
With technological growth and the incredible proliferation of data, the incidence of data breaches has also been rising. Confidential information has never been so vulnerable to exploitation by bad actors. The threat of a data breach violates the fundamental right to privacy of individuals, and hence global organisations such as the OECD have played a very important role in developing policies for the protection of personal data. Shomayle Ahmed Faruqi, Director of Cyber Security and IT Advisory at AKW Consultants, says: “In the interconnected world in which we live, protecting personal data isn’t just a matter of personal concern; it’s a global imperative.”

The Data Protection Law of the Dubai International Financial Centre (DIFC) regulates the processing of personal data by entities within its purview, including healthcare companies. Personal data, in the context of the law, is any information that specifically identifies an individual and can include an individual's biometric data, photographs, and even IP addresses. The legislation, among other things, prescribes rules and obligations regarding the collection, handling, and processing of data.


The DIFC Data Protection Law, which came into effect on 1 July 2020, plays an important role in preserving the trust between patients and healthcare companies. It is also rigorous and maintains a high standard when it comes to regulating personal data. Faruqi highlights, “Non-compliance with these regulations can lead to hefty fines,” underscoring the vital importance of adherence to the law. Schedule 2 of the DIFC Data Protection Law sets out specific administrative fines for failure to comply with specific articles of the law. Non-compliance in lawful processing, obtaining consent, and maintaining accountability can lead to damaging fines for healthcare companies. The fines can range from US $10,000 to US $100,000 depending upon which particular article has been breached.

In the context of this law, one of the most important requirements for healthcare companies under the DIFC’s jurisdiction is to register with the DIFC Commissioner. Article 14(7) specifies that a “Controller or Processor shall register with the Commissioner by filing a notification of Processing Operations”. Failing to register with the Commissioner in accordance with Article 14(7) can lead to a fine of up to US $25,000. Faruqi says, “At AKW Consultants we recognise the challenges healthcare companies face in these areas. That’s why we assist companies with the registration process. It involves filling in applications that require technical knowledge and that are usually completed by the appointed virtual or on-site Data Protection Officer.”

The DIFC’s Data Protection Law reflects a broad commitment by the regulatory authorities to privacy and security in a digital age. The law is consistent with EU and UK data protection laws and with OECD guidelines. Healthcare providers, like other companies under the jurisdiction of this law, need to adhere to the principles of confidentiality embedded in the law. By adhering to the standards, healthcare companies also uphold the importance of building a culture of trust and integrity in a data-rich digital ecosystem.