DIFC (LAW NO. 5 OF 2020) Execution Approach: Six steps to comply with DPL
The Data Protection Law (DIFC Law No. 5 of 2020) is the key legislation governing data protection in the Dubai International Financial Centre (DIFC), a financial free zone in Dubai, UAE. It came into force on July 1, 2020, and became enforceable from October 1, 2020. This law was introduced to align the DIFC's data protection standards with international best practices, particularly drawing from the EU's General Data Protection Regulation (GDPR).
Conduct PIA/DPIA/TIA (Risk Assessments)
Organizations should perform Privacy Impact Assessments (PIA), Data Protection Impact Assessments (DPIA), and Transfer Impact Assessments (TIA) to identify applications and business processes handling Personally Identifiable Information (PII). These assessments ensure compliance with data-sharing requirements, particularly for data transferred outside the UAE.
Law - Article 19, 20, 21, 22, 28 & 29
Regulation - 2, 4 & 10
Ardent Solution: The TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. Conducting DPIAs and TIAs enhances privacy practices, ensures compliance with the Dubai DPL and applicable privacy laws, and protects sensitive information.
Discover PII (Personal Data Bill of Materials)
To maintain a structured data governance approach, organizations must:
- Conduct data discovery and data mapping
- Build a Data Bill of Materials (DBoM)
- Maintain a Record of Processing Activities (RoPA)
Regular audits and reviews should be conducted to evaluate compliance and data security.
Law - Article 15, 41, 52
Regulation - 2
Ardent Solution: Our innovative and patented technology "TurtleShield DD (Data Discovery)" addresses these challenges by discovering hard-to-find datasets at scale, enabling quick actions, and reducing compliance costs. It locates and categorizes data based on regulatory requirements in the DPL, ensuring companies maintain compliance, secure sensitive information, and minimize data breach risks.
Implement Data Subject Rights Management
Organizations should establish a secure portal that enables Data Subjects to exercise their rights, such as:
- Right to Receive Information
- Right to Request Transfer of Personal Data
- Right to Stop Processing
Privacy teams must be equipped to manage and fulfill these requests efficiently using data discovery modules.
Law - Article 32, 33, 34, 35, 36, 37, 38, 39 & 40
Regulation - 9 & 10
Ardent Solution: TurtleShield DSAR streamlines the Data Subject Access Request (DSAR) process, ensuring efficient compliance with the DPL. It offers a centralized portal for intake, automated data discovery, and secure response delivery.
Establish a Centralized Consent Management System
A centralized system should be implemented to manage:
- Consent collection, storage, and withdrawal
- Privacy notice and preference management (including digital marketing consent) for Data Subjects
Law - Article 12, 32, 34
Regulation - 9
Ardent Solution: TurtleShield CM (Consent Management) automates required user privacy notices, the gathering and management of consent/opt-out privacy preferences, and the operational honoring of preferences by both internal and downstream third-party data sharers.
Enforce Storage Limitation Requirements
Organizations must establish storage limitation policies by regularly reviewing personal data holdings and ensuring that data is erased or anonymized when no longer required.
Law - Article 22, 29, 30 & 33
Regulation - 8
Ardent Solution: TurtleShield DM (Data Minimization) helps you reduce data holdings and focus on enterprise-centric data. It provides detailed insights for removing non-essential data, reducing the cost of security and storage and building the confidence of business owners and data custodians.
Implement Data Disclosure and Data Breach Management and Notification
Organizations must automate their internal breach management and external notification processes to respond within stipulated timeframes. This includes enabling systems and workflows for notifying affected Data Subjects and the Bureau without delay.
Law - Article 41 & 42
Regulation - 8
Ardent Solution: The TurtleShield DBM (Data Breach Management) module helps organizations efficiently verify, assess, contain, manage, and respond to data breaches, including notifying affected individuals and regulatory bodies as per the legal requirements. TurtleShield DBM streamlines the data breach management process, handles stakeholder management, and accelerates breach response, enabling organizations to notify regulators and stakeholders within the required timeframe.
Conclusion
DIFC Law No. 5 of 2020 sets forth a comprehensive approach to data privacy and protection. By implementing risk assessments, data discovery, consent management, and breach response mechanisms, organizations can ensure compliance while fostering trust among Data Subjects. Proactively adhering to these regulations not only mitigates risks but also strengthens data security and governance frameworks in the evolving digital landscape.