The UAE is to introduce a new Data Protection Law, the first federal law of its kind in the region. The new Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic, and social development of the UAE for the next 50 years. The announcement comes a year after the Dubai International Financial Centre (DIFC) brought in Data Protection Law No 5, so the DIFC is ahead of the UAE on this. The aim of both is broadly the same: to simplify data transfer between different countries, notably Europe.
The new data law has been drafted in partnership with major technology companies, who are obvious beneficiaries. It explains why Computer Weekly has covered this story in some detail. They explain how the idea behind the data laws is to ease international data transfers by aligning organisations that handle data within the DIFC or, going forward, the UAE, with Europe’s GDPR, so minimising the need for individual organisations to put in place specific transfer mechanisms, such as standard contractual clauses, dealing with data exchange. The rules are enforced by a regulator, the commissioner of data protection, who has the power to impose sanctions, including big fines. On top of that there’s the risk of having to pay uncapped compensation directly to data subjects.
The UAE’s Data Law is important as a path to ‘adequacy’ decisions from other regulators both in the UAE’s financial freezones and globally. So, in order to make it easier for global organisations, Data Protection Commissioners can examine the laws in other countries to determine if those other countries have adequate levels of data protection. So for example, the effect of an adequacy decision by the EU Commissioner is that personal data can flow from the EU to the other country without further safeguards, just as if the transfer were within the EU. In contrast, where adequacy has not been found, further safeguards must be used. So, it’s easy to see the business drivers for these new data laws.
So let’s hear more about this. Ruth Stephen joined me by video-link from Dubai to discuss the issues. I asked her first about the DIFC’s data law which came in last year:
Ruth Stephen: “So, last year, the DIFC had an overhaul of its data privacy laws and this meant a lot for businesses all over the DIFC, particularly international businesses where they’re transferring personal data between jurisdictions. For employers it’s had quite a significant effect because it has given their employees enhanced rights in relation to their personal data. For example, the right to be forgotten, the right to have their data rectified, subject access requests, a whole raft of new obligations that employers have had to consider.”
Joe Glavina: “So in September we saw that announcement about a new UAE-wide law which is on its way, a federal law. Tell me about that.”
Ruth Stephen: “Yes, so the federal law which applies to the mainland jurisdiction, so outside of the DIFC and the free zones, that’s an overarching law in relation to data privacy that we know is on the horizon, there’s a draft law in circulation. Given the approaches to data privacy that other countries in the GCC have taken it’s anticipated that the law will, to a large extent, be aligned with GDPR which, of course, is married up with data privacy laws in the DIFC. So the reason and the rationale for this is to make business work better for business but also for individuals to have clarity, and certainty, and safety, as to how their personal data is being used and who has access to it.”
Joe Glavina: “So, can I turn to the action points around compliance? I suppose you’ve been advising on this?”
Ruth Stephen: “Definitely. So something that employers need to do is that they have to consider the legal basis for processing employee data. So what we recommend is that employers take a step back and look at what types of data they’re processing, by way of an audit, so that they can then really make sure that their lawful reasons for transferring and processing this data are up to date because sometimes there’s just been a historic reason put in place under the privacy policy and that may be outdated in line with how the business has grown or developed over time. Equally, something that we’re helping our clients with now at the moment, is for them to consider how they are going to obtain employee consent to transferring and processing their personal data, assuming that as the lawful basis for which they’re processing that data, because the data Commissioner in the DIFC is calling on employers to rethink the reasons for which they have the lawful grounds, particularly where it has, historically, been requested that consent is obtained in the terms of the employment contract because when an employee is presented with an employment contract it is impossible that they’re going to renegotiate the terms of their contract and then it’s debatable as to whether their consent has been freely given when it’s tied up in the terms of their employment.”
Joe Glavina: “Final question, Ruth. What if employers get this wrong and they face enforcement action?”
Ruth Stephen: “So we’re actually yet to see the ramifications but undoubtedly the commissioner has far reaching powers and reputational harm is actually one of the big risks to businesses. I mean, for these businesses, you know, obviously the financial penalties are immediate and hit them hard, but the reputational harm in terms of whether their stakeholders, their employees, their competitors, for example, these might be far reaching and long term penalties and deterrents for companies to ensure compliance with the data privacy laws.”
Apart from data protection, last week Ruth talked to this programme about changes to the DIFC’s employment laws designed to simplify and clarify working arrangements, including home-working during the pandemic. That programme is called ‘DIFC enacts changes to its employment laws’ and is available for viewing now from the Outlaw website.