Guidance

Comprehensive Data Protection Guidance & Assessment Tools

Guidance and Handbooks

The guidance documents and tools on this page provide important insights into the interpretation of the DIFC DP Law 2020. Please note that some guidance documents or handbooks may be repeated under certain headings as they cover elements of several important data protection concepts.

Also, please note that the Commissioner's guidance and handbooks are not meant to express an opinion on lawfulness of specific business activities, nor do they have the force of law, and are not intended to constitute legal advice. Please contact legal counsel for assistance in determining your business's data protection and privacy requirements in respect of the topics addressed below, to ensure compliance with the applicable laws and regulations. The Commissioner does not make any warranty or assume any legal liability for the accuracy or completeness of the information herein as it may apply to the particular circumstances of an individual or a firm. For information about interpreting the guidance or the DP Law 2020 and Regulations, please contact commissioner@dp.difc.ae. If you have questions about the DIFC Portal, i.e., submitting forms regarding inspections or notifications, please contact the DIFC Services Help Desk.


General Requirements for DP Law 2020

  • Comprehensive Guide to Data Protection Law, DIFC Law No. 5 of 2020 and DP Regulations
  • Overview of DIFC Data Protection Regime
  • Webinar: Introduction to DIFC DP Law 2020
  • Webinar: FAQs


Lawful Processing

  • Consent
  • Processing Personal Data Through Autonomous & Semi-Autonomous Systems (Reg 10)
  • Regulation 10 FAQs - DIFC AI Regulations

Accountability & Notifications

  • Comprehensive Guide to Notification of Processing Operations
  • Step by Step Portal Guide to Notifying the DIFC DP Commissioner of Processing Operations
  • Step by Step Portal Guide to DP Inspections
  • Sample DIFC Record of Processing Activities
  • Webinar: Accountability, Supervision and Enforcement
  • Webinar: Applicability and Notifications

Data Protection Officers

  • High Risk Processing & DPO Appointments
  • Webinar: DPO Appointments


Risk Assessments (DPIAs, DPO Annual Assessment)

  • Data Processing Impact Assessments with "DPIA Required" List
  • Sample Compliance Checklist and DPIA
  • DPO Annual Assessment - Checklist & FAQs
  • Sample DPO Annual Assessment and Risk Matrix - 2023


Obligations of Controllers & Processors

  • Controller & Processor Agreements
  • Article 24 Contract Clauses & DIFC Abbreviated SCCs
  • Retention & Storage of Personal Data

Data Export & Sharing

  • DIFC Data Export & Sharing Handbook
  • Guidance on Article 28 of DIFC DP Law 2020
  • DIFC DP Law 2020 - Article 28 FAQs
  • ** UPDATED: DIFC EDMRI Guidance - December 2023
  • DIFC EDMRI FAQs
  • Webinar: Data Export and Sharing
  • DIFC A 27 SCCs - DIFC Exporter transferring to Non-DIFC Importer
  • DIFC Abbreviated SCCs - 2023


Information Provision & Rights of Individuals

  • Individuals’ Rights to Access and Control Personal Data Processing
  • Individual Rights & Remedies Checklist
  • Complaints & Mediation Processes
  • Direct Marketing & Electronic Communications


Personal Data Breaches

  • Notifying the Commissioner of a Personal Data Breach
  • Webinar: Personal Data Breaches

Remedies, Liability and Sanctions

  • Commissioner's Powers, Fines & Sanctions
  • Individual Rights & Remedies Checklist
  • Complaints & Mediation Processes


Data Protection Tuesday Talks

  • DIFC DP Talks #1: Overview and DP Website
  • DIFC DP Talks #2: Amendments and Consultation
  • DIFC DP Talks #3: Notifications
  • DIFC DP Talks #4: Inspections
  • DIFC DP Talks #5: DPO Annual Assessment
  • DIFC DP Talks #6: Article 28
  • DIFC DP Talks #7: Supervision & Enforcement
  • DIFC DP Talks #8: Benefits of a DPMP
  • DIFC DP Talks #9: Localisation and CLOUD Act
  • DIFC DP Talks #10: AI Regulation
  • DIFC DP Talks #11: Q1 2023 Review & Catch Up
  • DIFC DP Talks #12: EU Enforcement & Impact on DIFC-based Controllers and Processors
  • DIFC DP Talks #13: China PIPL and SCCs
  • DIFC DP Talks #14: KSA PDPL and Regulations
  • DIFC DP Talks #15: Regulation 10 (AI)
  • DIFC DP Talks #16: Colombia Adequacy
  • DIFC DP Talks #17: Year in Review 2023
  • DIFC DP Talks #18: Regulation 9 (Marketing)


External Guidance, Policies & Other Presentations

  • Covid 19 Data Collection FAQs
  • DIFC Privacy Day 2022 - Jan 25 Webinar on UAE DP Law
  • DIFC Privacy Day 2022 - Jan 27 Webinar on DIFC Data Export and Sharing
  • Webinar: Continuous Improvement and Compliance 2022
  • OECD Privacy Site with Link to Guidelines
  • OECD Declaration on Government Access to Personal Data Held by Private Sector Entities
  • OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity


Data Protection Assessment Tools

Please note that these assessment tools are not meant to express an opinion on lawfulness of specific business activities, the outcomes provided do not have the force of law, and they are not intended to constitute legal advice. Please contact legal counsel for assistance in determining your business's data protection and privacy requirements in respect of the topics addressed below, to ensure compliance with the applicable laws and regulations. The Commissioner does not make any warranty or assume any legal liability for the accuracy or completeness of the information herein as it may apply to the particular circumstances of an individual or a firm.

DP Assessment Tool – Applicability (Article 6)

Conduct assessment

DP Assessment Tool – Notifications to the Commissioner of Processing Operations (Article 14(7))

Conduct assessment

DP Assessment Tool - High Risk Processing (Article 16)

Conduct assessment

DP Assessment Tool – Data Protection Officers (Articles 16 to 19)

Conduct assessment

DP Assessment Tool – Data Protection Impact Assessments (Article 20)

Conduct assessment

DP Assessment Tool - Controller and Processor Obligations (Articles 23 to 25)

Conduct assessment

DP Assessment Tool – Data Export / International Transfers (Articles 26 & 27)

Conduct assessment

DP Assessment Tool - EDMRI+ Due Diligence Assessment (Articles 26 & 27)

Conduct assessment

DP Assessment Tool - Government Data Sharing (Article 28)

Conduct assessment

DP Assessment Tool - Privacy Notices (Articles 29 & 30)

Conduct assessment

DP Assessment Tool - Rights Request Response Assessment (Articles 32 to 40)

Conduct assessment

DP Assessment Tool – Personal Data Breach Reporting Obligations (Articles 41 & 42)

Conduct assessment

DP Assessment Tool - Marketing and Electronic Communications

Conduct assessment