Most firms not yet ready to abide by new DIFC data law

The UAE businesses surveyed also shared concerns about new compliance challenges stemming from a growth in employee shadow IT software

New findings from a research revealed that 75 per cent of the data stored by the surveyed organisations in the UAE is dark and ROT — redundant, out-dated and trivial — information.

The study unveiled by Veritas Technologies said the data stored by those firms currently comprises 33 per cent dark and 42 per cent ROT information. “Although a significant drop from last year’s 88 per cent, ROT data still increased by 1.0 per cent, rising to 42 per cent of an organisation’s stored data.”

To fully comply with the new Dubai International Financial Centre Data Protection Law (DPL) that has come into effect recently, businesses must get their data in order, Veritas said in its ‘Middle East Databerg Report’.

With the DIFC Data Protection Law, DPL 2020 having come into force on July 1, 2020, and the three-month grace period for businesses to comply with the law now having come to an end, companies that operate in the DIFC and, more importantly beyond, must address the requirements of DPL 2020 or risk fines for non-compliance that range from $10,000 to $100,000.

Johnny Karam, regional vice-president, Veritas, Emerging Region, said the first step on the road to compliance with data regulations is to know what data you have and where it is.

“Without that insight, it is practically impossible to be able to ensure that data is being stored, processed and deleted in line with the law. Our survey shows that, whilst businesses have started on the journey understanding their data, they still have a long way to go,” said Karam.

The survey results suggest that businesses still do not even know what one third of the data they are storing is, and 42 per cent of it should probably have been deleted. “UAE businesses need to get ahead of this challenge if they are to avoid the fines that come with failing to comply with the DIFC regulation.”

He said one of the main reasons for the limited progress of companies in the UAE towards understanding their data may be the seismic shift towards working from home. “With organisations focused on ensuring employees are connected remotely, much of the efforts of IT departments went towards dealing with the shift.”

The UAE businesses surveyed also shared concerns about new compliance challenges stemming from a growth in employee shadow IT software. Some 47 per cent of respondents said that they believe employees working from home might have started using at least two new cloud-based software on their devices.

Since the survey suggests that most companies in the UAE are prone to data-hoarding with minimal visibility, they will need to encourage data responsibility and implement the latest data management tools in order to achieve compliance with the DIFC.

The DIFC law is not limited to those businesses operating within DIFC. A key feature of the new law is its extraterritorial reach, applying to the processing of data by a controller or processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC.

Although not as expansive as the GDPR, the DPL 2020’s international reach means that businesses operating across Dubai will now have more reason to focus on having a data management strategy in order to ensure data compliance is taking place within an organisation – both from an operational and cultural perspective.

Veritas report suggests that businesses establish and implement data maps and policies, increase data visibility throughout the organisation, establish proper protection and breach protocols and minimise their data load as much as possible, for a cleaner slate.

— issacjohn@khaleejtimes.com