Example Compliance Checklist and DPIA

Uploaded by Fizza Shafiq

1. Brief description of your business, the number of staff (divided as to partners, professional and support staff)

2. Please provide a copy / copies of your business's data protection / privacy (DP) policies and procedures, including access to any online policies, internal employee policies, security policies, etc (if any)

3. Please provide a brief indication of any data protection / privacy related working activities, including an indication of how many hours/month that you spend on DP related activities (if any)

4. Please provide an explanation of the initial, annual and any on-going DP training / updates given to employees, and a copy of such training material (if any)

5. Any other background material you consider would be appropriate?
How will you collect, use, store and delete data? What policies do you have in place governing personal data processing activities?

Will you be sharing data with any internal or external third parties?

What is the source of the data?

Refer to a flow diagram or another way of describing data flows with regard to processing (IT systems, security measures, etc).

What types of processing identified as likely high risk are involved?

What is the nature of the data, and does it include special category or criminal offence data?

How much data will you be collecting and using?

How long will you keep it?

Please describe how personal data, including special category data, is processed or managed from an IT perspective, as well as in terms of contractual arrangements to cover any controls and safeguards.

How many individuals are affected by the processing being undertaken (estimated - large quantity? Exact numbers are best but at least a general idea should be provided, if possible)?

What geographical area does it cover? Please state whether personal data is transferred to or from a country or territory outside the DIFC (please specify what country or territory) and any safeguards in place to manage this processing.

What is the nature of your relationship with the individuals whose personal data is being collected and processed?

How much control will the data subjects have in how your business processes their data?

For what purpose(s) will you use or process the personal data? Would they expect you to use their data in this way / have they been notified?

Do the individual types include children or other vulnerable groups?

Are there prior concerns over this type of processing or security flaws? Please describe any security measures in place.

Is the processing or data novel in any way?

What is your business's current state of technology used in this area (biometric identification - i.e., fingerprints, AI, blockchain, cloud servers, etc)?

Are there any current issues of public concern that you should factor in with respect to the processing?

Are you committed to any approved code of conduct or certification scheme (once any have been approved)?

What do you want to achieve by processing this personal data?

What is the intended effect on individuals?

What are the benefits of the processing for you, and more broadly?

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals' views – or justify why it's not appropriate to do so. Who else do you need to involve within your organisation?

Have you asked or do you need to ask your processors to assist?

Have you or do you plan to consult information security experts, or any other experts?

What is your lawful basis for processing? Does the processing actually achieve the intended purpose?

Is there another way to achieve the same outcome?

How will you prevent function creep?

How will you ensure data quality and data minimisation of the data transferred to your business?

What information will be given to individuals about the collection and processing, i.e., privacy notices?

How will you help to support data subjects' rights? What policies and procedures do you have in place to address data subject access requests as provided for under Articles 32 to 40 of the DP Law No 5 of 2020?

Please state whether any functions are outsourced in relation to any of the personal data, i.e., processors and sub-processors. If so, please provide details. What measures do you take to ensure any internal or external processors comply?

Please specify the purposes for making transfers of personal data abroad.
1. Identify the need for a DPIA
Explain broadly what the entity aims to achieve and what type of processing it conducts. You may find it helpful to refer to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

Please refer to DP Law 2020 for your answers.

https://www.difc.ae/files/6115/9358/6486/Data_Protection_Law_DIFC_Law_No.5_of_2020.pdf

2. Describe the processing

a. Describe the nature of the processing:

b. Describe the scope of the processing:

c. Describe the context of the processing:

d. Describe the purposes of the processing:

3. Consultation process

4. Assess necessity and proportionality

5. Identify and assess risks
Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Table columns: Risk description | Likelihood of harm | Severity of harm | Overall risk

6. Identify measures to reduce risk

Table columns: Risk | Options to reduce or eliminate risk | Effect on risk | Residual risk | Measure approved

COMPLIANCE CHECKLIST

Part 2A - Lawfulness of processing and principles
Article 9
Article 10

Part 2D - Accountability / General Requirements
Article 14
6
7
Article 15
Article 16
1
Articles 17 to 19
Article 20
Article 22
Articles 23, 24 and 25

Part 4: International Data Transfers
Article 26
Article 27

Part 5: Information Sharing
Articles 29 and 30

Part 6: Data Subjects Rights
Articles 32 to 40

Part 7: Personal Data Breach Response
Articles 41 and 42
COMPLIANCE CHECKLIST FOR DATA PROTECTION LAW 2020

Ensure your business adopts data protection principles

Documented legal justification for data protection activities

Requirement
Compliance program: based on data being processed, scale of processing, type

Technical and organizational measures: security, IT, training, comms, reporting, risk assessment

Privacy by design / default: privacy is built in from the outset to all new processes and procedures

Default online preferences: Where a Controller is offering online services through a platform, the default privacy preferences of the platform shall be set such that no more than the minimum Personal Data necessary to deliver or receive the relevant services is obtained or collected. Data Subject should be prompted to actively select his privacy preferences on first use and able to easily change such preferences.

Written data protection policy

Codes of Conduct / Certification schemes (TBD - N/A for now)

Notification to Commissioner of Data Protection renewed on annual basis

Requirement
Maintain a written record, which may be in electronic form, of Processing activities under its responsibility, which shall contain at least the following information:
(a) name and contact details of the Controller, its appointed DPO, where applicable, and Joint Controller, if any;
(b) the purpose(s) of the Processing;
(c) a description of the categories of Data Subjects;
(d) a description of the categories of Personal Data;
(e) categories of recipients to whom the Personal Data has been or will be disclosed, including recipients in Third Countries and International Organisations;
(f) where applicable, the identification of the Third Country or International Organisation that the Personal Data has or will be transferred to and, in the case of transfers under Article 27, the documentation of suitable safeguards;
(g) where possible, the time limits for erasure of the different categories of Personal Data; and
(h) where possible, a general description of the technical and organisational security measures referred to in Article 14(2).

Requirement
Appoint a DPO if required

If not required, appoint a person responsible for DP compliance / communications with Commissioner's Office

Review tasks, roles, and assessment requirements of DPO and list in privacy policy if needed, or state that DPO will have skills and perform tasks and assessments in accordance with Articles 17 to 19. ANNUAL ASSESSMENT REQUIRED IF DPO APPOINTED FOR HRP ENTITIES

Suggest setting out procedures for such compliance if this approach is taken

DPO / entity to regularly conduct Data protection impact assessments when necessary, i.e., HRP (required); or at the start of a new project / updating existing operations (best practice)

Where the basis for processing under Article 10 changes for any reason, processes are in place for ensuring one of the following actions is taken with respect to the Personal Data:
(a) securely and permanently deleted;
(b) anonymised so that the data is no longer Personal Data and no Data Subject can be identified from the data including where the data is lost, damaged or accidentally released;
(c) pseudonymised;
(d) securely encrypted; or

Where a Controller is unable to ensure that Personal Data is securely and permanently deleted, anonymised, pseudonymised or securely encrypted, the Personal Data must be archived in a manner that ensures the data is put beyond further use (in accordance with Article 22(3) and accounting for Article 22(4)).

Requirement
Sign appropriate written data processing agreements between your organization and any 3rd parties

Ensure any privacy policies include a requirement that processing done in your organization is done confidentially and only under specific instructions.

Requirement
Determine where and whether personal data is transferred for processing outside of the DIFC. If adequate jurisdiction, no further action is required but update notification to Commissioner.

Requirement
Determine where and whether personal data is transferred for processing outside of the DIFC. If not an adequate jurisdiction, ensure one of the requirements in Article 27(1)(a to c) is met. Also update notification to Commissioner.

Requirement
Privacy notices (i.e., online privacy policy telling data subjects what you're doing with the PD collected)

Requirement
Written policies that provide for data subjects' rights contained in relevant articles

Requirement
Written policy and / or incident management procedure that provides for steps to take when a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed occurs (aka a Personal Data Breach) that accounts for:
-- notification of DP Commissioner
-- where required, notification of data subject
References
internal privacy policy

References
internal privacy policy

References
internal privacy policy
online privacy policy / notification
procedures
internal privacy policy
online privacy policy / notification
security policy
training and communications (internal)
procedures
internal privacy policy
procedures
procedures
internal privacy policy
online privacy policy / notification
N/A (for now)
procedures

References
procedures
ROPA template (spreadsheet or other database)

References
internal privacy policy
online privacy policy / notification
procedures
internal privacy policy
procedures
internal privacy policy
procedures
internal privacy policy
procedures
internal privacy policy
procedures

References
contracts / agreements
internal privacy policy
procedures

References
internal privacy policy
online privacy policy / notification
notification to Commissioner
record of processing activities
contracts / agreements
https://www.difc.ae/business/operating/data-protection/adequate-data-protection-regimes/

References
internal privacy policy
online privacy policy / notification
notification to Commissioner
records of processing activities
contracts / agreements

References
internal privacy policy (article 31(3))
online privacy policy / notification
procedures
sample: https://www.difc.ae/online-data-protection-policy/

References
internal privacy policy
online privacy policy / notification
procedures
sample: https://www.difc.ae/files/8415/9341/5367/DIFC-Data_Subjects_Rights_Requests_-_EXTERNAL_GUIDANCE__DPL_2020.pdf (this guidance may be converted to an internal policy as well to instruct staff how to deal with requests from individuals about what data an entity has about them)

References
internal privacy policy
procedures
