What Companies Need to Know About the ADGM Data Protection Regulation
In February this year, the Abu Dhabi Global Markets (ADGM) passed the Data Protection Regulation (DPR2021), which bears a striking resemblance to the EU GDPR, and the U.K. GDPR specifically. The former legislation, dating back to 2015, was based on the Organization for Economic Co-Operation and Development (OECD) guidance, which was significantly different from GDPR’s standards. What this means is that for companies operating in the ADGM, major regulatory changes are afoot.
Companies already established in the region will have 12 months to become compliant with the new law, while new companies will have only six months. Considering that EU GDPR provided two years to prepare, and many companies still struggled to operationalise all the requirements on time, six to 12 months will be a difficult deadline to meet. Companies will need to prioritise the changes necessary for compliance with the new law and follow a clear, actionable plan.
What does this mean for companies based in the ADGM, or planning on setting up in the ADGM?
Several key factors that were not included in the ADGM’s previous data privacy requirements stand out in the new law. These include:
Accountability and governance
A major area of focus is the introduction of accountability and governance, particularly for data controllers, which were notably absent from the previous law. Data controllers will now be asked to prove that they have appropriate controls in place across the organisation to demonstrate that data privacy is taken seriously. This includes a mandate to appoint a Data Privacy Officer (DPO), which may be an employee or an outsourced expert.