You need a DPO in the DIFC, here’s why

What is a DPO?

In the UAE, a Data Protection Officer (DPO) is responsible for making sure an organization processes, stores and handles data in compliance with DIFC’s data protection rules. 

Is a DPO necessary?

In short, yes. All data controllers and processors subject to the DIFC Data Protection Law need to clearly allocate responsibility for data protection compliance. 

Certain DIFC bodies such as the DIFC Authority, the DFSA, and the DIFC Courts must also appoint a DPO. Similarly, it is necessary for data controllers and processors who perform certain ‘high-risk’ personal data processing activities to have a DPO. You can also appoint a DPO even if you’re not strictly required to do so.

What is a high-risk personal data processing activity?

These include (but are not limited to): 

• Data processing using innovative technologies that may increase the risk to security or data subject rights.
• If processing a considerable amount of personal data may result in the subject being put at risk.
• If systematic evaluation might have legal implications or significantly affect the person or people in question. 
• If a large amount of ‘special categories’ of personal data (e.g. concerning racial or ethnic origin, religious beliefs, criminal record etc.) is to be processed.

What does a DPO do?

• Monitors compliance with the DIFC Data Protection Law.
• Advises employees on data protection considerations and impact assessments, as well as ensuring they remain complaint.
• Works with the Commissioner of Data Protection and acts as a point of contact between them and the company. 
• Acts as a contact point for data subjects who wish to exercise their rights in accordance with the DIFC Data Protection Law.

What does a DPO need to know?

• They need to be familiar with the DIFC Data Protection Law, and ensure compliance with all its requirements.
• They need to act independently and under their own authority, with enough resources available to them to be able to act effectively and objectively. 
• A DPO needs to have timely and unrestricted access to information within the data controller or processor, and to have direct access to senior management. 

Who can (and cannot) act as a DPO?

A DPO can be a direct employee of a data controller or processor, or work within their corporate group. They could also be a third-party service provider.

If an individual acts as a DPO to a corporate group, they can be based outside the UAE, but if that’s not the case, DPOs need to be UAE residents. If a corporate third-party service provider acts as a DPO, they need to be licensed to operate in the UAE.