The State of UAE Data Protection

I would like to shed some light on the current state of the UAE data protection law, the obligations of organizations collecting and processing personal information and how we can help you achieve a greater level of compliance with the law.

UAE Federal decrees 44-45/2021 were published in late 2021 to establish the UAE Data Office and announce the new UAE Data Protection Law (DP Law). The DP Law came into force in January 2022 and is expected to be supplemented by executive regulations to provide additional details that would enable the implementation and enforcement of this law.

Personal Data

Personal data is any information that can identify a natural person
directly or indirectly.

Example of personal data:

Directly – Name, ID number, email address, IP address, CCTV footage.

Indirectly – Gender, birth date, license plate number, phone number.

The UAE Data Office, which is affiliated with the UAE cabinet and will be supported logistically and administratively by the Telecommunication and Digital Government Regulatory Authority (TDRA), will act as the federal data regulator of the UAE and will be responsible for:

• Preparing policies and legislation related to data protection
• Proposing and approving the standards for monitoring Personal Data Protection Law
• Preparing systems for complaints and grievances related to data
• Issuing guidelines and instructions for the implementation of the law

The UAE Data Protection Law is committed to protection of personal information by establishing the following key privacy principles when processing data:

The UAE DP Law aims to empower individuals (referred to as ‘Data Subjects’) and give them control over their personal data by granting them the following rights. The Data Subject Rights can however be superseded if there are other laws in place that stipulate keeping data available for a certain period of time (for example, personal details related to bank records).

• Right to delete personal data
• Right to object to automated decision making
• Right to correct personal data if inaccurate or incomplete
• Right of access to information related to their personal data processing
• Right to restrict or stop processing of their personal data

As of now, and since the executive regulation is not published yet, there are no timelines stipulated concerning the response and action of data subject rights requests.

How To Effectively Establish A Data Privacy Protection Program?

• Appoint a Data Protection Officer
• Inventory your personal data
• Notify and seek consent from your data subjects
• Protect personal data
• Respond to your data subject requests
• Notify authorities and data subject in case of breaches
• Communicate your data protection policies and processes

How Can We Help?

• Conduct a Gap Assessment
• Establish a Data Protection Governance Framework
• Establish Data Subject Rights and Consent Management Process
• Conduct Data Privacy Impact Assessment
• Establish Data Breach Management Process
• Conduct Data Protection Awareness

BE CYBERSMART. KEEP IT PRIVATE.

Follow these simple tips to keep your data private and safeز