DP Assessment Tool – Data Protection Officers

The DP Law 2020 introduces a duty for you to appoint a data protection officer (DPO) if you are a DIFC Body (apart from the Courts if acting in judicial capacity), or if you carry out certain types of processing activities.  DPOs monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Commissioner’s Office. The DPO must be independent, must have knowledge of this Law and its requirements, must be adequately resourced, and have direct access and ability to report directly to senior management of the Controller or Processor. 

A DPO can be an existing employee locally or within a group of companies, or may be externally appointed.  A DPO may hold other roles or titles within a Controller or Processor or each respective entity group, and may fulfil additional tasks and duties. 

Please note that this assessment tool / guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.
 
1. Are you a DIFC Body?
Are you the DIFC Courts acting in its judicial capacity? 
Are you a Controller or Processor performing High Risk Processing Activities on a systematic or regular basis?

High Risk Processing is defined in the DP Law 2020 in Schedule 1, Article 3 as:
Processing of Personal Data where one (1) or more of the following applies:
(a) Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights;
(b) a considerable amount of Personal Data will be Processed (including staff and contractor Personal Data) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal Data or risks relating to the security, integrity or privacy of the Personal Data;
(c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
(d) a material amount of Special Categories of Personal Data is to be Processed.
Has the DIFC Commissioner of Data Protection directed or otherwise required you to designate a DPO?