In order to properly apply safeguards for international transfers and to generally comply with the DP Law 2020, or most data protection laws globally, a Controller or Processor should undertake risk assessments. Doing so will help to truly understand the business and privacy culture of the organizations involved in any data sharing arrangements. Risk assessments for international transfers should not be based only on the DP law in a jurisdiction, but ideally should also be undertaken to best understand the environment to which you are sending Personal Data, so that it is treated with as much care and safety as at “home”.
The same should apply to data protection authorities.
Binary regulatory decisions, recommendations, and guidance that amount to a business making determinations like “use standard contractual clauses or don’t”, or “adequate or not adequate”, for sending Personal Data to a third country are too basic, even where the receiving countries or jurisdictions have a data protection law in place. To be fair, while there are quite a number of considerations in applying those safeguards, the end result is the same, in that it is rather black and white. Risk assessment mandates much more than that. For example, certain elements within a jurisdiction may reinforce privacy principles, while others leave Personal Data vulnerable to loss or misuse – again, even where a data protection regime is considered to be fully functioning.
These concepts are carried through to the DIFC DP Commissioner’s approach to Data Export and Sharing. The goal is for DIFC to be a jurisdiction affording compatibility and flexibility, but with robust controls in place, to assure business can go on in as compliant a manner as possible but with room to allow it to grow. This is one of many thematic reviews that the Commissioner’s Office is conducting to deepen the core value offering to its clients, especially in the X-tech / emerging tech and innovation space.
To this end, the Ethical Data Management Risk Index (the Index) and its methodology is a tool created by the DIFC Commissioner’s office to assess jurisdictions for holistic risk, including equivalence of the data protection law (if there is one) but also including all those other elements that may make up for the lack of a data protection law. The results form an index with explanations of the types of risks to Personal Data in jurisdictions outside of the DIFC and potential additional mitigation options. Moreover, the most forward-thinking aspect of this tool is that it considers risks in jurisdictions already assessed as, or attributed with, “adequate” data protection laws and environments. It may even in some cases challenge these generally accepted and often untested “norms”. A key principle found in the DIFC Data Export and Sharing Handbook sums it up best:
A DIFC (or any) entity has every right to insist on additional safeguards if it so wishes in accordance with the guidance provided in the Commissioner’s Ethical Data Management Risk Index or based on its own risk assessment and analysis, and regardless of whether the Third Country or International Organisation is deemed adequate (by any supervisory authority!).
As such, additional requirements for transfer or technical and organisational measures should be included in the relevant documentation about the chosen safeguard(s) that support the transfer, in whatever form. Always document and re-review compliance controls that are in place, and always leave room to question when and how to apply extra measures to safeguard data, regardless of what accepted norms may be.
This is a tool only for regulators at the moment. Please note that this is a prototype, and research on each country in the index is ongoing. The methodology for assessing risk using this tool is set out in Appendix 2 of the Data Export and Sharing Handbook. The Index was developed in December 2020, and is the intellectual property of the Dubai International Financial Centre Authority.
Personal data, if any, that is collected as a result of completing this assessment will be handled in accordance with the DIFC Online Data Protection Policy.