Law Firm Fined For GDPR Breach: What Went Wrong? 

On 10th March the Information Commissioner’s Office (ICO) announced that it had fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.

The fine follows a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included Special Category Data. Clearly this was a personal data breach, not just because data was released on the dark web, but also because of the unavailability of personal data (through encryption by the attacker), which is also covered by the definition in Article 4 GDPR. Tuckers reported the breach to the ICO as well as affected individuals through various means including social media.

The ICO found that between 25th May 2018 (the date the GDPR came into force) and 25th August 2020 (the date on which Tuckers reported the personal data breach), Tuckers had contravened Article 5(1)(f) of the GDPR (the sixth Data Protection Principle, Security) as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO found its starting point for calculating the fine to be 3.25 per cent of Tuckers’ turnover for 30 June 2020. It could have been worse; the maximum for a breach of the Data Protection Principles is 4% of gross annual turnover.

In reaching its conclusions, the Commissioner gave consideration to Article 32 GDPR, which requires a Data Controller, when implementing appropriate security measures, to consider:

 “…the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

What does “state of the art” mean? In this case the ICO considered, in the context of “state of the art”, relevant industry standards of good practice including the ISO27000 series, the National Institute of Standards and Technology (“NIST”), the various guidance from the ICO itself, the National Cyber Security Centre (“NCSC”), the Solicitors Regulation Authority, Lexcel and NCSC Cyber Essentials.

The ICO concluded that there were a number of areas in which Tuckers had failed to comply with, and to demonstrate that it complied with, the Security Principle. Its technical and organisational measures were, over the relevant period, inadequate in the following respects:

Lack of Multi-Factor Authentication (“MFA”)

MFA is an authentication method that requires the user to provide two or more verification factors to gain access to an online resource. Rather than just asking for a username and password, MFA requires one or more additional verification factors (e.g. a code from a fob or text message), which decreases the likelihood of a successful cyber-attack. Tuckers had not used MFA on its remote access solution despite its own GDPR policy requiring it to be used where available.

Patch Management 

Tuckers told the ICO that part of the reason for the attack was the late application of a software patch to fix a vulnerability. In January 2020 this patch was rated as “critical” by the NCSC and others. However Tuckers only installed it 4 months later. 

Failure to Encrypt Personal data

The personal data stored on the archive server, that was subject to this attack, had not been encrypted. The ICO accepted that encryption may not have prevented the ransomware attack. However, it would have mitigated some of the risks the attack posed to the affected data subjects especially given the sensitive nature of the data.

Action Points 

Ransomware is on the rise. Organisations need to strengthen their defences and have plans in place, not just to prevent a cyber-attack but also for what to do when one does take place:

  1. Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials. The ICO noted that in October 2019, Tuckers was assessed against the Cyber Essentials criteria and found to have failed to meet crucial aspects. The fact that some 10 months later it had still not resolved this issue was, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.
  2. Make sure everyone in your organisation knows the risks of malware/ransomware and follows good security practice. Our GDPR Essentials e-learning solution contains a module on keeping data safe.
  3. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.

More useful advice can be found in the ICO’s guidance note on ransomware and DP compliance.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.


Leading Surveillance Law Expert Joins the Act Now Team

Act Now Training welcomes solicitor and surveillance law expert, Naomi Mathews, to its team of associates. Naomi is a Senior Solicitor and a co-ordinating officer for RIPA at a large local authority in the Midlands. She is also the authority’s Data Protection Officer and Senior Responsible Officer for CCTV.

Naomi has extensive experience in all areas of information compliance and has helped prepare for  RIPA inspections both for the Office of Surveillance Commissioners and Investigatory Powers Commissioner’s Office (IPCO). She has worked as a defence solicitor in private practice and as a prosecutor for the local authority in a range of regulatory matters including Trading Standards, Health and Safety and Environmental prosecutions. Naomi has higher rights of audience to present cases in the Crown Court.

Naomi has many years of practical knowledge of RIPA and how to prepare for a successful prosecution/inspection. Her training has been commended by RIPA inspectors and she has also trained nationally. Naomi’s advice has helped Authorising Officers, Senior Responsible Officers and applicants understand the law and practicalities of covert surveillance. 

Like our other associates, Susan Wolf and Kate Grimley Evans, Naomi is a fee paid member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction).

Ibrahim Hasan, director of Act Now Training, said:

“I am pleased that Naomi has joined our team. We are impressed with her experience of RIPA and her practical approach to training which focuses on real life scenarios as opposed to just the law and guidance.”

Naomi will be delivering our full range of RIPA workshops as well as developing new ones. She is also presenting a series of one hour webinars on RIPA and Social Media. If you would like Naomi to deliver customised in house training for your organisation, please get in touch for a quote.

The New Isle of Man GDPR Handbook

Act Now Training is pleased to announce the launch of the new Isle of Man GDPR Handbook. The handbook is designed for data protection practitioners and legal advisers who require a reference guide to the Isle of Man Data Protection regime. It has been published following the success of the Act Now UK GDPR and EU GDPR handbooks.

The IoM GDPR handbook sets out the full text of the EU GDPR as it applies to the Isle of Man (Applied GDPR) together with cross referenced recitals. Isle of Man specific amendments, insertions and deletions are clearly indicated to allow users to easily identify what has been changed from the original EU text. Relevant provisions of the Implementing Regulations have been included where they contribute to the further understanding of the Applied GDPR. Guidance from the Isle of Man Information Commissioner and the European Data Protection Board is also signposted to assist users when interpreting the legislation.

Ibrahim Hasan, the editor of the IoM GDPR Handbook, said:

“I am really pleased with the publication of the Isle of Man GDPR Handbook. We wanted to fulfil the need of data protection practitioners in the Isle of Man to have access to a clear and easy to follow publication to help them navigate their way around this complex legislation.”

Isle of Man delegates who book our new IoM GDPR Practitioner Certificate course will receive a complimentary copy of this handbook as part of their course materials. 

EARLY BIRD DISCOUNT

The RRP of the Isle of Man GDPR handbook is £54.99 (plus postage and packing). There is an early bird discount of 15% off the RRP until 3pm on 17th March 2022. Please quote the discount code “IoM15” when placing your order here. 

The Revised GDPR Immigration Exemption  


The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 came into force on 26th January 2022. It amends Schedule 2 of the DPA 2018 to include a revised “immigration exemption”. The exemption disapplies many data subject rights in the GDPR (now UK GDPR), such as subject access and the right to erasure, where personal data is processed for “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control”. 

The amendment follows the May 2021 Court of Appeal judgement, in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor (2021) EWCA Civ 800, where it was held that the immigration exemption, as it was originally drafted in the DPA 2018, was unlawful and incompatible with the EU GDPR (and now consequently the UK GDPR).

Article 23 of the EU GDPR allows Member States to create exemptions to restrict data subjects’ rights in certain circumstances (e.g. for the purposes of crime prevention). Such exemptions must respect the “essence of the fundamental rights and freedoms” and be “necessary and proportionate… in a democratic society”. Article 23(2) also includes a list of “specific provisions” that any legislative measure creating a restriction to data subjects’ rights must contain e.g. the purpose of the processing, the relevant categories of personal data, the scope of the restriction introduced and details of the accompanying safeguards. The Court of Appeal found that the immigration exemption, as originally drafted, did not contain any of these provisions; nor were they covered in any separate legally binding legislation.

The 2022 regulations amend the immigration exemption to make clear that it may only be relied on by the Secretary of State and only if the Secretary of State has in place an immigration exemption policy document. This is a document which explains the Secretary of State’s policies and processes for determining whether, and the extent to which, the exemption applies in any particular case, and for ensuring that any personal data covered by the exemption is not abused or accessed or transferred in a manner contrary to the UK GDPR. Additional safeguards are also added to the exemption to require the Secretary of State:

(a) to decide whether the immigration exemption applies on a case by case basis, and to have regard to the immigration exemption policy document when making such decisions;

(b) to keep a record of any decision that the immigration exemption applies and the reasons for that decision;

(c) to inform a data subject of any such decision, unless doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b) of Schedule 2 to the 2018 Act. 

Following the Court of Appeal judgement, questions now arise (though not specifically addressed by the court) about the legality of other GDPR exemptions set out in the DPA 2018. Many of them also appear not to have the “specific provisions” required under Article 23(2).  

Act Now’s UK GDPR Handbook has been updated to include the revised wording for the immigration exemption, as well as new guidance from the ICO and European Data Protection Board. This is now available to purchase although delegates on our forthcoming GDPR Practitioner Certificate course and Advanced Certificate in GDPR Practice course will receive a complimentary copy. 


Act Now in Dubai 

Last week the Act Now team returned from a trip to the United Arab Emirates to promote our Middle East training programme. It was a great opportunity to better understand the UAE privacy framework and the needs of businesses faced with the challenge of implementing new laws (as well as get some sun!) 

The Middle East is fast catching up with Europe when it comes to data protection law. The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are a number of sector specific laws in the UAE which address personal privacy and data security. Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws.

Whilst in Dubai we met with a number of potential clients, consultancies and law firms specialising in data protection. It was a great opportunity to discuss the changing privacy landscape and how Act Now can assist in developing the understanding of the legislation and its practical implementation. We had some interesting discussions about the changing privacy attitudes around the world, the power of Big Tech and increasing use of AI. 

We also had meetings with data protection regulators in Dubai and Abu Dhabi. We were impressed by their commitment to educating businesses about the new laws and their practical advice to reduce the burden of implementation. They emphasised the importance of embedding a privacy culture in organisations and an understanding of the UAE laws as standalone privacy laws and not just “importing of GDPR”. A special thank you to Lori Baker at the DIFC and Sayid Madar at the ADGM for taking time out of their busy schedules to meet us.  

During our last trip to Dubai in 2018 there was very little awareness of data protection law amongst businesses and compliance seemed to be geared around GDPR. This time on our travels (and shopping trips) we certainly noticed a more serious attitude amongst larger businesses to try and get data protection right. We saw privacy notices in most official forms, CCTV signs in malls and even a privacy notice recording when ringing our hotel.

The introduction and/or revision of privacy law in the Middle East is an important development which further proves that data protection is a truly global issue. Many organisations may need to appoint a Data Protection Officer as part of the new legal framework. Even where they do not need a DPO they will certainly need someone to drive forward compliance and liaise with regulators. This opens up opportunities for UK and EU Data Protection professionals especially as the new laws have some alignment with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

These are exciting times for data protection professionals. For those seeking a fresh new challenge and the opportunity to spread the data protection message to new jurisdictions, now is the time to brush up on Middle East data protection laws. See photos of our trip below. Sun, sea and subject access awaits! 

We Are Hiring!

Are you a surveillance law expert with a proven track record of delivering practical and engaging training on Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) and/or its Scottish equivalent (RIPSA)?

Due to an increased demand, Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external surveillance training courses throughout the UK and online. These range from one hour webinars to full day courses and aim to help local authority staff practically apply the legislation and prepare for Commissioner inspections.

With more courses planned for 2022, including some new ones, we need trainers who enjoy the challenge of explaining difficult concepts in a practical jargon-free way.

We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. You do not have to be a lawyer and indeed our current team includes an ex police officer and a data protection officer. What is important is that you have practical experience of working with surveillance legislation, have enthusiasm for the subject and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your RIPA/RIPSA knowledge and experience. A full privacy policy can be read on our website.

The New Saudi Arabian Federal Data Protection Law 

The Middle East is fast catching up with Europe when it comes to data protection law. The Kingdom of Saudi Arabia (KSA) has enacted its first comprehensive national data protection law to regulate the processing of personal data. This is an important development alongside the passing of the new UAE Federal DP law. It also opens up opportunities for UK and EU Data Protection professionals especially as these new laws are closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

The KSA Personal Data Protection Law (PDPL) was passed by Royal Decree M/19 of 9/2/1443H on 16 September 2021, approving Resolution No. 98 dated 7/2/1443H (14 September 2021). The detailed Executive Regulations are expected to be published soon and will give more details about the new law. It will be effective from 23rd March 2022 following which there will be a one year implementation period.

Enforcement 

PDPL will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA). The Executive Regulations will set out the administrative penalties that can be imposed on organisations for breaches. Expect large fines for non-compliance alongside other sanctions. PDPL could mirror the GDPR which allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. PDPL also contains criminal offences which carry a term of imprisonment up to 2 years and/or a fine of up to 3 million Saudi Riyals (approximately £566,000). Affected parties may also be able to claim compensation.

Territorial Scope

PDPL applies to all organisations that are processing personal data in the KSA irrespective of whether the data relates to Data Subjects living in the KSA. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the KSA. Interestingly, unlike the UAE Federal DP law, PDPL does not exempt government authorities from its application although there are various exemptions from certain obligations where the data processing relates to national security, crime detection, statutory purposes etc.

Notable Provisions

PDPL mirrors GDPR’s underlying principles of transparency and accountability and empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions including links to previous GDPR blog posts for readers wanting more detail, although more information about the finer points of the new law will be included in the forthcoming Executive Regulations. 

  • Personal Data – PDPL applies to the processing of personal data which is defined very broadly to include any data which identifies a living individual. However, unlike GDPR, Article 2 of PDPL includes within its scope, the data of a deceased person if it identifies them or a family member.
  • Registration – Article 23 requires Data Controllers (organisations that collect personal data and determine the purpose for which it is used and the method of processing) to register on an electronic portal that will form a national record of controllers.
  • Lawful Bases – Like the UAE Federal DP law, PDPL makes consent the primary legal basis for processing personal data. There are exceptions including, amongst others, if the processing achieves a “definite interest” of the Data Subject and it is impossible or difficult to contact the Data Subject.
  • Rights – Data Subjects are granted various rights in Articles 4, 5 and 7 of the PDPL which will be familiar to GDPR practitioners. These include the right to information (similar to Art 13 of GDPR), rectification, erasure and Subject Access. All these rights are subject to similar exemptions found in Article 23 of GDPR.
  • Impact Assessments – Article 22 requires (what GDPR Practitioners call) “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 20 requires organisations to notify the regulator, as well as Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 3 to keep records similar to a Record of Processing Activities (ROPA) under GDPR.
  • International Transfers – Like other data protection regimes PDPL imposes limitations on the international transfer of personal data outside of the KSA. There are exceptions; further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint at least one officer to be responsible for compliance with PDPL. The DPO can be an employee or an independent service provider and does not need to be located in the KSA. 
  • Training – After 23 March 2022, Data Controllers will be required to hold seminars for their employees to familiarise them with the new law.

Practical Steps

Organisations operating in the KSA, as well as those who are processing the personal data of KSA residents, need to assess the impact of PDPL on their data processing activities. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes. 
  2. Training staff at all levels to understand PDPL and how it will impact on their role.
  3. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  4. Reviewing how records management and information risk is addressed within the organisation.
  5. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  6. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
  7. Drafting policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
  8. Appointing and training a Data Protection Officer.

Act Now Training can help your organisation prepare for PDPL. We are running a webinar on this topic soon and can also deliver more detailed in house training. Please get in touch to discuss your training needs. We are in Dubai and Abu Dhabi from 16th to 21st January 2022 and would be happy to arrange a meeting.

The New UAE Federal Data Protection Law

The United Arab Emirates has enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) was published by the Cabinet Office on 27th November 2021 as part of a legal reform programme in advance of the UAE’s Golden Jubilee. The detailed Executive Regulations are expected to be published on 20th March 2022 with the new law becoming fully enforceable six months later.

The UAE is no stranger to data protection laws. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 became enforceable in October 2020. However, it only applies to companies under the jurisdiction of the DIFC as well as those processing personal data on their behalf. In February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 with the same limited applicability. There are also a number of other sector specific laws in the UAE which address personal privacy and data security.

Applicability

PDPL applies to all organisations that are processing personal data in the UAE irrespective of whether the data relates to Data Subjects living in the UAE. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the UAE. PDPL does not apply to government data, government authorities that control or process personal data and personal data held by security and judicial authorities. Health data, credit data and banking data are also excluded as they are protected by other laws.

Key Provisions

PDPL is closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR. It mirrors their underlying principles of transparency and accountability and, like them, empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions. We have included links to previous GDPR blog posts useful for readers wanting more detail:

  • Lawful Bases – Article 4 states that personal data can only be processed with the consent of the Data Subject. Exceptions include, amongst others, if the processing is: necessary to execute a contract to which the Data Subject is a party; required to protect interests of the public; relates to data already in the public domain; necessary to comply with other laws. Interestingly, PDPL does not include “legitimate interests” as a lawful basis for processing, as is found in GDPR.
  • Consent – Where consent is used as the lawful basis for processing personal data, it should be obtained from Data Subjects in a specific, clear and unambiguous form and should be freely given through a clear affirmative statement or action (Article 6). Consent can be withdrawn at any time.
  • Rights – Data Subjects are granted various rights in Articles 14-18 of the PDPL which will be familiar to GDPR practitioners. These include Subject Access, Data Portability, rectification or erasure of personal data, restriction on processing, objection to automated decision making and the right to stop processing.
  • Data Protection Impact Assessments – Article 21 requires, what GDPR Practitioners call, “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 9 requires organisations to notify the regulator, as well as Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Data Processors – PDPL imposes direct compliance obligations on Data Processors in Article 8 and obligations on Data Controllers when engaging them, similar to Article 28 of GDPR e.g. contracts.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 7 to “keep a register of Personal Data” similar to a Record of Processing Activities (ROPA) under GDPR.
  • International Transfers – Article 22 imposes limitations on the international transfer of personal data outside of the UAE. Similar to the concept of “adequacy” under the GDPR, the regulator is expected to approve certain countries as having “sufficient provisions, measures, controls, requirements and rules” for protecting privacy and confidentiality of personal data. Article 23 sets out exceptions although further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint a Data Protection Officer (DPO) in certain circumstances, set out in Article 10, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO can be an employee or an independent service provider and does not need to be located in the UAE. Article 11 sets out the responsibilities of the DPO and it is interesting to note that, just like under the GDPR, the PDPL gives the role protected status i.e. they cannot be dismissed for doing their job.

Enforcement 

PDPL will be enforced by the UAE’s Data Office. The Executive Regulations will set out the administrative penalties that can be imposed on organisations for breaches. They could mirror current laws, such as the DIFC DP Law, where the maximum fine for a breach is $100,000. Organisations may also be required to pay compensation directly to Data Subjects or be sued by them. Alongside other sanctions, GDPR allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. It will be interesting to see if PDPL follows GDPR.

Practical Steps

PDPL is likely to become fully enforceable by the end of September 2022. Organisations operating in the UAE need to assess the impact on their data processing activities. Systems and processes need to be put in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  • Training staff at all levels to understand PDPL and how it will impact on their role.
  • Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  • Reviewing how records management and information risk is addressed within the organisation.
  • Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
  • Drafting policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
  • Appointing and training a Data Protection Officer.

Act Now Training, in collaboration with Middlesex University Dubai, is excited to announce the launch of the UAE’s first Data Protection Executive training programme. This qualification is ideal as a foundation for businesses and organisations aiming to comply with the UAE Federal Data Protection Law. More Information: https://actnowtraining.blog/2023/12/13/act-now-partners-with-middlesex-university-dubai-for-uaes-first-executive-certificate-in-dp-law/