Supervision & Enforcement
Supervision
Each year the Commissioner's Office undertakes supervisory actions, including inspections. Now through an automated process via the DIFC Client Portal, the inspection methodology, risk assessment and reporting process reaches at least 100 entities per year.
Inspection statistics will be posted on a regular basis, to help you see not only what kind of information is required in reporting but also how to assess the risks arising from any non-compliance issues.
Statistics regarding investigations (on-going and completed) are also important for understanding how complaints intake, mediation, review and determination work, the timelines involved, and what the Commissioner's Office's fact finding process looks like. Please see information about the complaints and mediation process in FAQs and Guidance.
Finally, Presidential Directives are a form of supervision that DIFC Controllers and Processors must take note of. Apart from guidance, Presidential Directives set out specific requirements under DIFC laws. Please refer to this section of the Supervision & Enforcement page for the latest applicable Directives.
-- INSPECTIONS
Total Inspections in 2023 (end Q2): 54
- Completed: 24
Compliant: 20
Minor Non-compliance: 4
Major Non-compliance / Fines: 0
- Ready for Review / Reporting:
- Initial Inspection Notice Issued: 14
-- INVESTIGATIONS
Total Investigations in 2023 (end Q2): 1
Status - pending further feedback
Total Complaints in 2023 (end Q2): 4
- Regarding DIFC-based entities: 3
- Regarding non-DIFC entities: 1
Total Breach Reports in 2023 (end Q2): 4
- Regarding DIFC-based entities: 4
- Regarding non-DIFC entities: 0
-- DIRECTIVES
Presidential Directives related to Data Protection in 2022: 1
Directive No. 4 of 2022, the Public Authority Personal Data Sharing Directive
The Public Authority Personal Data Sharing Directive, No 4 of 2022, primarily deals with the applicability of the Data Protection Law, DIFC Law No 5 of 2020 (the DP Law 2020), to data sharing protected by the safeguards enumerated in Article 28. Government authorities and law enforcement may, of course, request personal data from a DIFC entity. Article 28 imposes safeguards for ensuring that personal data shared with the Requesting Authority is processed in accordance with the DP Law 2020, whether through written and binding assurances from the Requesting Authority, through the sharing entity's own risk assessment, or both. For more information about the applicability and importance of compliance with Article 28, please review the guidance and FAQs available on the Data Export & Sharing page of the DP website.
-- Thematic Assessment Reports
Reports Related to Implementation of DIFC DP Law 2020: 1
Data Protection Report No. 1 of 2023 on a Thematic Assessment of Article 28 was prepared to better understand the origin, types and reasons for government authority data sharing requests made to DIFC-based entities. It also explores how DIFC-based entities are implementing Article 28, and sets out recommendations to the Commissioner's Office to further support, supervise and monitor such implementation.
Enforcement
Enforcement, including remedial actions, directions, decision notices and fines, is a necessary part of data protection law regulation.
Decision notices are issued by the Commissioner usually when a complaint has been made and investigated, and a conclusion drawn about contravention or no contravention of the DIFC DP Law, in accordance with the Commissioner's powers and functions set out in Part 8 of the DIFC DP Law 2020 and Part 9 addressing Remedies, Liability and Sanctions. Decision notices will be provided below.
-- DECISION NOTICES
-- FINES
Total number of Fines issued in 2023 (end Q2): pending update
Total number of Fines issued in 2022 (end Q4): 41
- Failure to notify: 1
- Failure to renew notification: 37
- Other fines: 3
Total number of Fines issued in 2021: 146
- Failure to notify: 95
- Failure to renew notification: 51
- Other fines: 0
Analysis
Apart from the "notification renewal" fines, the fines statistics above may have resulted from investigations of complaints or findings of non-compliance through inspection or thematic assessment.
Regarding new notifications or incorrect existing notifications, the difference between 2021 and 2022, for example, is likely the result of two thematic assessments issued in mid-2021. The assessments had the same purpose, i.e., to clarify why the DIFC entity had notified that it does not process Personal Data (PD). The thematic review questions were sent to 1) retail entities and 2) fintech entities that had notified that they do not process PD.
The responses led to supervisory action including outreach and in-person discussions about DP compliance obligations, as well as fines for non-compliance in certain cases where the entity was directed to notify that it does process PD but did not do so. The Commissioner's Office undertook extensive remedial action to refine its processes and to ensure that DIFC entities are clearer about notification requirements under Article 14(7). As such, the notifications process was revised to automatically reduce the number of invalid submissions by asking only 2 simple questions up front and requiring validation where account information indicated that the submission might be incorrect. In addition, since the DP Law 2020 was enacted, more frequent general outreach sessions, publication of specific guidance, and simple, clear assessment tools have contributed to a better understanding of the notification requirement.
Consequently, the number of submissions by entities stating (in many cases, incorrectly) that they do not process PD in the first instance has dropped significantly, from 220 out of 735 newly formed entities in 2020, to 195 out of 996 newly formed entities in 2021, and then down to 90 out of 806 newly formed entities so far in 2022. There have been only 36 notifications of not processing PD out of since the revised notification process went live in April 2022. This shows that DIFC entities now have a better overall understanding of the notification requirement and are on the path to creating a positive data processing and compliance culture. Further to that, the number of fines for invalid notifications has also dropped, as set out above.