Country Risk Rating Assessment for Data Protection

In order to properly apply safeguards for international transfers and to generally comply with the DP Law 2020, or most data protection laws globally, a Controller or Processor should undertake risk assessments.  Doing so will help to truly understand the business and privacy culture of the organizations involved in any data sharing arrangements. Risk assessments for international transfers should not be based only on the DP law in a jurisdiction, but ideally should also be undertaken to best understand the environment to which you are sending Personal Data, so that it is treated with as much care and safety as at “home”. The same should apply to data protection authorities. 

Binary regulatory decisions, recommendations, and guidance that amount to a business making determinations like “use standard contractual clauses or don’t”, or “adequate and not adequate”, for sending Personal Data to a third country are too basic, even where the receiving countries or jurisdictions have a data protection law in place.  To be fair, while there are quite a number of considerations in applying those safeguards, the end result is the same, in that it is rather black and white.  Risk assessment mandates much more than that.  For example, certain elements within a jurisdiction may reinforce privacy principles, while others leave Personal Data vulnerable to loss or misuse – again, even where a data protection regime is considered to be fully functioning.

These concepts are carried through to the DIFC DP Commissioner’s approach to Data Export and Sharing.  The goal is for DIFC to be a jurisdiction affording compatibility and flexibility, but with robust controls in place, to assure business can go on in as compliant a manner as possible but with room to allow it to grow.  This is one of many thematic reviews that the Commissioner’s Office is conducting to deepen the core value offering to its clients, especially in the X-tech / emerging tech and innovation space. 

To this end, the Ethical Data Management Risk Index (the Index) and methodology is a tool created by the DIFC Commissioner’s office to assess jurisdictions for holistic risk, including equivalence of the data protection law (if there is one) but also including all those other elements that perhaps make up for lack of a data protection law.  The results form an index with explanations about the types of risks to Personal Data in jurisdictions outside of the DIFC and potential, additional mitigation options. Moreover, the most forward-thinking aspect of this tool is that it considers risks in jurisdictions already assessed or attributed with “adequate” data protection laws and environment.  It may even in some cases challenge these generally accepted and often untested “norms”.  A key principle found in the DIFC Data Export and Sharing Handbook sums it up best:

A DIFC (or any) entity has every right to insist on additional safeguards if it so wishes in accordance with the guidance provided in the Commissioner’s Ethical Data Management Risk Index or based on its own risk assessment and analysis, and regardless of whether the Third Country or International Organisation is deemed adequate (by any supervisory authority!).

As such, additional requirements for transfer or technical and organisational measures should be included in the relevant documentation about the chosen safeguard(s) that support the transfer, in whatever form.  Always document and re-review compliance controls that are in place, and always leave room to question when and how to apply extra measures to safeguard data, regardless of what accepted norms may be.

This is a tool only for regulators at the moment.  Please note that this is a prototype, and research on each country in the index is on-going.  The methodology for assessing risk using this tool is set out in Appendix 2 of the Data Export and Sharing Handbook.  The Index was developed in December 2020, and is the intellectual property of the Dubai International Financial Centre Authority.
2. Data Protection Law: *This question is required.
3. TI rating from DIFC AML Country List: *This question is required.
4. Non-privacy Laws with DP Elements? Please select all that apply:  *This question is required.
5. Independent regulator managing any privacy / security related aspects, enforcement: *This question is required.
6. Is security breach reporting to a Regulator (or other legal authorities) mandatory? *This question is required.
7. Is security breach reporting to individual data subjects mandatory? *This question is required.
8. Does the country have a separate cybersecurity regulator? *This question is required.
9. Are there any registration or licensing requirements for entities covered by these laws? *This question is required.
10. Are there specific requirements for processing sensitive / special category / criminal history data? *This question is required.
11. Are there any categories of personal data that are prohibited from collection or to which the DP Law does not apply? *This question is required.
12. Do the laws in the country require or recommend conducting risk assessments regarding data processing activities? *This question is required.
13. Adequacy recognition from another jurisdiction: *This question is required.
14. Right to privacy / general data protection principles in the data protection law or other laws? *This question is required.
Please select all principles that apply to Processing of Personal Data in this jurisdiction: *This question is required.
15. Access by law enforcement: *This question is required.
16. Surveillance / investigatory powers balanced with necessity and proportionality: *This question is required.
17. Access by government departments, agencies, international organizations? *This question is required.
18. Individual privacy rights such as access, restriction, erasure, evidenced in existing laws / policies? *This question is required.
19. Restrictions, limitations or exemptions that would impact / prevent individual privacy rights being protected / exercised? *This question is required.
20. Article 28 controls legislated by law or in country policy? *This question is required.
21. Judicial system / redress available for privacy violations: *This question is required.
22. Cybersecurity laws / national policies in place? *This question is required.
23. e-Privacy / direct marketing and digital footprint / tracking laws? *This question is required.
24. How much outreach and guidance is available from the DPA in this country?
26. Is personal privacy generally respected by individuals in this country?
27. Are there criminal or monetary penalties for misuse of personal information under any existing laws?
28. Does the DP law of this country include accountability and transparency requirements?
29. Does the DP law of this country require the appointment of a DPO or similar (compliance officer, MLRO)
30. Does the DP law of this country have extra-territorial applicability through any means?
Please provide the means by which it has such applicability:
31. Are there industry-specific codes of conduct that include data protection principles in this country?
33. Are international transfers of Personal Data permitted?
Please select the applicable answer: