IDC Names Securiti a Worldwide Leader in Data PrivacyView
On 28 November 2021, the UAE passed the Federal Decree-Law No. 45 of 2021, better known as the Personal Data Protection Law (PDPL). It follows several other countries around the globe in coming up with concrete legislation that protects the data of all residents within its jurisdiction.
Naturally, the new law has drawn several comparisons with the EU's General Data Protection Law (GDPR), considered by many to be the most thorough piece of legislation done on the subject of data privacy and data protection. Unsurprisingly, there are numerous similarities between the two laws, along with some notable differences.
Understanding these similarities and differences can help companies and data handlers achieve data compliance for both laws and gain a competitive advantage over the rest of their competition in both regions. Additionally, it can also be a helpful exercise in assessing how and in which areas they need to amend their data processing practices to remain compliant with both laws.
Data privacy and protection have become an essential cornerstone of any company's ability to maintain the trust of its users. As users become increasingly aware and educated about what their rights are and the responsibilities of data handlers towards them, it is imperative that organisations understand where they stand.
The most natural step to start off with is to ensure whether a company needs to comply with the new UAE data protection laws and how it compares to compliance needs as per the GDPR.
As per the new UAE PDPL, any company registered in the UAE that collects or processes the data of UAE residents is subject to this new legislation. Additionally, any company not registered in the UAE but processing the data is also subject to this legislation.
Some notable exemptions exist for government data, public entities' data, health and credit data subject to their own dedicated legislation. Moreover, companies established in the free zones of Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are subject to their own data protection laws and exempt from the PDPL.
The GDPR deals with the scope and who needs to comply with it in a simpler way. Whether in the EU or outside, any company that collects data on EU residents has to comply with the legislation's provisions.
Additionally, there are provisions in the GDPR where if your product is being sold to customers in the EU or is accessible to them, you would need to comply with the GDPR. For example, if a company has an app on the App Store that is not available in the US but not the EU, they are exempt from complying with the GDPR. However, if the same app is available on a website that is available worldwide, the company would need to be GDPR compliant since EU residents can access the company's app. Interestingly, if a company's product or service is available in the EU currency or only offers to ship to the EU, it would still need to be GDPR compliant.
While the GDPR and the PDPL differ in some areas, they are on the same page when it comes to providing all users with several rights over their data. Here are all the rights that are guaranteed under both the GDPR and PDPL:
Here’s how the UAE’s PDPL interprets Data Subjects’ rights:
The GDPR remains the gold standard when it comes to data protection regulations around the world. Expectedly, it has an expansive set of rights for data subjects. The most prominent of which include:
This is undoubtedly the biggest difference between the PDPL and the GDPR. While the GDPR takes a much more standardized approach where anyone in breach of the law would not know what penalties to expect, the UAE law approaches penalties on a case-by-case basis:
The UAE's data protection law does not have any standardized penalties in place for websites and companies found in non-compliance as of yet. There will be further executive regulation carried out to set penalties after the law is implemented in January 2022.
Until such regulation is done, the courts and the UAE Data Office will oversee each case of non-compliance separately and decide the appropriate punishment in each case.
The GDPR is incredibly strict when penalizing companies and websites found to be in non-compliance with any of the law's provisions.
Under GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company's annual global turnover - whichever amount is higher.
A controller must, before processing a data subject’s personal data, provide the data subject with the purposes for the personal data processing, any third parties that the personal data will be shared with and the protection measures put in place to cover any cross-border data transfers.
The UAE’s PDPL legislation mandates all data handlers to be transparent about their data collection activities with the data subjects. This includes detailed information about what data is being collected, why it’s being collected, how the data collected is used, whether the collected data is shared or sold to another party, whom to contact if the data subjects wishes to request access, alteration or deletion of their data, and how the collected data is protected
Data collected on data subjects is an incredibly vital asset for any data handler. In some instances, this data may need to be transferred to another country for protection or any other reason. In such a scenario, this what both the legislations have to say on the matter:
Transfers of data outside the UAE’s jurisdiction is allowed, provided the country where the data is to be transferred has an “adequate level of protection”. This means the country having some form of data protection legislation of its own or a country that has some sort of bilateral data protection agreement signed with the UAE. Even so, transfer of data can only occur if the following conditions are met:
The GDPR is unique in this particular case as it does not mention any jurisdiction outside the EU. Hence, the transfer of data to a country outside the EU jurisdiction is not overtly addressed. However, there are some strict criteria that need to be met as judged by the Information Commissioner's Office.
Some of these criteria include:
The GDPR and PDPL legislation mean that companies must rethink and strategize their data collection mechanisms. These legislations put the users' right to privacy above all else, including user experience. This can be particularly challenging for companies for whom data processing is vital to their ability to offer better products and services.
However, thanks to its PrivacyOps framework that consists of several machine learning and artificial intelligence-powered tools, Security can help companies of varying sizes achieve data compliance swiftly and effectively. To see Securiti's tools in action and how they can help you comply with both the GDPR and PDPL, request a demo today.
See how easy it is to manage privacy compliance with robotic automation.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.