The New Dubai (DIFC) Data Protection Law

Act Now Dubai Micro Site Banners1

1st of July 2020 is a key date in the development of global data protection law.
The  California Consumer Privacy Act  (CCPA)  became fully enforceable on this date following a six month grace period.  The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. It provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

1st July 2020 is also the date when a new data protection law also came into effect in Dubai, although it will not be enforced until 1st October 2020. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DPL2020) will regulate the collection, handling, disclosure and use of personal data and includes enhanced governance and transparency obligations. DPL2020 is closely aligned with the EU General Data Protection Regulation (GDPR) and replaces DIFC Law No. 1 of 2007.


DPL2020 is not a data protection law for the whole of the United Arab Emirates or even just the emirate Dubai. The UAE has several laws on covering data protection themes including cyber security but there isn’t yet one main national data protection law across the country. 

DPL 2020 mainly applies to businesses operating in the Dubai International Financial Centre (DIFC). This is the leading financial hub in the Middle East, Africa and South Asia region. The 110-acre DIFC district is located in the heart of Dubai where 2400 business are registered employing over 25000 professionals in, amongst others, the legal, financial, management and regulatory sectors. If a business is registered in the DIFC, or processes personal data within the DIFC as part of stable arrangements it is covered by the new law as well as any business which processes data on behalf of either of the above.

Key Provisions

Those who know about GDPR will find many familiar concepts and principles in DPL2020 including data protection principles, Data Subjects’ rights and obligations on Data Controllers and Data Processors. We set out below the notable provisions. We have included links to our blog posts explaining the similar provisions found in GDPR:

  • Records Management: Businesses will have to demonstrate compliance with DPL2020. This requires amongst other things, better record management.
  • Data Protection Impact AssessmentsThese will have to be undertaken in relation to any new High Risk Processing Activities”. This will involve assessing the impact of the proposed data processing operation on the risks to the rights of Data Subjects.
  • Privacy Notices: These will have to be updated to include more information including the legal basis for processing and the rights of Data Subjects.
  • Breach Notification: Businesses will have to notify the regulator if they suffer a personal data breach which compromises a Data Subject’s confidentiality, security or privacy. In the case of High Risk, the Data Subject must also be informed.
  • Data Processors: The new law imposes direct compliance obligations on Data Processors and also imposes mandatory contractual requirements.
  • Data Protection Officers: Some businesses will have to appoint a DPOdepending on whether they conduct High Risk Processing Activities.


Like GDPR, DPL2020 is enforced by a regulator; The Commissioner of Data Protection who has power, amongst other sanctions, to issue administrative fines for breaches.
The maximum fine is 100,000 US dollars. The DIFC Courts may also require a business to pay compensation directly to Data Subjects.

In addition, aggrieved Data Subjects but can sue for compensation which is not subject to a cap. The Commissioner can also bring a compensation claims on behalf of Data Subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim.

What Next?

Businesses in the DIFC have four months before DPL2020 is fully enforced. Considering that those covered by GDPR had four years, this is not a long period. Now is the time to put systems and processes in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.

The following should be part of an action plan for compliance:

  1. Raising awareness about DPL2020 at all levels. Our  GDPR e learning course  can be tailored for frontline staff.
  2. Carrying out a data audit and reviewing how records management and information risk  is addressed.
  3. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly  breach notification.
  4. Revising  privacy policies  in the light of the more prescriptive transparency requirements.
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as  Data Portability  and  Subject Access.
  6. Appointing and training a  Data Protection Officer.

Act Now Training can help your businesses prepare for DPL2020. We have an international reputation in delivering data protection law training  and consultancy.
In 2018 Ibrahim Hasan  travelled to Dubai to deliver a  GDPR workshop  for international businesses and their advisers based in the Middle East. A wide range of delegates attended including representatives of the telecommunications, legal and technology sectors.
We have also trained officials from the Government of Brunei on data protection audits.

Our GDPR Practitioner Certificate is ideal for new DPOs and is available as an online DIFC option. We can also deliver customised in house training both remotely and face to face. Please get in touch to discuss you training needs.

Act Now is pleased to announce that we have developed a training programme for those who need to learn about the new DIFC DP law. This includes a specific DIFC DPO Certificate, DIFC One Day Course and DIFC Foundation Certificate covering all the basic aspects of Information Governance.

Ibrahim Hasan will also be running the DPL2020 webinar in August where he will cover the most important aspects of the new legislation. The webinar is free for DIFC based businesses as well UK businesses doing trading in the UAE and their legal advisers. 

As data protection goes global, if you need a general awareness of the law and its implementation around the world we have a webinar in July.


Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

2 thoughts on “The New Dubai (DIFC) Data Protection Law”

Leave a Reply

%d bloggers like this: