ADGM Data Protection Rules 2021-2022
“Availability of protection ensures reliability and timely access to data and resources to authorized individuals.”
Organizations must emphasize educating about their responsibilities under the new ADGM Data Protection Regulations, conducting a disparity test to find whether their current systems are vulnerable or appropriate, considering any changes to their structure, and taking the necessary steps to adhere.
The Abu Dhabi Global Market (ADGM) has passed new Data Protection Regulations for 2021. (The Regulations). Following a 12-month transition period for current businesses in ADGM before February 14, 2021, and a 6-month transition period for new companies based in ADGM on or after February 14, 2021, these Regulations will take effect and replace the current Data Protection Regulations 2015 regime. Going through a period of public engagement, the revised regulations were enacted. The policies are based on worldwide standards and best practices, including the EU General Data Protection Regulation (GDPR), but adjusted to the ADGM's requirements.
The new Regulations are closely linked with the UK's Data Protection Act 2018 and the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') following good input during a public consultation in November 2020. Regardless of whether the processing occurs in ADGM or not, the Guidelines apply to the processing of personal information in the framework of the activities of establishing a controller or processor in ADGM. Personal data is a broad term that refers to any information used to identify a living individual. This is crucial because unique IDs are widely used for technology and financial services.
To understand the mechanism set by ADGM, we need to closely analyze the data protection rules enforced by it.
Organizations (controllers) recognized in the ADGM and process personal information or sensitive data are subject to the law. The rule also applies to businesses that process data on behalf of these organizations, such as their vendors. Personal data collected and held outside of ADGM, but relating to ADGM-registered organizations, is protected by law. Processors who are registered in the ADGM and who process personal information for authorities outside the ADGM are, to a limited extent, protected by the law.
The ADGM DP Law protects personal data, defined as any data connected to an identified natural person or identifiable natural person. This also includes data containing opinions and intentions about identified or identifiable individuals. The ADGM DP law also applies to sensitive personal data, which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data (where used for identification purposes), data about health, data about a person’s sex life or sexual orientation, personal data relating to criminal convictions and offenses or related security measures.
Features of rules 2021-2022
- The GDPR is closely related to the Regulations. As a result, organizations that now collect the personal data of EU citizens should be aware of important elements. The inclusion of the transparency obligation to the principles is one of them. Mobility, erasure, objection, limitations, and particular rights over real-time decision and profiling have been added to the list of data subject rights. Individuals now have the right to seek reparation from a controller or processor if the Regulations are broken.
- In some situations, a data protection officer ('DPO') is required. The DPO is not required to be based at the ADGM and might serve a group of enterprises. There is also an obligation to keep track of the processing cycle and perform Data Protection Impact Assessments ('DPIA') when proposed processing activities pose a significant danger to persons' rights and freedoms.
- In addition, the Regulations keep the duty to enroll with the Office of Data Protection ('ODP') but add a new responsibility to notify the ODP. Notice may be required in some cases, such as data breaches, DPIAs, and Binding Corporate Rules approvals.
- Micro-businesses functioning in the ADGM is granted some restricted exemptions under the Regulations. The data protection cost is waived for businesses with fewer than five employees. They are also excluded from the need for a DPO. On the other hand, the exclusions are not valid if the company engages in our high-risk processing operations.
- Businesses must comply with several data subject rights under the laws, including assisting persons in gaining access to personal data held about them. The revised timeframe for complying with such data subject access permissions is two months, with the possibility of a one-month extension "where appropriate, taking into account the complexity and volume of requests."
- Businesses will also be expected to retain records relating to their data processing, perform data security duties, and, in some cases, hire a data protection officer and conduct data protection impact evaluations under the laws. The new rules also specify the circumstances for which private data may be legally transmitted from the ADGM to certain other countries.
- The Regulations establish a separate Office of Data Protection (ODP) and a Data Protection Commissioner ('the Commissioner'). The revised Regulations define the Commissioner's function and obligations, which include administrative, regulatory, and compliance powers. The Regulations give the ADGM Commissioner of Data Protection the Middle East's toughest penalty mechanism. The Commissioner can impose financial penalties of up to USD 28 million.
- The ODP participates in a range of international forums. The ODP is a member of the Global Privacy Enforcement Network (GPEN) 2 and an observer to the Council of Europe's Consultative Committee on the Privacy of Persons concerning Automatic Processing of Personal Data ('Convention 108') and the Global Privacy Assembly. The ODP recently announced that it had become the Gulf's first data protection body to enter the International Enforcement Cooperation Working Group3. The ODP aspires to become one of the region's most important data protection bodies.
Changes in ADGM DPR 2021
1. Data Protection Officer is Required
- The ADGM suggests that a DPO be appointed.
- The DPO need not be a member of the ADGM or a data controller's employee. This would assure that the ADGM's businesses may benefit from their global DPO function.
- Without conflict, the DPO can also have numerous jobs in a company or work with multiple companies.
- An establishment with fewer than five employees is exempt from the requirement to appoint a DPO unless it engages in high-risk processing operations.
2. Administration and Ethics
The accountability principle is now included in the new law, which requires:
- Data security is built-in and is enabled by default.
- Data processing records
- Impact assessments on privacy protection
- Officers in charge of data protection
- Corporate norms that are legally binding
- Fee for data protection
3. Transfer across Countries
The following are some general transfer principles: Protection of personal data at a high degree by adding protections such as:
- The receiving region ensures that personal data is adequately protected.
- Model clauses and binding corporate regulations (BCRs).
- In the ADGM, a transfer is needed for important grounds of public interest — UAE law enforcement agencies request a transfer.
- To save a person's life, a transfer is required.
“Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.”
The UAE has made a rational and coordinated effort to embrace and conform data protection standards and best practices, as shown by the GDPR. This will benefit businesses in the UAE because the new system is likely to expand and support data protection transit between the UAE and other data-protective countries, such as European Union member states or the United Kingdom. In light of this global shift toward more comprehensive data protection, we propose that all ADGM enterprises engage rapidly in their arrangements for the Regulations' implementation to prevent additional disruptions and fines for non-compliance.