ADGM Data Protection Regulations – what businesses need to know

New data protection law in the UAE

The Abu Dhabi Global Market (ADGM) financial free zone has enacted its Data Protection Regulations 2021 (DPR), with effect from 11 February 2021. The ADGM has followed a similar approach to the UAE’s other specialist financial free zone, the Dubai International Financial Centre (DIFC), in replacing its existing data protection law with a new law, adopting many of the new data protection norms created by the European General Data Protection Regulation (GDPR). The DIFC enacted its new data protection law, Law No 5 of 2020 (DPL), with effect from 1 July 2020.

Both the DPL and DPR are based around concepts which are very similar or analogous to those found in the GDPR, such as “personal data”, “controller”, “processor”, “data subject” etc.

The DPR materially increases the data protection compliance requirements incumbent upon ADGM businesses, as well as introducing the potential for very large fines – up to USD 28,000,000 - to be issued for breach.

Who is affected?

• Any authority, body corporate, branch, representative office, institution, entity, or project established, registered or licensed to operate or conduct any activity within the ADGM or exempt from being registered or licensed under the laws of the ADGM (ADGM Entity).
• Any person who processes personal data on behalf of an ADGM Entity. Typical examples of processors include cloud service providers, outsourced business service providers, travel agents, marketing agents, employment service providers etc.

What are the key obligations?

• Personal data must be processed only in accordance with a lawful basis and only in a manner consistent with the purposes for which it was collected. It must not be kept in a form which permits the data subject to be identified for longer than necessary.
• Personal data must be kept secure and appropriate technical and organisational measures must be implemented.
• Data controllers must provide sufficient, transparent information to data subjects so that the data subjects are informed as to the purpose and other features of the processing of their personal data.
• Data controllers must comply with requests by data subjects to exercise their rights, such as the right to access the personal data, the right to correct personal data, the right (in certain circumstances) to have personal data deleted, the right to restrict and object to processing (in certain circumstances), the right to have a copy of the personal data transferred to another controller (in certain circumstances), the right to object to certain automated decision making.
• Controllers must complete an annual notification to the ADGM Commissioner of Data Protection and pay an annual data protection fee.
• Controllers must ensure that their processors are subject to suitable written contract terms to ensure processing complies with the DPR.
• Controllers must keep a record of processing activities.
• Controllers may need to appoint a data protection officer.
• In certain circumstances, controllers will need to complete a data protection impact assessment.
• Data controllers must be able to demonstrate compliance with the DPR.

“International” transfers

Any transfer of personal data for processing outside the ADGM must comply with the DPR. As many business services are increasingly provided remotely, most ADGM Entities are likely to conduct a number of such transfers. Intra-company personal data transfers (for example, from an ADGM branch office to a European headquarters) will also be international transfers which must comply with the DPR.

Certain jurisdictions are considered to have adequate legal regimes to protect personal data. Personal data can be transferred to those jurisdictions without the need to take further specific steps to comply with the DPR. ADGM Entities should be aware that the UAE is not considered to be an adequate jurisdiction.

A transfer to a jurisdiction other than a jurisdiction considered adequate can only be lawfully performed if appropriate safeguards are implemented (as described in the DPR) or certain other specific derogations apply.

Breach notification

Where controllers suffer a personal data breach, they need to inform the ADGM Commissioner of Data Protection. If the breach is likely to result in a high risk to the data subjects, the controller may also need to notify the data subjects directly.

What are the consequences of violating the law?

The Commissioner of Data Protection has the power to issue and publish directions, order certain activities to be undertaken or ceased and to issue fines, to entities which violate the law. The maximum level of any fine under the DPR has been set at USD 28,000,000, which is clearly a noteworthy amount.

The consequences of violation are not just limited to the potentially steep direct regulatory costs. In addition, a business suffering a data breach or a public reprimand is likely to experience:

• Potential direct damages payable to data subjects (in addition to regulatory fines)
• Damage to reputation in the marketplace, including amongst clients and industry partners
• Business interruption and impact on management time
• Increased costs of ongoing compliance, including dealing with increased regulatory scrutiny, such as audits
• Third party costs to respond to breaches, such as cybersecurity consultants and legal consultants as well as potential hardware costs (if, for example, a malicious cyber breach renders drives or servers inaccessible or corrupted)

What should businesses do?

A holistic data protection compliance programme includes:

• Data mapping and internal process mapping (various business units typically handle personal data, including sales, HR, marketing, customer relations, IT, administrative units, legal, finance etc.)
• Internal policy and control documentation
• External information documents and appropriate contractual terms
• Administrative controls to ensure obligations such as annual notification obligations are complied with
• Staff training
• Supplier due diligence and documentation
• Cybersecurity review, monitoring and implementation

It is appropriate for organisations to take a risk-based approach, in light of the extent and nature of their data processing activities, however organisations that are best placed to deal with the demands of data protection regulation are those which successfully embed a culture of data protection throughout the organisation. Relying on discrete business units, such as Legal, to drive compliance without the buy-in of all stakeholders will not deliver the best risk mitigation.

How we can help

CMS has a team of data protection specialists in the UAE who can advise clients on a range of aspects including data due diligence, development of policy and contractual documentation, training, regulatory analysis, dealing with data subject requests and complaints and more.

We are able to advise on small, discrete tasks, to provide packages of documentation, or on full compliance programmes including data mapping and staff training, tailored to fit your organisation. Please contact us to talk.