Organizations in the UAE are proactively working towards implementing privacy controls in compliance with new data protection regulations. In this article, we summarize the key requirements of the PDPL law (No. 45, 2021) and how organizations can establish a comprehensive data privacy program.
In a 2019 consumer privacy survey, Cisco identified a new subset of consumers called “Privacy Actives” who accounted for 32% of their responders . These consumers voiced that they care about their privacy, are willing to act to protect it, and did so by moving their business to organizations that are proactive in ensuring the privacy of consumers’ sensitive data. The global rise in cyber threats related to personal data and organizations' data has resulted in various regulations being made by governments across the globe to preserve data security and privacy.
The UAE government has developed an effective data protection law to foster advanced data practices. The soon-to-be-released implementation of the Federal Personal Data Protection Law (PDPL) , is a long-awaited step in the government’s commitment to personal data protection and privacy. In particular, Law No. 45 of 2021 is an extensive Personal Data Protection Law that outlines data subjects' rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification/record keeping requirements.
Organizations and individual businesses are expected to comply with this law as an obligation to society in championing data integrity and security.
This law applies to all data subjects in the UAE, including organizations (controllers/processors) located in the UAE irrespective of whether the data processing activities take place inside or outside of the UAE. It also applies to organizations located outside the UAE that process the data of UAE data subjects. Exceptions include personal data held by government, security or judicial authorities, and personal health/banking data, which are subject to separate laws.
To implement the controls outlined by the law efficiently, organizations are advised to follow a methodological approach to define data privacy practices that comply with the regulations while also ensuring the privacy of their customers’ personal data.
Below is a recommended high-level approach to implement data privacy within an organization:
1. Applicability Assessment
The first phase in carrying out a comprehensive data privacy program is determining the applicability of the PDPL (and other data protection regulations). An Applicability Assessment is particularly important for organizations with employees working abroad. A company in the UAE may have operations abroad that requires them to comply with General Data Protection Regulations (GDPR)  and other regional privacy laws.
The steps of an applicability assessment are:
1. Understanding the personal data (including Personally Identifiable Information (PII)) landscape within the organization and identify all business processes using this data. Processes may be associated with third-parties.
2. Consolidating controls from all applicable data privacy frameworks (National/Global/Industry-specific) into an integrated controls framework.
2. Develop and Implement a Privacy Framework
Once the applicability assessment is complete, the organization should develop a privacy framework to address all privacy-related tasks within the organization. The essential elements of developing and implementing a privacy framework are:
- Identify key roles for Data Privacy within the organization and create a Responsibility Assignment Matrix (RAM), also known as RACI.
- Maintain record of processing activities and inventories of personal data, assets, and vendors. Gather information through discovery questionnaires/interviews.
- The organization should ensure Privacy/Data Protection Impact Assessments as performed on a regular basis and can develop a process for the same.
- Develop guidelines for Privacy by Design for any product that the organization may create.
- Develop process for processing DSARs (Data Subject Access Requests). Automate, if possible, for efficient response process.
- Develop a process for Privacy Incident Management. This process should enable the organization to meet requirements set forth by the law for notifying the data controller and the data subject.
- Conduct a gap assessment to assess maturity of the organization against the developed framework.
- Apply remediations to existing implementation of privacy controls (if any).
3. Training and Awareness
Organizations should train their employees on the established framework and the basics of data privacy to create awareness. It is advised to conduct focused trainings for departments that are accountable for data processing, such as HR, Marketing, etc.
4. Performance Monitoring
Once the framework is successfully implemented and the organizations’ staff have been trained, organizations should establish relevant metrics to monitor all areas of the established framework.
Companies can set apart themselves by taking deliberate initiatives towards privacy compliance.
Developing a comprehensive data privacy program and implementing associated controls not only gives an organization the opportunity to comply with local and international regulations but also ensures streamlined compliance, measurable results, reduced costs, and improved risk mitigation . Consumers will respond to companies that treat their personal information with care. Therefore, companies are urged to comply with applicable privacy laws at the earliest.
 UAE, "Personal Data Protection Law," [Online]. Available: https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws.
 European Parliament and Council of the European Union, "General Data Protection Regulation (GDPR)," [Online]. Available: https://gdpr.eu/tag/gdpr/.
 Cisco, "Consumer Privacy Survey," [Online]. Available: https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/cybersecurity-series-2019-cps.pdf.
 Data Privacy Manager, "100 Data Privacy and Data Security statistics," [Online]. Available: https://dataprivacymanager.net/100-data-privacy-and-data-security-statistics-for-2020/.
 M. Khan, "A Four-Step Approach to Adopting a Privacy Framework," [Online]. Available: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/a-four-step-approach-to-adopting-a-privacy-framework.
Caption - Organizations in the hashtag#uae are proactively working towards implementing privacy controls in hashtag#compliance with the new data protection regulations. In this article, we summarize how organizations can establish a comprehensive hashtag#dataprivacy program.