Cybercrime is a rampant global phenomenon, but the UAE and other Middle Eastern countries have been relatively untouched. However, recent discoveries of cyber attacks on individuals and businesses in the UAE point to an alarming pattern of increasing cyber insecurity.
UAE Federal Decree-Law No. 45 of 2021 regarding the protection of data is intended to align with global best practice data protection principles.
The Data Protection Law of Dubai has been developed to control how personal or customer information is used by organisations or government bodies. The UAE federal data protection law, which came into force on 2 January 2022, provides greater clarity on what is permissible in terms of the collection, processing, review and transfer of personal data in onshore UAE.
The data protection law requires that all organisations operating in the UAE ensure that their processing of personal data complies with the law. Organisations must also have a privacy impact assessment (PIA) for any major project involving the collection and/or processing of personal information. Such enhanced rights may create challenges in conducting internal investigations.
In the last many years, the DIFC and ADGM amended their data protection laws to bring them in line with the EU's GDPR. As the UAE continues to develop its data protection law, it also recently amended its Cybercrimes Law. This law imposes criminal liability for data protection violations where the perpetrator does not have authorised access to that personal data, such as hackers.
The United Arab Emirates has a new data protection law that requires all employers to obtain consent from employees before collecting their personal information. The law also establishes the Emirates Data Office (EDO), an onshore data privacy regulator. The EDO will investigate data breaches, including alleged employer breaches through security measures, and establish mechanisms for complaints and appeals.
The new federal data protection law prohibits the collection, processing, review and transfer of personal data to jurisdictions lacking adequate data protection legislation. For example, consent is not required where the personal data is: publically available, required to comply with legal obligations or protect the public interest, or necessary for an employer to perform obligations or for an employee to exercise their rights.
Cybersecurity has quickly become a severe issue in the Middle East, and UAE's recent Data Protection Law is indicative of the growing threat. If a severe data breach occurs in your organisation, you could suffer significant financial losses, damage to your reputation, or both. Ensure that you are taking appropriate steps to prevent a cyber attack in the first place. Even better? Get expert help from Cyber Security experts familiar with cybersecurity best practices and able to devise an effective plan for your specific needs.