PrivacyEngine Podcast

UAE Data Protection in Practice: DIFC and ADGM Free Zone Rules

PrivacyEngine


In part two of our UAE data protection series, we move beyond the UAE Federal Personal Data Protection Law (PDPL) and into the free zones, specifically the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). These financial and commercial hubs operate their own data protection regimes, built to support international business and designed to feel familiar to GDPR-ready organisations.

We break down what DIFC and ADGM actually are, why the federal PDPL generally does not apply inside these zones, and how to determine which law applies when operations span multiple jurisdictions or sectors. You will also learn what feels “GDPR-like” (lawful bases, controller-processor rules, DPIAs, RoPA, data subject rights) and what can catch teams out, including regulator expectations, breach notification thresholds and timelines, international transfer mechanisms, governance requirements, and enforcement posture.

If you are expanding into the UAE, working with DIFC or ADGM entities, or managing cross-border data flows, this episode offers practical guidance on building a jurisdiction-specific compliance strategy that holds up in day-to-day operations.

Enjoyed this episode? Subscribe for more practical insights on global privacy and data protection. If you have questions about India's DPDPA, KSA & UAE's PDPL compliance, get in touch. We would love to hear from you.

SPEAKER_02

Hello, everyone, and welcome back to our podcast series exploring international privacy and data protection laws. Before we get into today's episode, I just want to briefly recap where we left off in part one of our two-part focus on the United Arab Emirates. Last time we concentrated on the UAE federal personal data protection law, and we spent a lot of time unpacking why the UAE's data protection landscape is unusually complex compared to many other jurisdictions. We looked at how the federal PDPL sits alongside sector-specific rules and how it differs from the GDPR in terms of lawful basis, enforcement maturity, and international transfers, and why executive regulations play such a central role in how the law is actually applied in practice. But the key theme we kept coming back to was this. In the UAE, the real compliance question isn't just what does the law say, it's which law applies to me. Because the federal PDPL doesn't operate in isolation, it exists alongside separate legal regimes in free zones, and those regimes can impose very different obligations on organisations. And that brings us directly to today's episode. So I'm going to hand over to Katie now, who's going to introduce our focus for part two of this podcast episode.

SPEAKER_00

Thanks, Maria. Yeah, I'm just going to give an overview of where we're going to focus today as opposed to last week. So this is part two of our UAE series, and we're going to turn our attention to the free trade zones. There are over 40 free trade zones in the UAE, but we're going to choose two in particular for the purpose of this podcast: the Dubai International Financial Center, the DIFC, and the Abu Dhabi Global Market, which is the ADGM. They're both situated in two of the most populous Emirates in the UAE, and they have a really big role to play in increasing foreign trade in commodities that aren't oil, basically. So that was the reason that we wanted to zone in on these, because these two zones have their own courts and commercial laws, and they also have their own data protection frameworks. And those frameworks are a lot more detailed and closer in structure to the GDPR than the federal PDPL, as we discussed last time. So in this episode, we're going to look mainly at how the DIFC and ADGM regimes work in practice, how they differ from the federal law, how organizations can navigate the regulatory landscape, and how that can translate into governance procedures, international transfers, enforcement, and day-to-day compliance. So just like last week, we've got 12 questions and we're going to take them in turns as per usual.

SPEAKER_02

So I'll ask the first question, Katie. For our listeners who are new to the idea of the UAE free zones, can you explain what the DIFC and the ADGM actually are and why they have their own data protection laws?

SPEAKER_00

Thanks, Maria. So the DIFC and ADGM are what the UAE has created as their financial and commercial free zones. The DIFC, the Dubai International Financial Center, is an onshore financial center with the aim of fulfilling the financial needs of the region as it grows its economy. It also has the purpose of strengthening the links between the financial markets of Europe, the Americas, and Southeast Asia. Whereas the ADGM, the Abu Dhabi Global Market, is an international financial center located in the capital of the UAE, but its main focus is growing financial connection between the Middle East, Africa, and Asia. So they both kind of have a separate, I suppose, cultural purpose. The DIFC is more, you know, the Western world and Southeast Asia, and then the ADGM is for the Middle East, Africa, and the rest of Asia. So they both have their own courts, they have their own commercial laws, and they also have their own regulators. So when it comes to data protection, it's a logical extension of that model. If you're trying to attract international banks, asset managers, cloud providers, and multinationals, you're gonna need a regulatory framework that is similar to what they've already complied with. So that's the idea behind why they have their own separate systems and why their data protection regimes are far more prescriptive than the PDPL. Yeah, I hope that gives a good background to why they're very clear.

SPEAKER_02

Yeah, sorry.

SPEAKER_00

I'll go to your question now, Maria, which is why were these free zone data protection regimes created in the first place? And what problem are they trying to solve?

SPEAKER_02

So I think you kind of covered that as well, Katie, in the first question. The short answer is really international credibility and legal certainty, I think. The federal PDPL that we looked at last week was designed as kind of a national baseline framework, and it's clearly influenced by the GDPR, but it's relatively high level and very consent focused. Um, and it's heavily dependent on executive regulations to flesh it out, like we saw in the first podcast that we did. So it's perfect for like a domestic legal system, but for international financial services, like you described, and for digital businesses, uh, that kind of uncertainty and you know the need to flesh it out more in the future uh could become a real problem, a real commercial problem. So I think that's why the DIFC and the ADGM kind of went with more of an international uh approach to data protection. They wanted to mirror international standards, so they went with something very similar to the GDPR because the GDPR is often seen as the gold standard for data protection globally. Um, and they wanted to give businesses a very clear, operationally detailed rule book that you know is similar to what organizations would be used to by doing business in Europe. And they wanted to provide strong independent regulatory oversight through specialist free zone authorities. So, like you said, the DIFC and the ADGM have their own data protection authorities, um, so that gives certainty to international organizations as well, you know. So I think they essentially were created to kind of remove any kind of friction um that may exist uh between you know cross-border transfers and so on. By having regimes that are very similar to the GDPR, companies that are already working with Europe or who are based in Europe would have very few problems um transferring or setting up in these free zones.
So the transfer of personal data would be much easier for them because uh each of these free zones has adequacy with the GDPR. So it's just basically streamlining um international business, I think.

SPEAKER_00

For sure.

SPEAKER_02

So then moving on to question three, um, and just to be crystal clear, Katie, does the federal PDPL um ever apply in the DIFC and the ADGM? Or are these zones completely and utterly carved out in terms of their data protection frameworks?

SPEAKER_00

Um so the PDPL does not apply to companies and establishments located in the free zones as far as they have their own legislation governing personal data protection. So that was another reason, I suppose, that we chose to explore the DIFC and the ADGM, because the scope of the PDPL says that it applies, except in the case that a free zone has its own data protection regime. So for the purposes of where we're exploring today, they have their own regulations. The PDPL does not apply. And we've also chosen zones that happen to operate in the financial services sector, so they tend to have their own specific laws governing financial services as well. So yeah, the PDPL does not apply to organizations within these two zones that we're talking about today.

SPEAKER_02

Okay. You mentioned other regulations that will probably um have some sort of uh impact on uh compliance and you know governance in general.

SPEAKER_00

Yeah, um, like they have within the UAE, they tend to be, like I think we touched on it last week too, that certain sectors also have their own specific laws governing it. So it's not just the zones to look out for, it's also what sector you're in. I think that was more relevant to our discussion last week.

SPEAKER_02

That's another thing to consider if you're, you know, doing business with these two free zones, okay.

SPEAKER_00

Um yeah, I think that kind of frames our next question, which is for you, Maria, which is in practice, how will an organization figure out which law is going to apply to them and what happens when they have operations across multiple zones?

SPEAKER_02

Thanks, Katie. Well, I've looked at this issue quite a lot, um, and I've been back and forth about it, but I think if you approach it from a three-step uh approach, I think that is the most transparent way that we can kind of look at it. So the first thing you need to do is you need to understand where you are licensed to do business. So, where did you set up your organization? If you've set it up in the DIFC, then your main jurisdiction would be the DIFC. If you set it up in the ADGM, then the ADGM data protection law would apply. And you know, so the federal PDPL would step aside in that scenario. But then if you're thinking about a second jurisdiction, so if you're set up in one of the free zones, but you're kind of recruiting um staff from, we'll say, the jurisdiction where the federal PDPL applies, um, like onshore in Dubai or Abu Dhabi, then you've created what we would call a federal nexus. So you'll likely need to follow like the stricter of the two laws. So the second jurisdiction in that case would be the federal PDPL, but the main jurisdiction would be like the more complex and the stricter law, so you'd apply that law. Um, but of course, you would have to be um observant as well of the PDPL, but you would always take the higher or more strict uh law into account when you're considering compliance. And then the third one we just touched on um in your previous question, Katie, is regardless of the zone that you're in. So, regardless of whether you're in the jurisdiction of the federal PDPL or the DIFC or the ADGM, the sector where you're working in is important. So let's say if you were processing health data in one of these free zones, then the 2019 health data law would take precedence over the data protection law.
But that's another thing you need to consider when trying to decide regulatory obligations in terms of compliance. But another thing that we're seeing, a trend that we're starting to see now, is instead of like building separate uh data protection programs or separate frameworks, uh, organizations are starting to look at the highest standard framework and go from there. Um and in this case, it would be the DIFC framework, and then you would just add a kind of a federal addendum to handle specific local notifications when you're processing data in the federal PDPL jurisdiction. I hope that's clear.

SPEAKER_00

Yeah, I think that is the best approach, just to satisfy the most strict regime first.

SPEAKER_02

Yeah, and then you know take note of the extra requirements that you need to put in place for the lesser uh of the jurisdictions, the less strict um jurisdiction, and in this case it would be the federal PDPL. Okay, so moving on to question five, then, Katie. For a GDPR compliant organization that's listening to this podcast, what parts of these free zone uh regulations would feel familiar straight away? And what are the parts that they might need to consider and that might catch them out?

SPEAKER_00

Um so I'd say the overall, I mean, in comparison to the federal PDPL anyway, the overall structure of these two laws is going to feel a lot more similar to GDPR, and I think that that's where the comfort might creep in because at the end of the day, there are those slight nuances, and I think one of the main differences with how these are going to apply in practice is that they're younger than the GDPR, so the regulators' expectations are going to be different, and I think we're going to talk about this a bit more later on, but they're obviously gonna take a different approach to the DPC or the ICO. So, I mean the DIFC is actually based a lot more on the UK GDPR rather than the EU GDPR, and they do rely on the ICO guidance, whereas the ADGM, I would say, even though their zone is aimed less so at Europe, the actual regulation is more modelled on the EU GDPR than the UK GDPR. So little things like that I'd say look out for, and something that we keep talking about, which is how it interacts with the other laws applicable in whatever zone or whatever sector the organization is operating in.

SPEAKER_02

Okay. Um and another thing I'd like to just add as well is you know, you've got the same kind of controller processor model and the same six lawful bases as you have with the GDPR. Um but where people might get caught is like their enforcement style. So in the EU, regulators like the Irish DPC or the French CNIL often start with massive turnover-based fines. Like you know, they're always coming in the news for breaches and so on. And the first thing that the authorities would do is impose a massive fine. Whereas in the ADGM and the DIFC, we see more of a kind of a prescriptive approach. So they do fine, but the fines are don't seem to be a fraction of what they would be in Europe, and they focus more on kind of directions on how the organization could comply with the regulations in the future. So that's kind of something as well that's slightly different in these free zones.

SPEAKER_00

Yeah, I would agree. Yeah, I suppose it is the regulators who are interpreting, applying, and enforcing the regulation at the end of the day. I mean, if they use the same terms, but you kind of, you know, that's your best source to go off.

SPEAKER_02

Absolutely, yeah. And if you look at the previous cases, um, and we'll get into that in more detail in the next few questions, but they take it quite seriously, they take data protection quite seriously.

SPEAKER_00

I'll move on to question six now for yourself, Maria. So, do the DIFC and ADGM take a more GDPR-like approach to lawful basis compared to the PDPL? And what is that going to mean for day-to-day compliance?

SPEAKER_02

Well, I would definitely say that those two free zones, the DIFC and the ADGM, are very much more of a GDPR type approach in terms of lawful basis, because they both have the same six lawful bases as the GDPR. And this is a great kind of boost for international companies because it means that if the companies have been working in Europe before that and they have a kind of a data protection framework already in place, then it's going to be very easy for them to set up their data protection frameworks in these two free zones as well, with just minimal adjustments. You know, they should be able to uh kind of port that framework, uh, that legal basis framework from Europe into these three zones. And that's like massive for organizations. Um, and you know, it can be quite costly if they don't have the same kind of compliance or governance structure. And as well, we see that like the federal PDPL in terms of lawful basis is very kind of consent focused, whereas these free zones have the familiar lawful bases, the six um lawful bases that we are used to with the GDPR in Article Six. Um, so in practice, uh GDPR compliant organizations can often just reuse their lawful basis framework um wholesale when they're setting up in these free zones. If you're processing data to provide a service to a client, you can use the lawful basis of contract uh like you can with the GDPR. And if you're doing something like internal broad monitoring, then you can actually use legitimate interests. Um, and as well, it's so similar to the GDPR in that they would expect you to carry out a legitimate interest assessment as well and have that available for an audit. So you know it's very, very similar to the GDPR.
And I think as well, another benefit of this is that when you have um kind of a high-level uh framework like the federal PDPL, organizations have to go back and get consent all the time from their customers, which can create kind of what they call consent fatigue. And people just get bored and they get tired of having to give consent the whole time. So you avoid that when you have a more complex framework like that's in the free zones of the DIFC and the ADGM. As well, another thing is that they're quite similar when it comes to special category data. So in the GDPR, we have Article 6 and then we have Article 9 as well, and we have to find a lawful basis for those two articles. So in the DIFC, you have a similar approach that you have to not only have a lawful basis to process uh special category data, but you also have to have an additional condition. And the conditions would be either explicit consent, employment or social protection reasons, vital interests, non-profit or membership bodies, or data that's been made public by the data subject, and so on. So it's similar in approach to the GDPR as well. So you'd have to have two conditions in order to be able to process uh special category data, and it's similar in the ADGM as well. So you have to meet one of the six lawful bases, and you have to meet a condition, a secondary condition, to be able to process uh special category data. So it's similar to the GDPR in terms of um processing you know uh special category data as well. Moving on then, uh Katie, to question seven. What are the key governance and accountability requirements under the DIFC and the ADGM?

SPEAKER_00

Thanks, Maria. They are quite similar to GDPR accountability. I mean, for the ADGM, they need to implement the appropriate technical and organizational measures to demonstrate that the processing is performed in compliance with their law. They need to review and update those measures where necessary, so they're going to need to, you know, keep up with technological developments and um regulatory developments. They have a requirement for data protection by design and by default, which we're familiar with. They have to pay a data protection uh fee to the Commissioner of Data Protection, which is, if I understand, that's in practice in the UK. They also have their controller processor obligations, and their data subjects' rights obligations and everything, but I suppose those are the ones that stick out to me, especially a whole article for data protection by default and design, which I quite like because, I don't know, we haven't seen that in every law so far, even if it's you know an underlying principle or a nice to have, but this is you know a must-have for the ADGM. For the DIFC, they have accountability and notification requirements. You need to have your ROPA, you need to have your record of processing activities, all the same information, really. It's not a requirement, but they do make a provision for having uh a DPO, and they have to be run through a DIFC body other than the court, so they kind of have to be vetted. A few of the Gulf regions have requirements like that for their DPO, actually. They've got to do their DPIAs again with the ADGM. We've seen that also. Yeah, they need to get in contact with the commissioner where assessments are gonna pose a high risk. So, I mean, we have that as well. Like it's very similar. The main difference again is what their independent regulators are gonna be looking out for.
Because they have the joint controllers, they have the processors, and so like they have nearly everything. I suppose it's just whatever the regulator, you know, whatever their decision development is gonna be. That yeah, it's gonna be their stickler points.

SPEAKER_02

Yeah. So it's probably going to be different, like you say, because we've seen this in previous uh podcasts where um the culture kind of comes into the data protection regulations. So the interpretation of the regulations may be different based on you know the commissioner's interpretation um, you know, in terms of what's appropriate in their specific country, which you know will probably be different to Europe based on differences in the country.

SPEAKER_00

So move on to question eight here, which is about the data subjects' rights. So would you say the data subjects' rights are stronger or more operationalized in the free zones compared to the federal law? And I suppose also compared to what we're more comfortable with, the GDPR?

SPEAKER_02

Well, I would say definitely. They're broader, they're more detailed, and as a result of that, then they're more enforceable. They are significantly more operationalized than under the federal law because the DIFC and the ADGM regulators are more mature. The organizations actually do see access requests, erasure requests, and complaints. A good example of this is in the 2024 ADGM ruling against OKDOC technologies. Uh they were issued a variable penalty notice specifically for failing to properly handle a data subject access request. So in the EU, a DSAR failure might be part of a larger investigation, but this case showed that in the ADGM, uh we see the commissioner issue specific penalties for procedural failure in rights handling. If you read the case, you'll see that individual rights aren't just a checkbox. They kind of made sure that even though at the end of the case, the data subject, she kind of settled an employment issue she had with the organization, so she was happy not to receive her data. But you know, Ocadoc technologies were fined anyway because the ADGM regulator investigated whether they had procedures in place to be able to carry out these, and they didn't. And as a result of that failure, they were you know they were fined. So that's an interesting case. So we're seeing that the ADGM takes these uh data subject rights quite seriously, and fines and directions on how to become compliant can come from these complaints. Question nine, Katie, is how do the DIFC and the ADGM handle international transfers then?

SPEAKER_00

Um again, they're similar but different to uh the GDPR. So I'll start with the ADGM. The commissioner of data protection within the ADGM is gonna have to have made the decision that whatever jurisdiction they're sending the data to, or international organization, uh has an adequate level of protection. So again, that's the adequacy decisions we're familiar with. Things they're going to take into consideration when deciding on adequacy decisions is rule of law, respect for rights, and the relevant legislation, including uh general legislation and specific sectoral uh legislation, data protection rules, and how enforceable the data subjects' rights are. A few other things there too. Those are the main ones. Another thing they take into consideration is international commitments uh that the jurisdiction has entered into, so conventions and things like that. So I suppose you know, a Council of Europe country, like that might be. That's interesting. Yeah. So yeah, they'll have a list of their adequacy decisions, and then otherwise they have appropriate safeguards where there's no adequacy, and again, it's a legally binding contract, binding corporate rules, standard data protection clauses, and codes of conduct and certification. So that's the ADGM, it's very, very similar. The DIFC again operates on the basis of an adequate level of protection. Again, it considers the rule of law, respect for individuals' rights. They consider how much access the public authority has to personal data, which is interesting. Yeah, it's an interesting one to note. The existence of effective data protection laws, whether they have a competent data protection authority, and again, they also consider international commitments and conventions that they've entered into. So the ADGM gives a lot more guidance there. The DIFC was more succinct, but uh a lot of it was the same.
But in the absence of adequate protections, they again they need to rely on appropriate safeguards, which is legally binding instruments, binding corporate rules, standard data protection clauses, codes of conduct, and certifications. So unless, again, the derogations, such as like where it's necessary for public interest, for um the actions of public bodies where the data subject has manifestly made something public or has explicitly consented. I mean, they're they're basically mirroring the international transfer mechanisms of the GDPR, in my opinion.

SPEAKER_02

Okay, that's good, yeah, because it makes it easy for people or for organizations, yeah.

SPEAKER_00

Yeah, we'll go into yourself now, Maria, um, and we'll talk about breach notifications. So, what are the breach notification expectations in the DIFC and the ADGM?

SPEAKER_02

Thanks, Katie. So they're much clearer than what we saw with the federal PDPL last week. You have defined reporting obligations, you have regular expectations around timelines, sorry, you have regulator expectations around timelines, and you have a much more established supervisory posture in both the DIFC and the ADGM. Breach notification is a high-stakes legal requirement, but the two zones use different schedules, we'll say, time schedules. While they both align with the GDPR's philosophy that the regulator must know about a breach before the public does, the specific expectations for when and how are quite distinct. You don't have to report every single breach. You only have to report the breach when it meets a specific harm threshold. So for the ADGM, you report any breach unless it is unlikely to result in a risk to the rights of the individual. With the DIFC, you report the breach if it compromises a data subject's confidentiality, security, or privacy. So if a breach involves special category data like health data or biometrics, the regulators in both zones effectively assume that it's high risk by default, and they would expect immediate notification. So the DIFC will say, in terms of notifying the regulator, they kind of say you have to notify them as soon as is practicable. With the ADGM, the terminology is without undue delay and where feasible within 72 hours. Then, in terms of notifying the data subject, under the DIFC, it's as soon as practicable again, if there is a high risk to the security or the rights of the data subject. And then with the ADGM, again they use that terminology without undue delay, if there's high risk to the rights of the data subject. So again, we're seeing here very similar to the GDPR; with the DIFC, they don't mention the 72-hour um time schedule, but with the ADGM, they do actually say, if possible, try and report the breach within the first 72 hours.
So yeah, very similar again. So moving on to the penultimate question, Katie. Are the DIFC and the ADGM regulators more active than, we'll say, the you know the federal PDPL? Thank you, Maria.

SPEAKER_00

Um, I don't know. Well, I would say compared to the federal PDPL, it seems to be that they are a bit more active in the sense that they have a lot more guidance out there and they have a lot more kind of literature out there to help understand the application of the legislation and a lot more additional resources. Um and they are engaged for sure. Like I might piggyback on your previous question a little bit and talk about um a decision from the ADGM Office of Data Protection. Um that's their regulator, the Office of Data Protection. Um and I'll talk about this decision from June 2023 regarding a breach reporting incident, um, which you were talking about previously. So they had a security incident and they had to report the breach. Um but the breach reporting procedure was not adequately followed by the organization from the perspective of the Office of Data Protection because they didn't give enough detail on what they had in place to potentially prevent the breach and what they had introduced to mitigate the risk. So the authority kind of perked up its ears and you know delved more into this organization, and they discovered through investigation of that incident that the organization did not have policies or procedures in place for handling security incidents or mitigating any consequences. The only technical security measure they had in place was a free antivirus tool.

SPEAKER_01

That's crazy.

SPEAKER_00

Yeah. They also lacked, they also got a bit of guff, I suppose, from the fact that the authority considered them to lack any proper training or awareness within their organization, which was a key factor that led to the breach. So they were found to be in contravention of section 29 of the regulation, which requires meaningful cooperation with the authority in the performance of its duties. So although, yes, they reported the breach, but the breach exposed the fact that they didn't have uh they basically weren't compliant with the regulation at all, and that stopped them from meaningfully engaging with the authority. So yeah, they they basically they didn't let that fly past them.

SPEAKER_02

So that's interesting, isn't it?

SPEAKER_00

So they fined them for not actually meaningfully engaging, yeah, and they couldn't, because they didn't have the framework or the training and awareness in place to understand their obligations. So, you know, I suppose they might have thought they were doing well reporting the breach, but it kind of exposed other deficiencies within that organization. Yeah, um, and the DIFC is active too, they have a lot more information online, and they also rely on ICO guidance where they might have gaps, but in 2023 they gave out 173 administrative fines, and in 2024 they gave 64. So, I mean, that kind of shows people are complying more actively.

SPEAKER_02

Yeah, yeah. We know another thing as well that I came across is the DIFC's July 2025 amendments. Have you heard of that one? Um, which kind of changed everything under the new article, which is 64A. Individuals in the DIFC now can sue companies directly for any kind of damages or distress caused by a breach, personally. So that's similar to the GDPR.

SPEAKER_03

Yeah.

SPEAKER_02

Um so they can bring a class action against the organization. Uh that mirrors kind of article 82 of the GDPR. Uh so before 2025, the DIFC, you could with the DIFC, you could only, you know, the organizations only needed to be worried about the commissioner, you know, in terms of breach. But now, um, if there's a data breach in an organization within the DIFC, you have that risk of a class action happening as well, just like in Europe. Yeah, so that yeah, I just came across that today, so it was interesting. I thought it might be worth bringing it up.

SPEAKER_00

Yeah, a lot of the Gulf regions have a private right of action in their legislation, so I'm actually surprised that that was an amendment that came out so soon.

SPEAKER_02

Actually, yeah, just the 20th of July last year.

SPEAKER_00

Yeah. That is that is very recent. We'll move on to our last question here for yourself, Maria. What are the top three things organizations should prioritize?

SPEAKER_02

Thanks, Katie. So if you're thinking about working or setting up, you know, processing data basically in these free zones, I think the first thing you need to do is you need to map which regime applies to which processing, especially if you're more if you're processing in more than one jurisdiction. And then another good thing that you could do is implement, you know, if you have already kind of GDPR grade governance, then you can roll that out if you're you know if you're processing data in the DIFC and the ADGM, because like like we've shown in this podcast, they're very similar frameworks. So if you start rolling out your GDPR, you'll probably come across a few differences, like we've highlighted in the podcast, but they're very similar to the GDPR. So you know that's a good action to take. And then the third action would be with the 2025 right, private right of action that we just mentioned with the DIFC, it I think it's important to start looking at your contracts. So you have to understand where the liability will lie if there is a data breach. So make sure that those data protection agreements with your processors and so on are ironclad, that you're protected. And as well, in terms of your cyber insurance, you know, get cyber insurance, make sure you're covered in terms of cybersecurity. You know, the example that you gave there, Katie, they had no cybersecurity more or less in place, you know, protections in place. So, again, very important now, after that um that private right of action that came in in 2020. So an interesting thing that I came across as well is there is a difference in terms of GDPR compliance. So if you're in the DIFC, and you have a data protection officer, then they have to have they have to submit an annual uh assessment report, which is interesting. And then in the ADGM, there are other certain notification filings that you have to do on an annual basis as well.
So you'll have to be in communication with the authorities in both free zones. So I thought that was interesting. So, you know, you have to submit your assessment report in the DIFC, and then you have to be aware of certain notification filings. Like, for example, you have to annually renew your data protection um registration with the authority in the ADGM. If you're appointing or if you're changing your data protection officer, you have to let them know as well. Or if you're if you're taking on new data processors, that has to be notified to the authority as well. So there's a few things that are different there that you you know must keep in mind if you're if you're thinking about uh processing data in these free zones.

SPEAKER_00

Thanks for that, Maria. So uh I think that brings us to the end of our second part of our two-part focus on the United Arab Emirates. Across the two episodes, we've tried to show how the UAE doesn't have a single uniform data protection regime in the way many European listeners might have instinctively expected. Um instead, it operates a layered system with a federal framework, sector-specific rules, and then distinct GDPR-inspired regimes within the DIFC and ADGM, which again is just two out of, I think there's about 40 free zones in the UAE. So, you know, we kind of just touch the surface there, but what should now be clear is that compliance in the UAE is not about memorizing one statute, it's about understanding where you're established, where your processing happens, what your sectoral specific regulations are, and what legal regime that combination triggers. For any organizations who are still operating under the GDPR, a lot of the concepts are going to be the same, like the RoPA, the DPIA, the processor uh requirements, the data subjects' rights, but you have to still be careful about the details and about the particular enforcement posture. The lawful basis frameworks, another one to look out for. The transfer mechanisms can differ, they're quite similar, but the the devil's in the details, really, when it comes to not being uh not being too comfortable with the fact that the structure feels familiar. So I would say the real takeaway from the two-part series is that you're going to need a jurisdiction-specific compliance strategy if you're operating in or targeting business in the UAE. And you're going to need to move away from having everything in the GDPR wording and the GDPR structure. So thank you, Maria, for working through this with me today. And thank you, everyone, for listening.

SPEAKER_01

Thank you. Thanks to all our listeners. We'll see you again in the next podcast.