The new DIFC Data Protection Law, Law No. 5 of 2020 took effect on 1 July 2020 and will be enforced from 1 October 2020. The new law, which repeals the Data Protection Law No.1 of 2007, applies to the processing of data by controllers or processors incorporated in the DIFC, irrespective of whether the processing takes place in the DIFC. It also applies to controllers or processors that process personal data in the DIFC on a regular basis, regardless of the entity's place of incorporation.
Unlike with the EU General Data Protection Regulation (GDPR), where companies had a two-year transition period to become compliant, there has not been much time for DIFC entities to prepare for compliance with the new DIFC DP Law. With the enforcement date around the corner, it is important for companies, branches and other legal entities operating in the DIFC to take the time to achieve reasonable compliance with the new law. The fines for non-compliance are relatively high (even if lower than GDPR penalties), with maximum thresholds starting at US$10,000 and going up to US$100,000 depending on the contravention in question.