DIFC Data Protection Law
Operationalize DIFC compliance with the most comprehensive PrivacyOps platform.
Download the book today!
The DIFC Data Protection Law, 2020 lays down regulations regarding the collection, disclosure and processing of personal data in the DIFC, a special economic zone in Dubai. It also gives rights to individuals whom the personal data relates to and provides power to the Commissioner of Data Protection to enforce the law, enact regulations and approve industry-wide Codes of Conduct.
The DIFC Data Protection Law takes reference from the best practice standards on data protections from international laws, and is consistent with EU regulations (GDPR) and OECD guidelines. It is designed to balance the legitimate needs of businesses and organizations to process personal information while upholding an individual’s right to privacy.
The solution
SECURITI.ai enables organizations to comply with the DIFC through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities, and AI-driven process automation.
SECURITI.ai supports enterprises in their journey toward compliance with the DIFC through automation, enhanced data visibility, and identity linking
See how our comprehensive PrivacyOps platform helps you comply with various sections of DIFC
Customize a data subject rights request portal for seamless customer care
With the DSR request format, create customized web forms according to your brand image and accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.
Automate data subject access request handling
DIFC Data Protection Law Article: Article 33(1)(a)(b)
The automation of the delivery and generation of secure data access reports will greatly reduce the risk of compliance violations and reduce the workforce required to comply with all the access requests.
Secure fulfillment of data access and port requests
DIFC Data Protection Law Articles: 33(1)(a)(b), 37, 40
The information is delivered through a secured centralized point to data subjects within 20 working days. It allows organizations to timely respond to an access request and provide information in a manner that it is readily retrieved.
Automate the processing of rectification requests
DIFC Data Protection Law Articles: 33(1)(c), 33(4)(5)(6), 36, 40
Fulfill data rectification requests, seamlessly, with the help of automated data subject verification workflows across all appearances of a data subject’s personal data.
Automate erasure requests
DIFC Data Protection Law Articles: 33(2), 33(3)(4)(6), 36, 40
Fulfill data subject’s’ erasure requests through automated and flexible workflows.
Automate objection and restriction of processing requests
DIFC Data Protection Law Articles: 34, 35, 36, 40
With the help of collaborative workflows, build a framework for objection and restriction of processing handling based on business requirements.
Continuous monitoring and tracking
DIFC Data Protection Law Articles: 14, 15
Keep track of risks against non-compliance to data subjects’ rights by continuously monitoring and scanning data.
Automate People Data Graph
DIFC Data Protection Law Articles: 14, 15, 19
Discover personal information stored across all your systems within the organization and link them back to a unique data subject. Also, allowing visualization of personal data sprawl and identifying compliance risks.
Meet cookie compliance
DIFC Data Protection Law Articles: 10(1)(a), 11(a), 12(1)(3)(4)(5), 32
Automatically scan the organization’s web properties and categorize tags and cookies. Also, build customizable cookie banners, collect consent and provide a preference center.
Monitor and track consent
DIFC Data Protection Law Article: 12(2)(9)
Track consent revocation of the data subjects to prevent the processing or transfer of data without their consent.
Assess DIFC readiness
DIFC Data Protection Law Articles: 9(2), 14, 15(1), 19
Measure your organization's posture against DIFC requirements with the help of our multi-regulation, collaborative, readiness and privacy impact assessment system. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance against DIFC requirements.
Manage vendor risk
DIFC Data Protection Law Articles: 24, 25, 28
Track, manage and monitor privacy and security readiness for all your service providers from a single interface. Collaborate instantly, automate data requests and manage all vendor contracts and compliance documents.
Breach Response Notification
DIFC Data Protection Law Articles: 41, 42
Automate compliance actions and breach notifications to concerned stakeholders with regards to security incidents by leveraging a knowledge database on security incident diagnosis and response.
Key data subject rights encoded within DIFC
Data subjects have the right to withdraw consent for the collection and processing of their personal information by a Controller at any time.
Data subjects have the right to request free-of-cost access to their personal information held by a Controller.
Data Subjects have a right to receive their data in a machine readable format and have it transferred from one Controller to another.
Data subjects have a right to know if their personal information has been collected, the categories of information collected, the purpose of collection and the intended recipients.
Data subjects have the right to request correction of their personal data.
A Controller cannot use personal data that was obtained in connection with one purpose for another purpose unless there exists an exception that allows it to do so and it must delete any personal information it does not require any further.
Data Subjects have the right to object against the processing of their personal data for any legitimate purpose, public interest purposes or automated profiling.
Data Subjects have the right to request the restriction of processing of their personal data.
Data Subjects have a right to be notified when personal data about them is being collected.
Quick facts about DIFC
1
The DIFC Data Protection law 2020 repeals
and replaces the Data Protection Law, 2007
2
This Law came into force on 1 July 2020.
3
This Law applies in the jurisdiction of the DIFC, a special economic zone set up in Dubai which is governed independently and has its own laws and regulations.
4
This law applies to processing of data by a Controller or Processor in the DIFC, regardless of whether the Processing takes place in the DIFC or not.
5
This Law is heavily inspired by the GDPR and aims to achieve an adequacy rating from the EU for transfers of personal data.
6
The DIFC was set up in Dubai to be an international financial hub within the Middle East.
