Under the reforms, a new independent Office of Data Protection (ODP) will be established. Its regulatory activities will be funded through an annual data protection fee payable to the head of the ODP, the commissioner of data protection, from the commencement of processing personal data.
Stiffer penalties for non-compliance have also been introduced under the new regime, with the regulator able to issue fines of up to $28 million for serious breaches of the regulations.
A new mandatory data breach notification regime will also apply under the new regulations. The provisions largely mirror those in force under the GDPR and require businesses to notify the head of the ODP, the commissioner of data protection, "without undue delay and, where feasible, not later than 72 hours" after they become aware of a personal data breach. They must also notify the affected data subjects in cases where the breach "is likely to result in a high risk to the rights of natural persons". Where data processing is outsourced, a processor that experiences a personal data breach must notify the controller without undue delay after becoming aware of it.
The regulations require businesses to observe a range of data subject rights, including giving individuals access to the personal data the business holds about them. The new deadline for responding to these data subject access requests is two months, though a further one-month extension is possible "where necessary, taking into account the complexity and number of the requests".
Under the regulations, businesses also face record keeping obligations in relation to their data processing, duties in relation to data security, and in certain circumstances will be required to appoint a data protection officer and carry out data protection impact assessments. The new regulations also set out conditions under which personal data may be transferred lawfully from the ADGM to other jurisdictions.
Bicknell said: "By largely adopting the internationally recognised GDPR standards, organisations incorporated in the ADGM may commercially benefit from also complying with other similar data protection laws globally. Trust is established between areas with similar GDPR-aligned data protection laws as organisations must demonstrate, also to their employees and customers, that they are responsible in handling personal data to a high standard. Furthermore, it allows for business activities to be executed more conveniently with the opportunity for safe data being transferred between jurisdictions."
"The six or 12 month transition period grants the opportunity for organisations to assess and act immediately. Organisations must prioritise understanding their obligations under the new ADGM Data Protection Regulations, conduct a gap analysis to identify whether their existing systems are exposed or adequate, consider any changes to their framework and take the necessary steps to comply with the regulations. Failure to do so may result in facing irrecoverable, complex and expensive consequences through penalties," he said.