You need a DPO in the DIFC, here’s why

What is a DPO?

In the UAE, a Data Protection Officer (DPO) is responsible for making sure an organization processes, stores and handles data in compliance with DIFC’s data protection rules. DPOs oversee data protection operations.
By data, what is meant in this instance is the personal data of staff, customers, providers and any other third parties or individuals connected with the company in any way.

Do you have to have a DPO?

If your company holds, controls, or processes data, and is subject to the DIFC Data Protection Law, you have to appoint a DPO to remain compliant. 

Certain Dubai International Financial Centre (DIFC) bodies – including but not limited to the DIFC Authority, the Dubai Financial Services Authority (DFSA), and the DIFC Courts – must appoint a DPO. 

Similarly, data controllers and processors who perform certain ‘high-risk’ personal data processing activities must also appoint a DPO. 

The Commissioner of Data Protection can also require data controllers and processors who do not fall within this jurisdiction, to appoint a DPO. If notified of this, they have to submit an annual assessment of the company’s data processing activities to the Commissioner.

What is a high-risk personal data processing activity?

They include (but are not limited to): 

• Data processing that uses innovative technologies or methods that present a material increase in risk to security or to data subject rights.
• If a considerable amount of personal data is being processed and the processing is likely to result in a high risk to the data subject (e.g. due to the sensitivity of the data, or risks relating to security, integrity, or privacy of the data).
• If systematic and extensive evaluation, based on automated processing, might have legal implications or significantly affect the person or people in question. 
• If a material amount of ‘special categories’ of personal data (e.g. personal data revealing or concerning racial or ethnic origin, communal origin, political views, religious beliefs, criminal record, trade union membership, and health or sex life) is to be processed.

Please note that all data controllers and processors subject to the DIFC Data Protection Law need to clearly allocate responsibility for data protection compliance. You can also appoint a DPO even if you’re not strictly required to do so.

What does a DPO do?

• Monitor compliance with the DIFC Data Protection Law, and any policies relating to the protection of personal data.
• Advise relevant employees about what they need to do to become – and remain – compliant with the DIFC.
• Advise relevant employees on broader data protection considerations and data protection impact assessments.
• Work with the Commissioner of Data Protection and act as a point of contact between them and the company. 
• Take action in response to the Commissioner’s findings, recommendations, and directives.
• Act as a contact point for data subjects who wish to exercise their rights in accordance with the DIFC Data Protection Law.

What does a DPO need to know?

• They need to be familiar with the DIFC Data Protection Law, and ensure that the data controller or data processor complies with all its requirements, without fail. 
• They need to act independently and under their own authority, with enough resources available to them to be able to act effectively, objectively and independently. 
• A DPO needs to have timely and unrestricted access to information within the data controller or data processor to perform the duties of the DPO, and to have direct access to senior management. A DPO can perform other roles within a data controller or data processor, and for many organizations it would not be uncommon for the DPO role to be filled by a legal or compliance specialist, or an HR specialist, depending on the size and nature of the organization.

Who can (and cannot) act as a DPO?

A DPO can be a direct employee of a data controller or data processor, or work within their corporate group. They could also be a third-party service provider.

If an individual acts as a DPO to a corporate group, they can be based outside the UAE, but if that’s not the case, DPOs need to be UAE residents. If a corporate third-party service provider acts as a DPO, they need to be licensed to operate in the UAE.