Security and Breach Reporting
Security and Personal Data (PD) Breach Reporting is a critical part of the DIFC Data Protection Law 2020 (DP Law 2020) and many data protection laws like it around the world. Making an honest, objective assessment of a breach, whether to report it and then, where necessary, reporting it are all valuable parts of the risk evaluation process of a company. It also shows transparency and willingness of an organisation to do the right thing by self-reporting to any relevant regulators and even to individuals, if needed.
PLEASE NOTE: To report strictly IT-related security breaches, please refer to the Information Security page of the DIFC website and use the tool available there to report. You may be required to report a Personal Data breach as well as an IT / IS breach. Please determine the requirements accordingly.
Should I Notify the Commissioner of a Personal Data or Security Breach?
The DP Law 2020 Article 41 / 42 Personal Data Breach Self-Assessment is for organisations and businesses to determine whether perceived PD or security breaches are notifiable and report them to us.
If your organisation has possibly suffered a PD or security breach that is likely to cause anyone serious harm, you are legally required to notify us and may also be required to notify affected individuals without undue delay.
If you have already determined that a PD or security breach at your organisation is notifiable, or wish to notify us in any case, please complete the Breach Reporting Form below.
Here is a checklist of what information is required.
Notify a PD or Security Breach
Reporting a PD or security breach is an important part of accountability and transparency, and in certain instances, it is a requirement under the DP Law 2020, Articles 41 and 42. If you have determined that your organisation has suffered such a breach that is reportable to the DIFC Commissioner of Data Protection, please do so using this form. Note that it will be submitted to the DIFC Portal for notification to the Commissioner through case management.
If you determine that you are required under Article 42 to notify an individual data subject whose PD is involved in the breach, please do so separately as this form will not be shared with or reported to them by the Commissioner's Office.
Breach Reporting Form
If you need to update a privacy breach report you previously submitted to us, you can:
Email your update to: email@example.com
Or access your previous service request in the DIFC Client Portal.
All data shared in the notification will be managed confidentially, and in accordance with the DIFC DP Law 2020 and the DIFC Online Data Protection Policy.