Given the increasing importance of data in the day-to-day operations of businesses of all kinds and sizes, we are seeing increasing regulations put into place around the world to safeguard customers’ information, such as the EU’s General Data Protection Regulation (GDPR), which was implemented in 2018.
In Abu Dhabi, Abu Dhabi Global Market (ADGM), the Emirate’s international financial centre and free zone, had instated data protection regulations in 2015, which it later amended in 2018.
During February of this year, ADGM completely revamped these regulations under a new framework: the Data Protection Regulations 2021, or DPR 2021 for short.
Sayid Madar, Head of Operations at the ADGM Office of Data Protection (ODP), provides the AD SME Hub with insights into this new regulatory framework, and what it means for ADGM businesses, Abu Dhabi and organisations with a presence in ADGM.
Why was it important to instate the new 2021 Data Protection Regulations this past February, and how will these improve upon ADGM's previous framework first instated in 2015 (later amended in 2018)?
On the 11th of February 2021, ADGM enacted the new DPR 2021. Following substantive updates to key international legal frameworks for data protection, ADGM identified the need to update and address gaps in the 2015 Data Protection Regulations to be in line with international best practice. We conducted a benchmark of key frameworks, such as the GDPR and the UK’s Data Protection Act 2018 (UK DPA). We also went out for public consultation during November 2020.
This eventually led to the enactment of the DPR 2021, including the appointment of a new Commissioner of Data Protection. The ODP is the independent supervisory authority headed by the Commissioner whose sole responsibilities are to regulate and administer the DPR 2021.
It was essential for ADGM to align its data protection framework with international best practice in order to promote interoperability between ADGM and other jurisdictions. The importance of data, tech and the digital economy to Abu Dhabi and the ADGM is well recognised. It is also important to be aware that there are over 130+ jurisdictions with some form of data protection and privacy laws. Many of those are aligned with EU standards.
In order to support growth in these key sectors, it was essential that our framework provides ADGM entities with a legal platform that would support growth through consistency with international frameworks. Compliance with the DPR 2021 will put ADGM companies at an advantageous position when expanding into new markets and territories. It would also enhance trust and credibility for Abu Dhabi as an important destination for data.
The DPR 2021 enhances but also improves upon the 2015 Regulations. Additionally, the DPR 2021 includes certain exemptions for small and medium enterprises: for example, the removal of permits and its associated fees. This is to support SMEs in particular.
What will the direct impact as a result of this be on companies working in Abu Dhabi?
The DPR 2021 applies to ADGM establishments. The law also applies an extraterritorial reach where the processing of personal data is in the context of the activities of an establishment in ADGM. This is consistent with international frameworks. It is important to note that ADGM and Abu Dhabi-based entities may already be liable to laws like the EU GDPR or UK DPA if they promote to or monitor the behaviours of individuals in the EU or UK respectively. This includes using web or application tracking technologies such as cookies or pixels.
The DPR 2021 builds upon the 2015 Regulations with the addition of new obligations and rights for individuals. All entities established in ADGM would need to ensure that they are aware of the data they collect and use. Only by understanding in detail the type of personal data they collect, its purpose, where the data is held, and for how long, can they put effective controls and measures in place to safeguard that information. DPR 2021 requires ADGM entities to take appropriate steps to safeguard, manage and maintain the information across its lifecycle.
Furthermore, the DPR 2021 includes a new accountability principle. This new principle puts responsibility on ADGM entities to demonstrate compliance with the DPR 2021. This was introduced to ensure transparency and good governance are a key part of a company’s internal compliance framework. Companies may also have additional compliance considerations in the event of a breach of personal data. For instance, there is an obligation to notify the ODP, and in some cases notify individuals, if the breach is likely to result in a high risk to them.
What about the impact on consumers whose data businesses handle?
The DPR 2021 provides individuals with specific rights over their personal data. This is to ensure that individuals, which includes consumers and employees, have a level of control over the use of their personal data.
Under the DPR 2021, individuals have the right to:
be informed of the purpose(s) for processing their data;
access their data stored within a company’s databases;
object to the collection of their data;
request the deletion of their data.
Businesses whose core activity may involve the large-scale processing of personal data would need to put in place appropriate processes to identify, respond to and manage individuals’ requests, as per their rights.
ADGM entities have two months to respond to individuals exercising their rights under the DPR 2021. Also, the DPR 2021 enhances the rights of individuals by providing them several avenues for redress and rectification. This includes putting in a complaint to the ODP or directly to the ADGM Courts for a resolution if personal data was processed in a way which is non-compliant with the DPR 2021, or if it had caused distress or detriment.
You announced last month that you will be issuing new rules for the Fees and Fines under the DPR 2021. Can you tell us more about this regulatory update, and the implications for businesses operating in Abu Dhabi?
The ADGM Board of Directors enacted new rules for data protection fees and fines. Since the DPR 2021 repeals the previous 2015 Regulations, the Board were required to clarify the new fees under the DPR 2021 and the penalty for non-payment.
The one-off Registration Fee will remain as is at $300 USD. This now applies to all entity types.
There will also be a renewal fee of $300 USD.
The data protection fees regime in ADGM remains one of the most cost-effective when benchmarked locally, regionally and internationally. This was intentionally done by ADGM leadership to support growth in Abu Dhabi.
What tools and resources does ADGM offer to businesses in Abu Dhabi to help them engage in best practices within regulatory guidelines such as the DPR 2021 and beyond?
The ODP is required by the DPR 2021 to provide guidance and support. We recently published a suite of guidance materials and tools to help ADGM entities comply with the DPR 2021. The resources include guides, standard contract clauses, tools and templates, and can be found here.
The ODP considered the needs of SMEs and micro-businesses when developing these resources. For instance, you will find many examples in all our guides that explain how the provisions could apply in practice within your organisation.
Furthermore, as highlighted earlier, since the DPR 2021 is aligned with international best practices, our templates could also be used to demonstrate compliance to certain provisions of data protection laws in various other jurisdictions, in particular, the UK and the European Union.