ADGM: ODP updated guidance under Data Protection Regulations 2021 - Part 2 - Controller accountability and obligations
Nearly six months after the enactment of the Data Protection Regulations 2021 ('the 2021 Regulations') within the Abu Dhabi Global Market ('ADGM'), and having teased the release of updated guidance on the same, the newly established Office of Data Protection ('ODP') released, on 11 August 2021, eight detailed guides, accompanied by compliance tools, to aid establishments in complying with the range of new data protection requirements.
For an overview of the new guidance and further resources, see Part 1 of this Insight series: ADGM: What You Need to Know: Part 1 - ODP updates guidance under Data Protection Regulations 2021. This Insight article outlines and summarises the accountability-related obligations of controllers addressed in the guides.
Accountability under the DPR 2021
Accountability-related obligations under the DPR 2021 are addressed in particular in the guides listed below:
- Part 3: Data Protection by Design and Default, the data protection fees, the record of processing activities ('ROPAs'), the requirement for a Data Protection Officer ('DPO') and processor obligations ('the Part 3 Guidance');
- Part 4: Data Protection Impact Assessments ('DPIAs') ('the Part 4 Guidance'); and
- Part 5: Security of processing, the cessation of processing, and managing personal data breaches, which includes notification requirements ('the Part 5 Guidance').
The 2021 Regulations do not explicitly refer to or define the principle of accountability.
However, Section 1(e) outlines that the objects of the 2021 Regulations include establishing the primary responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf. Furthermore, Section 4(2) provides that the controller is responsible for, and must be able to demonstrate compliance with, Section 4(1), which details principles for processing personal data. According to Section 59(2) and (3) of the 2021 Regulations, any controller involved in processing is liable for the damage caused by processing which contravenes the Regulations. A processor is liable for the damage caused by processing only where it has not complied with obligations of these Regulations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
Additionally, the 2021 Regulations outline further controller obligations throughout the legislation pertaining to different stages of the life cycle of personal data used by organisations, including obligations relating to the security of processing personal data, the cessation of processing, and notifying relevant persons in the event of a personal data breach (Sections 30(1) and (3), 31(1) and (6), 32(1) and (5), and 33(1) of the 2021 Regulations).
Part 3 Guidance
The Part 3 Guidance outlines requirements from the 2021 Regulations pertaining to respecting the principles of Data Protection by Design and Default, paying the data protection fee and renewal fee through the Registration Authority's platform, maintaining a ROPA, appointing a DPO, and engaging with processors.
Data Protection by Design and by Default
Section 23 of the 2021 Regulations outlines that controllers must comply with the Data Protection by Design and Data Protection by Default principles when processing personal data.
The Part 3 Guidance further expands on how controllers may comply with the Data Protection by Design obligation in Section 2.2, stating that controllers should:
- consider privacy and data protection at the design phase of any system, service, product, or process, and throughout its implementation, operation, including any updates or expansion, migration and termination;
- put in place technical and organisational measures designed to implement data protection principles effectively; and
- build safeguards into processing activities to meet the requirements of the 2021 Regulations and protect data subject rights.
Similarly, the Part 3 Guidance expands on how controllers may comply with the Data Protection by Default obligation in Section 2.3, stating that controllers should consider the following:
- only processing personal data that is necessary to achieve their purposes;
- adopting a 'privacy-first' approach with any default settings of systems and applications;
- ensuring an illusory choice is not provided to individuals in relation to the personal data that will be processed;
- ensuring personal data is not automatically made publicly available to others;
- implementing organisational measures designed to collect and process only the minimum amount of personal data necessary for the specific purpose, including access controls that ensure only individuals which need personal data to perform their function have access to it; and
- providing individuals with sufficient controls and options to exercise their rights.
Notably, Section 2 of the Part 3 Guidance also states that controllers should aim to comply with their Data Protection by Design and by Default obligations by:
- taking an organisation-wide approach with buy-in from key stakeholders, embedding measures at all levels; and
- implementing a set of practical and actionable guidelines that individuals and stakeholders can access.
Records of processing activities
Section 28 of the 2021 Regulations outlines that controllers and processors must maintain a ROPA in writing, which can be in electronic form and should be made available to the Commissioner of Data Protection ('the Commissioner') upon request.
Section 28(1) of the 2021 Regulations outlines what should be included in the controller's ROPA.
For organisations acting as both controllers and processors, Section 4.4 of the Part 3 Guidance outlines that organisations could either:
- have two separate records, one which covers their activities as controllers and the other their activities as processors; or
- have one record which covers both but clearly distinguishes the capacity in which they are acting.
The Part 3 Guidance further advises in Section 4.4 that in creating a ROPA, organisations can carry out an audit or data-mapping exercise to help them find out what and where personal data is held. Furthermore, the Part 3 Guidance recommends in Section 4.8 that processing records be regularly updated to ensure they remain current and accurate, advising organisations to appoint privacy champions within the organisation to take responsibility for doing so.
Data protection fees and notification
Controllers are required to pay a data protection fee to the Commissioner before, or as soon as reasonably practicable after, they start processing personal data (Section 24(1) of the 2021 Regulations). In this regard, each year, within one month of the expiry of the date on which a controller commenced processing, it must also pay a 'renewal fee' (Section 24(2) of the 2021 Regulations).
Notably, the amounts for the data protection fee and renewal fee a controller must pay are specified by the Commissioner in the Data Protection (Fees) Rules 2021 as amounting to $300 each (Section 62(1) of the 2021 Regulations).
Additionally, controllers must notify the Commissioner of (Section 24(1) of the 2021 Regulations):
- its name and address; and
- the date it commenced processing personal data.
The requirements to pay a fee and a renewal fee do not apply to establishments employing fewer than five employees unless they carry out high risk processing activities (Section 24(3) of the 2021 Regulations).
Appointment of a DPO
As per Section 35(1) of the 2021 Regulations, controllers and processors must appoint a DPO where:
- processing is carried out by a public authority, except for courts acting in their judicial capacity;
- their core activities consist of processing operations which require regular and systematic monitoring of data subjects, on a large scale; or
- their core activities consist of processing on a large scale of special categories of personal data.
More information on the meaning of 'core activities', 'regular and systematic monitoring of data subjects on a large scale' and clarification on what is considered processing 'on a large scale' can be found in Section 5.3 of the Part 3 Guidance.
Notably, an assessment has been released by the ODP to help organisations understand whether they're required to appoint a DPO.
Moreover, in relation to requirements attached to the appointment of a DPO, Section 5 of the Part 3 Guidance states the following:
- the DPO's level of knowledge and expertise should be reflective of the risk associated with the type of data processing carried out in an organisation;
- the Commissioner must be notified of the appointment or resignation of a DPO by the controller or processor, and the notification must include:
  - the contact details of the new DPO; and
  - in the case of resignation, the reasons for the resignation;
- the DPO can, but does not need to be, an employee;
- the DPO, if an employee, can perform other roles within the organisation as long as they do not conflict with his/her obligations under the 2021 Regulations; and
- the DPO does not need to be located in the ADGM, but must be easily accessible to employees, the Commissioner, and data subjects.
The requirement to notify the Commissioner of a data breach and/or a Data Protection Impact Assessment ('DPIA') which is likely to result in a high risk to data subjects must also be accompanied by the DPO's contact details (Section 5.10 of the Part 3 Guidance).
Notably, a DPO can be appointed in respect of a single entity, a group, or multiple, independent entities as long as he/she is able to perform their tasks effectively. In this regard, it is the responsibility of the controller and/or processor who appoints the DPO to ensure he/she receives the necessary support to perform their role effectively (Section 5.5 of the Part 3 Guidance).
The Part 4 Guidance
The Part 4 Guidance outlines when a DPIA must be carried out, how to conduct it, and what should be covered therein.
Further to the definition in Part VIII of the 2021 Regulations, Section 2 of the Part 4 Guidance outlines that a DPIA is a tool by which a controller can assess the risks to personal data that may be caused by implementing a process, operation, or service that processes personal data, and identify steps to mitigate these risks.
When to carry out a DPIA?
A controller must carry out a DPIA in the following circumstances:
- prior to processing that is likely to result in a high risk to the rights of natural persons (Section 31(4) of the 2021 Regulations); and/or
- where the controller seeks to rely on one of the exceptions in Section 31 of the 2021 Regulations to the requirement for it to securely and permanently delete, anonymise, pseudonymise, encrypt, or put personal data beyond further use (Section 31(5) of the 2021 Regulations).
In this regard, the term 'high risk' implies a more than remote chance of some harm to data subjects and refers to the potential for any significant physical, material, or non-material harm to them (Section 3.2 of the Part 4 Guidance). Section 62(1) of the 2021 Regulations further clarifies what activities may be considered 'high risk processing activities'.
Section 3.5 of the Part 4 Guidance provides a non-exhaustive list of the types of processing activities which require a DPIA before commencing:
- using profiling, automated decision-making, or special category data to help make decisions on someone’s access to a service, opportunity, or benefit;
- systematically monitoring a publicly accessible place on a large scale;
- processing special-category data on a large scale;
- collecting biometric data on employees for the purposes of identifying them;
- carrying out profiling, as defined in Part VIII of the DPR 2021, on a large scale;
- combining, comparing, or matching data from multiple sources to compile a fuller picture around an individual; and
- processing personal data that could result in a risk of physical harm in the event of a security breach.
What should your DPIA include?
The minimum requirements for what must be described in a DPIA are outlined in Section 34(5) of the 2021 Regulations. Furthermore, Section 4 of the Part 4 Guidance highlights that while there is no specified format for a DPIA, a DPIA template is available on the ADGM website for use by organisations.
A DPIA should be used as a flexible tool to help organisations determine whether the level of risk attached to a certain process is acceptable in the circumstances (Section 4.1 of the Part 4 Guidance).
Non-exhaustive lists of possible risks to be included in organisations' DPIAs and measures to mitigate risks identified can be found in Section 4.2 of the Part 4 Guidance. These include loss of opportunity and wider access to personal data within the organisation in relation to the former, and seeking alternative technological solutions and educating internal stakeholders for the latter.
Section 4.3 of the Part 4 Guidance also outlines what a best practice DPIA would cover, which includes an explanation of why the controller needs a DPIA, and of the relationships between controllers, processors, data subjects, and any systems using both text and data-flow diagrams where appropriate.
When to notify a DPIA?
If a DPIA identifies that the processing in question is likely to result in a high risk to the rights of natural persons despite any risk mitigation measures taken by the controller, the controller must notify the Commissioner prior to carrying out such processing. Such notification should include all the information required by Section 34(5) of the 2021 Regulations and can be made by submitting the DPIA using the Registry Platform (Section 6 of the Part 4 Guidance).
The Commissioner will then provide feedback on the processing and may require corrective action to be taken prior to commencement of the processing activity by the organisation (Section 6 of the Part 4 Guidance).
Section 7 of the Part 4 Guidance emphasises the importance of continually monitoring compliance, including carrying out reviews to assess if processing is performed in accordance with the DPIA.
Lastly, processors are not required to perform DPIAs under the 2021 Regulations; however, they are required to assist controllers in ensuring compliance with the 2021 Regulations, including Section 34 of the same.
The Part 5 Guidance
The Part 5 Guidance outlines obligations around security of processing personal data, cessation of processing, and personal data breaches.
Security of processing - technical and organisational measures
The 2021 Regulations provide that controllers must implement technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in compliance with the Regulations, including data protection policies (Section 22(1) and (2) of the 2021 Regulations).
Section 2.3 of the Part 5 Guidance outlines that technical measures encompass physical security measures and IT/cybersecurity measures, and gives examples of each. These include access controls to the organisation's premises and how IT equipment is kept secure, in relation to physical security measures, and the security of network and information systems, in relation to IT/cybersecurity measures.
Similarly, Section 2.4 of the Part 5 Guidance outlines that organisational measures include:
- carrying out information risk assessments, which may involve:
  - reviewing the personal data held by the organisation and considering the risks that could result if the data were compromised;
  - taking into account the nature and extent of the organisation's premises and systems;
  - assessing the number of staff and their access to personal data; or
  - considering the processing carried out on the organisation's behalf;
- appointing a person within the organisation and designating day-to-day responsibility for information security;
- building a culture of security awareness in the organisation, e.g. via regular training and awareness-raising campaigns; and
- developing an information security policy.
Furthermore, the Part 5 Guidance highlights that controllers and processors must take steps to ensure that anyone acting under their authority only processes personal data under the controller's instructions (Section 2.5 of the Part 5 Guidance).
What security measures should be used?
While no particular security measures are specified by the 2021 Regulations, Section 30 outlines some factors to take into account to judge what is appropriate in the circumstances.
The 2021 Regulations outline some examples of security measures that can be used by organisations, including (Section 30 of the 2021 Regulations):
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
- the ability to restore the availability and access to personal data in a timely manner in the event of an incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of the security measures in place.
Section 2.2 of the Part 5 Guidance further expands on the meanings of each of pseudonymisation, encryption, confidentiality, integrity, availability, and resilience.
Furthermore, the Part 5 Guidance highlights that the results of testing, assessment, and evaluation processes, and any changes made as a result, should be documented by the organisation (Section 2.3 of the Part 5 Guidance).
Cessation of processing
Where the basis for processing changes or ceases to exist, or a controller is required to cease processing due to the exercise of a data subject's rights, controllers must ensure that all personal data, including that held by processors, is (Section 31 of the 2021 Regulations):
- securely and permanently deleted;
- pseudonymised; or
- securely encrypted.
If data cannot be deleted, anonymised, pseudonymised, or encrypted, the data should be put beyond further use as per the steps in Section 31(3) of the 2021 Regulations. Provided that these steps are followed, organisations would not be expected to use any of the data put beyond use in response to a data subject access request (Section 3.2 of the Part 5 Guidance). Exceptions to this obligation may be found in Section 31(4) of the 2021 Regulations.
Section 3.3 of the Part 5 Guidance advises that organisations that rely on one of the exceptions must have a policy and process for managing the relevant personal data when the exception no longer applies.
Personal data breach notifications
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Part VIII of the 2021 Regulations).
An assessment has been released by the ODP to help organisations understand their notification requirements in relation to personal data breaches.
To the Commissioner
The controller must notify a personal data breach to the Commissioner without undue delay, and no later than 72 hours after becoming aware of it, unless it is unlikely to result in a risk to the rights of individuals (Section 32(1) and (2) of the 2021 Regulations). In this regard, if an organisation is not able to notify within 72 hours, it must explain why when the breach is ultimately reported.
Furthermore, if, after an assessment of the circumstances of an incident, an organisation concludes that risk to individuals is unlikely and thus notification is not required, it should keep a record of this decision to be able to justify it if required (Section 4.2 of the Part 5 Guidance).
Details on what should be included in the breach notification can be found in Section 32(3) of the 2021 Regulations.
To data subjects
If an organisation finds that a breach is likely to result in a high risk to the rights of individuals, the affected individuals must be told without delay, unless one of the exceptions in Section 33(3) of the 2021 Regulations applies.
Content of notification
Section 32(3) of the 2021 Regulations specifies what should be included in a personal data breach notification.
How to notify
A breach can be reported via the Online Registry Solution, and more information on how to do so can be found here.
All data breaches must be documented regardless of whether they are notified to the Commissioner, and such records should contain all the information necessary to enable the Commissioner to verify an organisation's compliance with the 2021 Regulations (Section 32(5) of the 2021 Regulations).
Processors must notify the controller whose personal data they are processing on its behalf without undue delay once they become aware of a breach but are not required to notify the Commissioner or data subjects (Section 32(2) of the 2021 Regulations).
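As an added, defender-side illustration of the notification rules summarised in this section (not part of the ODP guidance or of the original article), the Python below keeps a breach register that works out who must be told under Sections 32 and 33, tracks the 72-hour window from awareness, and flags records that lack the documented rationale the Part 5 Guidance expects. The incident ids, risk categories, field names and sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Section 32(1)-(2): the Commissioner must be notified no later than 72 hours after awareness.
NOTIFY_WINDOW = timedelta(hours=72)

@dataclass
class BreachRecord:
    incident_id: str                  # placeholder id assigned by the organisation (assumed)
    role: str                         # "controller" or "processor"
    aware_at: datetime                # when the organisation became aware of the breach
    risk: str                         # assessed outcome: "unlikely", "risk" or "high_risk" (assumed labels)
    rationale: str                    # why it was assessed that way (Section 4.2, Part 5 Guidance)
    subject_exception: bool = False   # a Section 33(3) exception to informing individuals applies
    notified_at: Optional[datetime] = None   # when the Commissioner was actually notified
    late_reason: str = ""             # explanation required if notified after the 72-hour window

def notify_targets(rec: BreachRecord) -> List[str]:
    """Who must be told, following Sections 32 and 33 as summarised in the article."""
    if rec.role == "processor":
        return ["controller"]                   # Section 32(2): a processor informs the controller only
    targets = []
    if rec.risk in ("risk", "high_risk"):
        targets.append("commissioner")          # Section 32(1): unless a risk is unlikely
    if rec.risk == "high_risk" and not rec.subject_exception:
        targets.append("data_subjects")         # Section 33: high risk and no 33(3) exception
    return targets

def commissioner_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + NOTIFY_WINDOW

def check_record(rec: BreachRecord, now: datetime) -> List[str]:
    """Outstanding compliance findings for one breach record (empty list means none)."""
    findings = []
    # Section 32(5): every breach is documented, notified or not, with enough to justify the decision.
    if not rec.rationale.strip():
        findings.append("no documented risk rationale")
    if "commissioner" in notify_targets(rec):
        deadline = commissioner_deadline(rec)
        if rec.notified_at is None and now > deadline:
            findings.append("Commissioner notification overdue")
        elif rec.notified_at is not None and rec.notified_at > deadline and not rec.late_reason:
            findings.append("late notification without an explanation of the delay")
    return findings

# Constructed sample register (not real incidents), reviewed 96 hours after awareness.
T0 = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)
REVIEW_AT = T0 + timedelta(hours=96)
SAMPLE = [
    BreachRecord("INC-001", "controller", T0, "high_risk", "unencrypted HR export sent externally",
                 notified_at=T0 + timedelta(hours=10)),
    BreachRecord("INC-002", "controller", T0, "unlikely", "encrypted laptop lost, key not exposed"),
    BreachRecord("INC-003", "processor", T0, "risk", "misconfigured storage share"),
    BreachRecord("INC-004", "controller", T0, "risk", "", notified_at=T0 + timedelta(hours=80)),
    BreachRecord("INC-005", "controller", T0, "risk", "mis-sent customer list, recipient unknown"),
    BreachRecord("INC-006", "controller", T0, "high_risk", "credential leak", True, T0 + timedelta(hours=5)),
]

def review_all(now: datetime) -> dict:
    """Map incident id to (who to notify, findings), as a register review would."""
    return {r.incident_id: (notify_targets(r), check_record(r, now)) for r in SAMPLE}
```

Running `review_all(REVIEW_AT)` shows INC-004 flagged for both a missing rationale and an unexplained late notification, and INC-005 as overdue, while the processor record INC-003 routes to the controller only.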
Alice Muasher, Privacy Analyst