ADGM: What You Need to Know: Part 1 - ODP updates guidance under Data Protection Regulations 2021
The Abu Dhabi Global Market ('ADGM') is a broad based international financial centre, established in 2013 in the Emirate of Abu Dhabi with its own civil and commercial laws based on English common law.
Nearly six months after the enactment of the Data Protection Regulations 2021 ('the 2021 Regulations')1 within the ADGM, and teasing the release of updated guidance on the same, the newly established Office of Data Protection ('ODP') released, on 11 August 2021, eight detailed guides, accompanied by compliance tools, to aid establishments in compliance with the range of new data protection requirements (collectively 'the Data Protection Guidance 2021')2.
This Resources Page summarises what establishments need to know to comply with the 2021 Regulations as well as the ODP's new supporting guidance and resources. We are updating our internal content to reflect the additional guidance from the ODP and we will continue to update this Resources Page accordingly.
Data Protection Guidance 2021
In particular, the Data Protection Guidance 2021 consists of the following eight parts covered within dedicated guides:
- Part 1: An overview of the Regulations, including key concepts, terms, scope, principles of processing, and the lawful bases for processing personal data and special categories of personal data3;
- Part 2: Data subject rights ('DSRs') and data controller's obligations with regards to individual rights requests4;
- Part 3: Data Protection by Design and Default, the data protection fees, the record of processing activities ('ROPAs'), the requirement for a Data Protection Officer ('DPO') and processor obligations5;
- Part 4: Data Protection Impact Assessments ('DPIA')6;
- Part 5: Security of processing, the cessation of processing, and managing personal data breaches, which includes notification requirements7;
- Part 6: International transfers and mechanisms for the same8;
- Part 7: Codes of Conduct, the role of the Commissioner of Data Protection and the ODP9; and
- Part 8: Individual rights and remedies10.
Part 1: Overview
Part 1 offers an introduction to the 2021 Regulations and the Data Protection Guidance 2021 as a whole. It introduces key concepts and expands upon definitions for, among other things, personal data, when an individual can be considered as identified/identifiable, special categories of personal data, determining controllers and processors, and principles relating to processing of personal data.
The Data Protection Guidance 2021 clarifies that the 2021 Regulations are closely based on the GDPR, adapted to meet the needs of the ADGM, and that guidance released by the UK's Information Commissioner's Office and the European Data Protection Board has been taken into account (Section 1.7 of Part 1 of the Data Protection Guidance 2021).
The Data Protection Guidance 2021 is aimed at anyone within an ADGM-established entity which collects and processes personal data who has day-to-day responsibility for personal data. Although it is aimed primarily at small and medium-sized enterprises, it may also be useful for larger organisations and their legal advisors (Section 1.3 of Part 1 of the Data Protection Guidance 2021).
An establishment is any authority, body corporate, branch, representative office, institution, entity, or project which is established, registered or licensed to operate or conduct any activity within the ADGM (Section 3.6 of Part 1 of the Data Protection Guidance 2021).
Regarding extraterritorial application, businesses outside the ADGM may also have to comply with the 2021 Regulations and as such the Data Protection Guidance 2021 is useful in these cases (Section 1.3 of Part 1 of the Data Protection Guidance 2021).
Differences from the 2015 Regulations
Part 1 explains key changes introduced in the 2021 Regulations compared to the previous ADGM Data Protection Regulations 2015 ('the 2015 Regulations'), including the introduction of:
- appointment of DPOs, where necessary;
- data subject rights;
- exemptions from the requirement to comply with data subject requests in specific circumstances;
- a 72-hour data breach notification requirement to the Commissioner of the ODP;
- revised grounds for transfers of personal data to other jurisdictions;
- implementing an appropriate policy document where processing special categories of personal data, in order to embed transparency and governance around the processing activity; and
- the ability to issue fines of up to $28 million for violations of the 2021 Regulations.
Part 2: DSRs
Part 2 elaborates upon the data subject rights provided within the 2021 Regulations, namely the right to be informed, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and rights relating to automated individual decision-making including profiling. Furthermore, it clarifies the restrictions on data subjects' rights, whilst noting that restrictions must not be routinely relied upon or applied in a blanket fashion, but rather on a case-by-case basis, taking into account the detail of the restriction itself and the processing activity being carried out. Reasons for relying on an exemption must be justified and documented (Section 11 of Part 2 of the Data Protection Guidance 2021).
Part 3: Data Protection by Design and Default, Fees, ROPAs, DPOs and Processors
Part 3 of the Data Protection Guidance 2021 outlines requirements from the 2021 Regulations pertaining to respecting the principles of Data Protection by Design and Default, paying the data protection fee and renewal fee through the Registration Authority's platform, maintaining a ROPA, appointing a DPO, and engaging with processors.
It is the responsibility of the controller, under Section 23 of the 2021 Regulations, to comply with Data Protection by Design and Default, although the Data Protection Guidance 2021 adds that controllers must take specific considerations under Section 26 of the 2021 Regulations into account when choosing a processor, so that the chosen processor enables the controller to meet its obligations.
The Data Protection Guidance 2021 also provides practical examples of ways in which each concept might be implemented.
Both controllers and processors must maintain a ROPA in writing which must be made available to the Commissioner upon request. There is no prescribed format for the ROPA, except for being well structured, digestible, consistent in its use of terminology, and easily updatable. The Data Protection Guidance 2021 details the information to be included for both sides, as well as how to react where an organisation acts in some capacity as both controller and processor (Section 4 of Part 3 of the Data Protection Guidance 2021).
Part 4: DPIAs
Part 4 of the Data Protection Guidance 2021 outlines when a DPIA should occur, how to conduct it, and what should be covered therein.
Only controllers are required to perform DPIAs under the 2021 Regulations; processors, however, are required to make contractual commitments to assist under Section 34 (Section 8 of Part 1 of the Data Protection Guidance 2021).
Controllers must carry out a review to assess if processing is performed in accordance with the DPIA, including where there is a change of the risk represented by processing activities (Section 7 of Part 4 of the Data Protection Guidance 2021).
Part 5: Security of processing, cessation of processing, and personal data breaches
As a key change from the 2015 Regulations, the Data Protection Guidance 2021 highlights that organisations must notify the Commissioner of personal data breaches without undue delay, and where feasible within 72 hours of discovering the breach, unless the breach is unlikely to result in a risk to the rights of individuals. A record of a decision not to notify must be maintained (Section 4.2 of Part 5 of the Data Protection Guidance 2021).
Further information can be submitted after an initial notification if organisations do not have all the information that must be contained within a report within the first 72 hours (Section 4.3 of Part 5 of the Data Protection Guidance 2021).
In addition, Part 5 describes organisations' obligations to ensure data security, for example by implementing technical and organisational measures. Practical examples of subcategories of each are provided, such as physical security measures and IT/cybersecurity measures, among others.
Part 6: International transfers
Part 6 explains the rules regarding international transfers of personal data to a jurisdiction outside of the ADGM or to an international organisation, which are restricted under the 2021 Regulations.
Transfers are not altogether prohibited and may take place where individuals' rights are protected using some other mechanism, or where one of the exceptions applies (Section 2.1 of Part 1 of the Data Protection Guidance 2021).
Onshore UAE counts as a non-ADGM jurisdiction (Section 2.3 of Part 6 of the Data Protection Guidance 2021).
Part 6 of the Data Protection Guidance 2021 is supported by the adoption of new SCCs by the ODP11 and a list of adequate jurisdictions12.
Part 7: Codes of Conduct and the role of the Commissioner/ ODP
Part 7 introduces a new mechanism for the submission, approval and monitoring of Codes of Conduct, and details the roles of the Commissioner and the ODP, including their investigative and enforcement powers.
The ODP will register and publish ADGM codes approved by the Commissioner on its website, including the name of the code owner, code title, sector, and date and version of the code as approved (Section 2.9 of Part 7 of the Data Protection Guidance 2021).
Part 8: Individual rights and remedies
Part 8 discusses individual rights and remedies, notably how individuals can raise concerns, exercise their rights, and seek redress.
Templates and assessments
The ODP also released templates for the following documents to accompany the Data Protection Guidance 2021:
- Appropriate Policy Documents13;
- Data Protection Agreement Standard Contractual Clauses14;
- DPIAs15; and
- ROPAs16.
Assessments are 'coming soon.'
Compliance dates to remember
The Regulations provide for a 12-month transition period for current establishments to comply, and six months for new establishments, both of which commenced from 14 February 2021. Therefore, the 2021 Regulations became effective on 14 August for the latter.
HOW ONETRUST DATAGUIDANCE HELPS
OneTrust DataGuidance also provides the following resources to aid in compliance with the data protection requirements in the ADGM, among others:
- EU - Abu Dhabi Global Market: GDPR v. Data Protection Regulations 2021;
- ADGM – Data Protection Overview;
- ADGM Jurisdiction Dashboard, collating all Platform content for ADGM including legal research, Insights, News and Guidance Notes on areas such as Data Subject Rights, Data Protection Impact Assessments, Data Processing Notification and more;
- News filtered for ADGM; and
- Sayid Madar, Senior Specialist at the ADGM Office of Data Protection provides insight in ADGM: Data Protection Regulations 2021 and what they mean for businesses.
OneTrust DataGuidance™ is the industry’s most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 500 lawyers, 40 in-house legal researchers, and 14 full time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.
Amelia Williams EMEA Privacy Analyst
1. See: https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance
2. See: https://adgmen.thomsonreuters.com/rulebook/data-protection-regulations
3. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-1.pdf
4. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-2.pdf
5. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-3.pdf
6. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-4.pdf
7. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-5.pdf
8. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-6.pdf
9. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-7.pdf
10. See: https://www.adgm.com/documents/office-of-data-protection/guidance/adgm-dpr-2021-guidance-part-8.pdf
11. See: https://www.adgm.com/documents/office-of-data-protection/scc/adgm---dpr-2021-data-transfer-sccs.pdf
12. See: https://www.adgm.com/operating-in-adgm/office-of-data-protection/jurisdictions
13. See: https://www.adgm.com/documents/office-of-data-protection/templates/adgm-dpr-2021-appropriate-policy-document.pdf
14. See: https://www.adgm.com/documents/office-of-data-protection/templates/adgm-dpr-2021-article-26-sccs.pdf
15. See: https://www.adgm.com/documents/office-of-data-protection/templates/adgm-dpr-2021-data-protection-impact-assessment.pdf
16. See: https://www.adgm.com/documents/office-of-data-protection/templates/adgm-dpr-2021-record-of-processing-activity.xlsx