The compliance of the DIFC data protection law 2020 is administered by the “Commissioner” of Data Protection who will be the regulatory authority for the Data Protection regulation. The home of the regulator is found at here
Unlike the Indian DPA which will be a 7 member body, Dubai regulator will consist of one person namely the “Commissioner” who is appointed in consultation with the DIFCA Board of Directors and he shall be a person who is appropriately experienced and qualified. The appointment is contractual for a period of 5 years and the upper age limit for the commissioner is 75 years as against 65 years in India.
DIFC DPA 2020 however permits the delegation of powers and establishment of an advisory committee with its own chairman and secretariat.
The Commissioner may establish codes of practice and certification schemes.
One of the major changes that the new version of the Dubai law has brought in is the provision for appointment of a Data Protection Officer. According to Article 16, a Controller or a Processor “May elect” to appoint a DPO.
However DIFC bodies other than the Courts and Controllers or Processors performing “High Risk Processing” on a systematic or regular basis need to mandatorily appoint a DPO. For others appointment of DPO is optional but the Commissioner has the right to direct an entity to appoint a DPO if it finds it necessary. However where a DPO is not designated, the entity should still designate a person with responsibility for compliance.
Like in the case of GDPR, DPO may be an internal employee or an external contractual person.
The DPO must reside in Dubai unless he is a common DPO for the group entity.
The details of the DPO must be made public.
One of the responsibilities of the DPO is submission of an annual report to the Commissioner similar to the “Annual Data Audit” in the Indian PDPA.. DPO will also be responsible for overseeing the DPIA as and when undertaken.
As regards the role and tasks of the DPO, the law states that the DPO shall be provided with sufficient resources to carry out his duties and freedom to act independently and without conflict.
The DPO besides being the contact person for the Data Subject, is expected to monitor the compliance activities in the organization,inform and advise the organization and its employees, cooperate with the Commissioner, be the point of contact for the Commissioner etc.
It is noted that the Act specifies that the DPO shall be able to advise the entity not only on the Dubai Data Protection law but also on other relevant laws to which the organization may be subject to “including where the organisation is subject to overseas provisions with extra-territorial effect”.
Overall, the passage of the new law adds to the responsibilities of all organisations that have a presence in Dubai. Some of them may be “Controllers” or “Joint Controllers” and they need to take suitable steps for compliance.