As the region approaches the end of the DIFC Data Protection Law transition period, PrivSec spoke with Mohammad Khalaf, Senior Regulatory Compliance Officer at Arab Bank in Jordan to discuss the significance of the new law.

What is the significance of the new DIFC Data Protection Law?

The new DIFC Data Protection Law No.5 of 2020, is highly significant to the privacy landscape in the United Arab Emirates. It is the first comprehensive privacy Law in the country, embodying international best practices and consistency with European Union (EU) regulations and Organisation for Economic Co-operation and Development (OECD) guidelines.

The law would establish an enhanced privacy governance landscape within the DIFC, placing the DIFC on par with international standards and it shall contribute to achieving “adequacy” status, which would facilitate the transfer of personal data from Europe.

Currently there is an absence of a national data privacy law within the UAE but the new DIFC law can be considered a blueprint which a national privacy law could be developed on. It would give institutions an idea of what a national privacy law in the UAE would look like and an idea of how to comply with it.

As with any other new law, it would require significant changes from institutions in the DIFC and would require a change mandated from the top down in regard to how institutions deal with personal data. 

This would require research, training, amending policies, developing operating procedures, updating IT system settings, hiring a Data Protection Officer in certain cases, and changing the culture of how institutions use personal data as a whole. 

Even institutions that have complied with the GDPR would still need to perform a gap analysis between the two laws, and build a compliance framework specific to the DIFC Privacy Law, as there are areas of difference between the two laws concerning “data subject rights”, “Lawfulness”, and “records of processing” amongst other areas.

Due to the DIFC being the financial centre of Dubai, institutions within the DIFC are constantly sharing data with third countries and with other jurisdictions within the UAE. 

Due to the absence of a federal privacy law in the UAE, transferring data to other jurisdictions in the UAE is the same as transferring data to a non-adequate third country and new mechanisms must be put in place for transfers of personal data even within the UAE.

What has struck you as one or two of the most important Privacy Issues arisen because of the pandemic?

Data regarding the health of individuals is considered “sensitive personal data” and requires an added level of protection. However, during a pandemic, health data is used, shared, and processed excessively. Nations are loosening their privacy regulations regarding sensitive data as well, allowing for the sharing of sensitive health data in order to battle the spread of the virus and perform medical research. 

While it is reasonable to expect that a pandemic requires more flexibility, the risks of processing sensitive personal data remain, and require mitigating. Thus, government agencies, medical professionals, private businesses, and the media must look at their own practices, evaluate the risks of processing sensitive data and ensure that technical and organizational measures are in place to mitigate those risks.

Many nations are also implementing digital surveillance solutions to track the spread of the Coronavirus and such measures obviously create new privacy issues for individuals. Monitoring individuals every move and who they have been in contact with can expose personal information which individuals would rather keep private and would be considered a breach of privacy under any other circumstance, guaranteeing an increase in complaints by individuals regarding privacy violations. As such, governments must identify the balance between managing the pandemic and preserving privacy, they must ensure that these methods, which constitute privacy-violations on a large scale, cease to exist once the pandemic is over and the private data collected for the said purpose be destroyed. 

Considering what the GDPR looks like two years on, how will it shape data protection in the UAE?

The GDPR has created unprecedented noise and awareness around the topic of data privacy, individuals globally are demanding more protection of their personal information from their governments, and the UAE is no exception. So far, Bahrain and Qatar have implemented Federal Data Privacy Regulations similar to the GDPR, and the expectation is that other Gulf Cooperation Council countries are soon to follow as pressure increases.

Considering that the UAE has a large European expat population and is a business hub in the region with many of its global companies serving users in the EU, it is believed that the GDPR could become a model for a federal privacy law in the UAE.

It would make sense as many businesses in the UAE are forced to adapt to the GDPR by virtue of their business operation, and the UAE would create an environment for trust with people concerning their personal data. In addition, a GDPR-inspired data privacy law would ensure the UAE being placed on the list of countries offering adequate protection, and would allow for the flow of personal data from the EU to the UAE which is vitally important considering the expat population and globalized business operations in the UAE.

What advice would you have for privacy practitioners working in the MENA region who want to develop their career?

Privacy Professionals must first understand the concept of privacy, why privacy regulations are in place, and why privacy is such a crucial issue. 

Only then will a privacy practitioner be able to study and understand regulations and the regulatory requirements, which institutions must comply with. Gaining privacy knowledge is not a one-time thing, practitioners must regularly keep up to date with the latest developments in the privacy world including technologies, regulatory updates, and best practices, as well as transferring this knowledge across an organization.

Nowadays personal information via mostly processed via information systems, thus privacy practitioners should increase their knowledge of information systems and how they work as much as possible. Although not a strict requirement, a Certified Information Systems Auditor (CISA) designation would benefit a privacy professional greatly in understanding how to audit information systems where personal information is usually processed.

Understanding Privacy, Regulations, and information systems is one thing, managing a privacy programme is another. Privacy Practitioners must work on developing their privacy programme management skills. One certification I thought to be extremely helpful is the CIPM (Certified Information Protection Manager) from the International Association of Privacy Professionals, it allows privacy practitioners to understand what it takes to build an efficient privacy program in an organization. 

Privacy professionals must work on developing their leadership and public speaking skills, as more often than not a privacy professional within an organization will need to be able to influence upper management and lines of business to “buy-into” the concept of privacy. They will need funding, resources, changing policies and procedures, among other requirements, which would need convincing upper management in an organization to support. Thus, a crucial part of a privacy professional’s deliverables is receiving buy-in, which requires development of leadership, public speaking, and communication skills.

To register to watch Mohammad Khalaf as well as Ibrahim Krishan, DPO and Head of New Business & Venture Compliance Support and International Compliance at QNB Group, and Mohammed Embaby, Data Protection Lead at Vodafone Egypt discuss “Implementing a Robust Data Protection Program” at PrivSec Global on 30 November, click here.