DIFC Legislates For EU's New GDPR Data Protection Standards
by Lorys Charalambous, Lowtax.net, Cyprus
01 February, 2018
The Dubai International Financial Centre, the low-tax financial center in the United Arab Emirates, has upgraded its data protection regime to bring it into line with new requirements being introduced by the European Union.
Changes have been made to the DIFC's data protection regulations to bring them into line with international best practices, and to adapt to the EU's General Data Protection Regulation (discussed below).
In addition, a new law - the DIFC Laws Amendment Law, DIFC Law No. 1 of 2018 - has been passed, which aims to also clarify elements of the center's Data Protection Law of 2007.
The new regulations and law are available on the DIFC's website.
The DIFC is a free trade zone located in Dubai, which offers a number of perks to firms, including zero percent income tax guaranteed for 50 years and no exchange controls. It allows 100 percent foreign ownership.
The changes are necessary ahead of entry into effect of the EU's General Data Protection Regulation from May 25, 2018.
In summary, the GDPR strengthens and unifies data protection for all individuals within the EU, including in the areas of data portability, the "right to be forgotten," and children's data. GDPR also introduces new standards for notification of data breaches and tighter response deadlines by data holders where individuals seek to understand how much of their personal information an entity has retained.
The EU says that new ways of regulating the storage, processing, and use of personal data are necessary because of the sheer amount of information that companies now hold about individuals. What's more, the existing EU rules on data protection, enshrined in the 1995 Data Protection Directive, are now well out of date.
The GDPR requires that personal data shall be:
- processed lawfully, fairly, and in a transparent manner in relation to individuals;
- collected for specified, explicit, and legitimate purposes;
- adequate, relevant, and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary; and
- processed in a manner that ensures appropriate security of the personal data.
The GDPR also requires that organizations appoint a data protection officer if they carry out large-scale systematic monitoring of individuals or undertake large-scale processing of special categories of data or of data relating to criminal convictions and offences. However, the GDPR permits groups of companies to appoint a single data protection officer where appropriate.