Few countries define financial activity the way the United Arab Emirates does. It has been the tourism and financial hub of the Middle East for decades. The advent of the information age led the UAE to formulate legislation that protects users within its jurisdiction and affords equal protection to the organisations operating from the country.
This is also why certain free zones remain excluded from the Federal Decree-Law No. (45) of 2021 on Personal Data Protection (PDPL) even though it has come into force. These include the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), each of which has its own data protection law tailored to balance user privacy against the needs of business operations.
The Data Protection Regulations (DPR) 2021 is Abu Dhabi Global Market (ADGM)'s data protection regulation, enacted on 14 February 2021. For new entities incorporated on or after 14 February 2021, the ADGM DPR came into effect on 14 August 2021. For existing entities, it came into effect on 14 February 2022.
The territorial scope of this law is relatively simple and less complicated than that of most other data protection laws: any organisation that operates from inside ADGM or is registered with the ADGM Commissioner of Data Protection must comply with it if it processes personal data of any kind.
Where a data processor processes personal data on behalf of a data controller located outside ADGM, the data processor must comply with the requirements of the ADGM DPR to the extent possible, taking into account whether the data controller is subject to similar obligations under the laws of its home jurisdiction. The ADGM DPR protects the personal data of natural persons whatever their nationality or place of residence.
As for the kind of data covered, the law applies to any personal data processed wholly or partly by automated means.
However, this law does not extend to processing by public authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to national security. Nor does the ADGM DPR apply to processing by a natural person for purely personal or household activity.
Much like every other major data protection law globally, the ADGM DPR places certain obligations on data handlers (controllers, in the regulation's own terminology). Failure to meet these obligations can result in heavy fines or, in the most extreme cases, suspension of operations.
A data handler cannot process the personal data of data subjects without a lawful basis for doing so. The lawful bases for processing include the following:
The ADGM DPR sets a strict standard for consent: the data subject must, by a statement or by clear affirmative action (whether in writing, electronically, or orally), signify agreement to the processing of personal data relating to them.
Moreover, silence, pre-ticked boxes, or inactivity does not constitute consent under the ADGM DPR. Hence, where processing relies on consent, an unambiguous, affirmative indication of consent must be obtained before any data is collected from users.
Similarly, a data processor or data handler must make it as easy for a user to withdraw consent as it was to give it.
Additionally, explicit consent must be obtained before a data handler or data processor can process the following information, deemed Special Categories of Personal Data:
However, explicit consent is not required in the following circumstances:
Before a data handler can begin operations related to collecting or processing data, they are first required to register with the ADGM Commissioner of Data Protection's office. The data handler must fulfill all legal obligations to complete the registration.
The Commissioner of Data Protection must then provide the data handler with a written notification permitting it to proceed with its data processing activities, along with the documents setting out its responsibilities towards the Commissioner of Data Protection.
Lastly, the data handler must inform the Commissioner of Data Protection if they plan to cease their data processing activities, change their contact details, or appoint any third-party data processors.
A data handler that processes personal data is required to undertake the following security measures.
The data handler must implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful access and processing.
When choosing a third-party data processor, the data handler must ensure that the processor has appropriate technical and organisational security measures in place so that all data collected is afforded appropriate protection.
If a personal data breach occurs, the data handler must inform the Commissioner of Data Protection within 72 hours of becoming aware of it. Furthermore, if a third-party data processor is handling the data, the processor must notify the data handler of the breach without undue delay.
The data handler must then inform the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights. However, the data handler may be exempt from this requirement if:
A Data Protection Officer (DPO) must be appointed where the organisation's core activities, by virtue of their nature, scope and purposes, require regular and systematic monitoring of data subjects on a large scale. The DPO both oversees and advises the organisation on those activities.
The DPO does not need to be a full-time employee of the organisation or even based within ADGM. However, the appointment must satisfy the strict eligibility criteria set forth by the regulator, and the Commissioner of Data Protection must be informed of the appointment within one month of it being made.
Data handlers must carry out a data protection impact assessment before undertaking any processing that is likely to result in a high risk to data subjects' rights. Such assessments must be reviewed at regular intervals, and their findings must be reflected in the organisation's measures to mitigate the identified risks.
If an assessment reveals issues with an organisation's current practices, the regulator must be informed of these issues as well as the steps the organisation plans to take to remedy them.
Record-keeping is an extension of the data handler's registration requirements. A data handler must establish and maintain records of its personal data processing operations, or sets of such operations intended to serve a single purpose or several related purposes.
Moreover, the data handler must provide the Commissioner of Data Protection with access to these records whenever requested.
The ADGM DPR does allow cross-border transfers of personal data outside ADGM. A transfer may take place without further authorisation if the destination jurisdiction has been designated by the Commissioner of Data Protection as providing an adequate level of protection.
Data may also be transferred to jurisdictions that have not been deemed adequate by the Commissioner of Data Protection in the following circumstances:
Like every other major data protection law, the ADGM DPR guarantees all data subjects a set of rights, known as data subject rights. These include the following:
The Commissioner of Data Protection is the regulatory body responsible for enforcing the ADGM DPR. The Commissioner serves a term of four years, with two possible extensions, for a maximum of 12 years in office.
The powers accorded to the Commissioner of Data Protection include the following:
Any data handler or data processor that fails to comply with these regulations can be subject to fines of up to USD 28 million per offence.
The Commissioner of Data Protection is required to investigate each case and offence separately. If a party is found to have breached the regulations, a monetary fine may be imposed according to the Commissioner of Data Protection's evaluation, not exceeding USD 28 million.
A data handler or data processor that receives such a fine may apply to the courts for a review of the fine within three months of receiving the notice from the Commissioner of Data Protection.
Knowing the fundamentals of any data protection law is only half the solution. It is equally important to know how an organisation can build the proper foundations to ensure the law is fully operationalised in the way it functions. A few simple but effective ways to achieve that are the following:
Data protection and the right to privacy have become increasingly sensitive topics worldwide. This is reflected in the fact that more and more countries are enacting data protection laws that protect their residents and oblige organisations to adopt sound privacy practices in their operations.
However, the sheer volume of data involved and the differing laws in each country mean that the most reliable way to ensure compliance is through automation. While there is no shortage of software and services that claim to help organisations comply with global privacy regulations, few are able to deliver on these claims.
Securiti would be the exception to that, thanks to its market-leading, AI and machine learning-based set of tools that can help businesses of all sizes achieve privacy compliance. Securiti can help your business stay compliant with ADGM's DPR and other privacy and security regulations worldwide.
To see how it works, request a demo today.