst other sanctions, to issue administrative fines for breaches.
The maximum fine is 100,000 US dollars. The DIFC Courts may also require a business to pay compensation directly to Data Subjects.

In addition, aggrieved Data Subjects but can sue for compensation which is not subject to a cap. The Commissioner can also bring a compensation claims on behalf of Data Subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim.

What Next?

Businesses in the DIFC have four months before DPL2020 is fully enforced. Considering that those covered by GDPR had four years, this is not a long period. Now is the time to put systems and processes in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.

The following should be part of an action plan for compliance:

  1. Raising awareness about DPL2020 at all levels. Our  GDPR e learning course  can be tailored for frontline staff.
  2. Carrying out a data audit and reviewing how records management and information risk  is addressed.
  3. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly  breach notification.
  4. Revising  privacy policies  in the light of the more prescriptive transparency requirements.
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as  Data Portability  and  Subject Access.
  6. Appointing and training a  Data Protection Officer.

Act Now Training can help your businesses prepare for DPL2020. We have an international reputation in delivering data protection law training  and consultancy.
In 2018 Ibrahim Hasan  travelled to Dubai to deliver a  GDPR workshop  for international businesses and their advisers based in the Middle East. A wide range of delegates attended including representatives of the telecommunications, legal and technology sectors.
We have also trained officials from the Government of Brunei on data protection audits.

Our GDPR Practitioner Certificate is ideal for new DPOs and is available as an online DIFC option. We can also deliver customised in house training both remotely and face to face. Please get in touch to discuss you training needs.

Act Now is pleased to announce that we have developed a training programme for those who need to learn about the new DIFC DP law. This includes a specific DIFC DPO Certificate, DIFC One Day Course and DIFC Foundation Certificate covering all the basic aspects of Information Governance.

Ibrahim Hasan will also be running the DPL2020 webinar in August where he will cover the most important aspects of the new legislation. The webinar is free for DIFC based businesses as well UK businesses doing trading in the UAE and their legal advisers. 

As data protection goes global, if you need a general awareness of the law and its implementation around the world we have a webinar in July.

 

Act Now Delivers GDPR Training In Dubai

WhatsApp Image 2018-06-28 at 18.57.11(1)

In June 2018 Ibrahim Hasan travelled to Dubai to deliver a GDPR workshop for international businesses and their advisers based in the Middle East. A wide range of delegates attended including representatives of the telecommunications, legal and technology sectors.

The General Data Protection Regulation (GDPR will not just have an impact on Data Controllers and Data Processors in the European Union (EU). It will also apply to organisations in the rest of world that are:

  • processing personal data of individuals living in the EU;
  • offering goods or services to individuals in the EU, even if there is no charge for such goods or services; or
  • engaging in monitoring or profiling activities of individuals in the EU (for example, the use of cookies/behavioural advertising).

Our Dubai workshop examined the legal and practical impact of GDPR on Middle East/GCC based organisations. All the key issues for Data Controllers as well as Data Processors were discussed including international transfers, contract clauses and guarantees, security and breach notification and when a Data Protection Officer needs to be appointed. Crucially we also discussed how GDPR is a business opportunity rather than a threat.

Questions from the floor included:

  • Application to subsidiaries
  • Practically dealing with the Right to Erasure
  • The overlap of GDPR with human rights
  • The link with local (UAE) laws
  • National security and GDPR
  • E mail disclosures
  • Insurance for GDPR breaches
  • Application to group companies outside the EU

The feedback from the delegates was excellent with many saying that the workshop gave them food for thought. The Act Now mugs and notebooks went down well too!

Dubai being Dubai, of course the hospitality extended by the hotel was par excellence.  At each refreshment break we were served what seemed to be a full meal! Check out the photos below:

Our thanks to the staff at Radisson Blu in Dubai Media City, particularly Amish the manager.

Ibrahim Hasan said:

“I was really pleased to design and deliver this workshop in Dubai. It adds to our growing experience of delivering data protection training abroad. I would like to thank my good friends the Hafiji family for hosting me during my stay and showing me the sights. It was an all round 5 star experience.” ***

Act Now Training is pleased to announce two more GDPR training workshops in Dubai (UAE). We can also deliver customized GDPR courses at clients’ premises.

 

 

 

(*** – M and A, it would have been six stars but you forgot the miniature shower gel!!)

GDPR Training Courses in Dubai

dubai-architecture-beach-boat-buildings-hotel-nature-ocean-peaceful-sand-sea

Act Now Training is pleased to announce three forthcoming GDPR training workshops in Dubai (UAE).

The General Data Protection Regulation (GDPR) will not just have an impact on Data Controllers and Data Processors in the European Union (EU). It will also apply to organisations in the rest of world that are:

  • processing personal data of individuals living in the EU;
  • offering goods or services to individuals in the EU, even if there is no charge for such goods or services; or
  • engaging in monitoring or profiling activities of individuals in the EU (for example, the use of cookies/behavioural advertising).

Failure to comply with GDPR could lead to massive reputational damage and a fine of up to 20 million Euros or 4% of global annual turnover (whichever is higher).

Our Dubai workshops will examine the legal and practical impact of GDPR on Middle East/GCC based organisations. All the key issues for Data Controllers as well as Data Processors will be discussed including international transfers, contract clauses and guarantees, security and breach notification and when a Data Protection Officer needs to be appointed. Crucially we will discuss how GDPR is a business opportunity rather than a threat. By the end of the workshop delegates will be able to write their own action plan for GDPR compliance.

Ibrahim Hasan, solicitor and Director of Act Now Training, will deliver the first two workshops in Dubai. He said:

“I am really pleased to design and deliver this new GDPR workshop in Dubai. It will add to our growing experience of delivering data protection training abroad. Dubai is the latest addition to our increasing international portfolio. We plan to use it as a platform to showcase our other GDPR courses and consultancy services.”

More details and a course outline here

Our 2018 course programme contains many more GDPR courses and live webinars which are held in locations throughout the UK. Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers.  If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally, we have sold over 350 copies of our GDPR handbook. We are donating £1 from each sale to the  DEC Rohingya Crisis Appeal.

Happy New Year!