In order to properly apply safeguards for international transfers and to generally comply with the
DP Law 2020, or most data protection laws globally, a Controller or Processor should undertake risk assessments. Doing so will help to truly understand the business and privacy culture of the organizations involved in any data sharing arrangements. Risk assessments for international transfers should not be based only on the DP law in a jurisdiction, but ideally should also be undertaken to best understand the environment to which you are sending Personal Data, so that it is treated with as much care and safety as at “home”.
At the same time, the goal is for DIFC to be a jurisdiction affording compatibility and flexibility, but with robust controls in place, to assure business can go on in as compliant a manner as possible but with room to allow it to grow.
To this end, the Ethical Data Management Risk Index+ (EDMRI+) and methodology was created by the DIFC Commissioner’s Office to assess the compliance risk of the business in a jurisdiction holistically, including compliance with the applicable data protection law (if there is one) but also including all those other elements that perhaps make up for lack of a data protection law.
Moreover, by completing the EDMRI+ Due Diligence Risk Assessment, you can evaluate and document what data protection risks exist in the importing organisation, even if it sits in a jurisdiction or jurisdictions already deemed to have “adequate” data protection laws and environment. This is important because even with adequacy or other transfer control mechanisms in place for your data sharing activities, you should seek to understand whether the businesses your company engages with are fostering privacy in its own organisation. A key principle found in the DIFC
Data Export and Sharing Handbook sums it up best:
A DIFC (or any) entity has every right to insist on additional safeguards if it so wishes in accordance with the guidance provided in the Commissioner’s Ethical Data Management Risk Index or based on its own risk assessment and analysis, and regardless of whether the Third Country or International Organisation is deemed adequate (by any supervisory authority!).
As such, additional requirements for transfer or technical and organisational measures should be included in the relevant documentation about the chosen safeguard(s) that support the transfer, in whatever form. Always document and re-review compliance controls that are in place, and always leave room to question when and how to apply extra measures to safeguard data, regardless of what accepted norms may be.
If your business exports (or transfers) personal data to another processor or controller in a high risk and very high risk jurisdiction, the Commissioner's Office urges you to complete the EDMRI+ Due Diligence Risk Assessment, but at this time it is not mandatory. Please refer to the EDMRI Guidance to view the risk rating and explanations for each country evaluated so far, as published by the commissioners office.
The detailed methodology for the EDMR Index is set out in Appendix 2 of the
Data Export and Sharing Handbook.
The Index was developed in December 2020, and is the intellectual property of the Dubai International Financial Centre Authority.
For further assistance, please review the Commissioner’s comprehensive
Guidance on DP Law 2020 as well as specific
Data Export and Sharing Handbook. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office. Personal data, if any, that is collected as a result of completing this assessment will be handled in accordance with the
DIFC Online Data Protection Policy.