Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 23 December 2024

Yes.

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 23 December 2024

There are no such DIFC-specific regulations or laws. Please see the UAE chapter for information on obligations applicable to the UAE as a whole.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Data privacy

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 23 December 2024

Yes.

Data breaches that compromise a data subject's confidentiality, security or privacy must be notified to the Commissioner as soon as practicable in the circumstances. No specific timeframe is specified in the law, and no further written guidance has been offered on how the requirement 'as soon as practicable in the circumstances' should be interpreted. In practice, the Commissioner of Data Protection has confirmed that they will not hold companies to a 72-hour reporting timeframe. Equally, however, it is a safe assumption that reporting within 72 hours, even if only as a preliminary notification, will be considered sufficient to satisfy the requirement.

Processors are also obliged to notify the Controller without undue delay after becoming aware of a breach. Again, there is no specific timeframe specified in the legislation. In the absence of further guidance as to what 'without undue delay' means we would recommend that the words are given their ordinary meaning in everyday language and that the term is interpreted on a case-by-case basis, taking into account the circumstances.

Controllers/Owners have to notify:

Last review date: 23 December 2024

  • data protection authorities

    Namely the DIFC Commissioner of Data Protection
  • affected individuals

    Where a personal data breach is likely to result in a high risk to the security or rights of a data subject, the controller shall communicate the breach to the affected data subject(s) as soon as practicable in the circumstances. If there is an immediate risk of damage to the data subject, the controller shall promptly inform the affected data subject. No specific timeframe has been defined in the legislation, and no further written guidance has been offered on how these requirements should be interpreted in practice.
Processors/Agents have to notify:

Last review date: 23 December 2024

  • controller/owner

    The processor must inform the relevant controller without undue delay after becoming aware of the personal data breach. There is no specific timeframe specified in the legislation. In the absence of further guidance as to what 'without undue delay' means we would recommend that the words are given their ordinary meaning in everyday language and that the term is interpreted on a case-by-case basis, taking into account the circumstances.
Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 23 December 2024

Yes.

  • financial services requirements

Under the DFSA Rule Book, any entity regulated by the DFSA must advise the DFSA immediately if it becomes aware, or has reasonable grounds to believe, that any of the following matters may have occurred or may be about to occur:

  1. any matter which could have a significant adverse effect on the [regulated entity’s] reputation
  2. any matter in relation to the [regulated entity] which could result in serious adverse financial consequences to the financial system or to other firms
  3. a significant breach of a rule by the [regulated entity] or any of its employees, and
  4. any significant failure in the [regulated entity’s] systems or controls, including a failure reported to the [regulated entity] by the firm’s auditor.

There are various other provisions that might be relevant here; we have selected only a few. Notably, because the DIFC is a free zone that caters to banks and financial services companies, amongst others, many DIFC entities will also be regulated by the DFSA.