Introduction
The data protection landscape has been evolving quickly across the Middle East and Africa to keep abreast of global developments and international standards. Perhaps surprisingly for a country with a genuine history of digital innovation and ambition in relation to becoming a truly data driven society, the UAE lags behind many of its neighbours and global “knowledge economy” competitors when it comes to the subject of privacy legislation.
There is no comprehensive data protection law in the UAE at a federal level, and the much talked about draft law has not been shared publicly or enacted, although the release may have been delayed by the global pandemic. That said, we have seen a number of positive developments in the past year in the UAE, most notably the Dubai International Financial Centre’s (DIFC’s) updated Data Protection Law 2020 and the Abu Dhabi Global Market’s (ADGM’s) new Data Protection Regulations 2021. Both are forward leaning, innovative and pragmatic updates which align closely with global data protection best practices, including GDPR.
Consumer Protection Regulation for Banks
The Central Bank of the UAE (CBUAE) has recently continued this positive trend for the financial services sector and issued its Consumer Protection Regulation (CPR) and supporting Consumer Protection Standards (CPS) as part of a Financial Consumer Protection Regulatory Framework established in accordance with Article 121 of Federal Law No. 14 of 2018.
The primary aim of the CPR is to protect consumers and promote the stability of the financial services industry in the UAE. The CPR and CPS apply to all Licensed Financial Institutions (LSI’s) licensed by the CBUAE, and the CPR contains articles which cover several areas focused on delivering enhanced levels of consumer protection for UAE financial services customers. These include disclosure and transparency, institutional oversight, market and business conduct, responsible financing practice, consumer education and awareness and – importantly for this audience – Article 6, the protection of consumer data and assets, and more specifically, consumer data protection.
Useful CPR Definitions
Consumer: The CPR defines a Consumer as a customer who is a natural person or sole proprietor who obtains (or may prospectively obtain) financial services and/or products, with or without charge.
Personal Data: Personal data is broadly defined as any information relating to an identified natural person or identifiable natural person. An “Identifiable natural person” is defined as a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their biological, physical, biometric, physiological, mental, economic, cultural, or social identity.
Licensed Financial Institutions: These are banks and other financial institutions licensed in accordance with the provisions of the Decretal Federal Law No. (14) of 2018, to carry on a licensed financial activity. This includes LSI’s which are either incorporated inside the UAE, or in other jurisdictions, and have branches, subsidiaries, or representative offices inside the UAE.
Consumer Protection Regulation
The Consumer Protection Regulation (CPR) includes the following Consumer Data Protection obligations:
| CPR Article 6 Requirements | Mapping to GDPR Principles |
| 6.1.1 LSI’s are required to collect the minimal amount of consumer data and information needed in respect of their licensed activities. | Data minimisation |
| 6.1.2.1 LSI’s must establish a function in their organization that is responsible for data management and protection including responsibility for maintaining policies, procedures, systems and controls to protect consumers’ personal data and information against misuse, unauthorized access and undue processing and analysis. | Accountability and governance Lawfulness, fairness, and transparency |
| 6.1.2.2 LSI’s must have policies that specify duration of record keeping and data retention in accordance with the applicable laws, regulations and business. | Storage limitation |
| 6.1.2.3 LSI’s must have appropriate security and monitoring measures in place to detect and track unauthorized internal access or use of Consumer information. Any breach of access, misuse or unauthorized release must be recorded including any harm done by such breach for future reporting to and review by the Central Bank. | Integrity and confidentiality (security) Accountability |
| 6.1.2.4 LSA’s must notify the Central Bank of all significant breaches of Consumer data and information and notify any Personal data breach to Consumers where a breach may pose a risk to the financial and personal security of the Consumer without undue delay. LSI’s are liable for reimbursing any direct costs incurred by the consumer for actual harm done as a result of the breach. | Transparency – Data Breach Notifications Accountability |
| 6.1.2.5 LSI’s must ensure that Consumers are able to make informed choices with respect to providing expressed consent as to their data being collected, used and shared with third parties and within the LSI. | Transparency Lawfulness, fairness and transparency |
| 6.1.2.6 LSA’s must prevent the misuse of Consumer information and data. | Lawfulness, fairness and transparency Purpose limitation Integrity and confidentiality (security) |
Consumer Protection Standards
The Consumer Protection Standards (CPS) touch upon the following noteworthy Consumer data protection topics:
Data Management Control Framework
The LFI’s need to implement a Data Management Control Framework which will need to have policies, procedures, and system controls to protect Consumer data and identify and resolve any security breaches.
The CPS includes requirements for banks like online identity verification and secure digital transaction processing controls, the provision of employee training and awareness programs, and limitations around access to the personal data of Consumers, including a requirement to maintain logs for audit and supervisory purposes which record the names of staff who have accessed Consumer databases and the timing. The CBUAE may request access to those records.
Management of Data Protection
The CPS expands on the CPR obligation mentioned above and sets how the Board should designate responsibility and accountability for the data protection function to a senior position in management who reports directly to senior management. This brings the designation and responsibility of the data protection domain close to the requirements many readers will be familiar with in the GDPR.
The data protection function is tasked with reviewing and improving the Data Management Control Framework – which incorporates 1) the collection, classification, storage, usage, transfer, protection, correction, and destruction of personal data; 2) the monitoring, investigation, and reporting of any material incidents of accidental or unauthorized access or disclosure of data and should 3) participate in the handling and investigation of privacy related Consumer complaints.
We will soon publish a whitepaper on the Role of the Data Protection Officer (DPO). In this white paper we explain the role of the DPO to executive-level decisionmakers and legal and compliance stakeholders who may not be overly familiar with privacy as a subject, but who are increasingly faced with questions about privacy and tasked with ensuring compliance with new or evolving regulations. One key decision revolves around whether the organisation should appoint a GDPR-inspired DPO, and if so, who that should be.
The data protection function envisaged for banks by the CPR and CPS has many similarities in terms of the role and the intended responsibilities, such as the monitoring of the privacy program (including records and actions taken), performance of risk assessments and decision-making, involvement in breach responses, managing consumer complaints, annual reviews and regular reporting to senior management.
Consent by Consumers and Consumer rights
The Consumer must provide express consent for the use or sharing of personal data by a bank or other financial institution. This consent must be freely given, with the request for consent expressed in clear and plain language while also informing the Consumer of the right to refuse to provide consent. The Consumer also has the right to withdraw consent and the LFI has 30 days to implement the withdrawal. In addition, the Consumer should be informed about the right to request access to their data and the right to correct any inaccuracies in their personal data.
Retention of Personal Data
The CPS requires that all personal data and records be securely retained for a minimum of 5 years, which is typically from the termination of the business relationship, or the closing of a Consumer’s account. After that period, the personal data must be destroyed or permanently deleted if it is no longer required for the purpose for which it was collected and processed, or no longer required by law.
Breach Notification
Banks and other financial institutions (LSI’s) are mandated to notify the CBUAE of any material data breaches, losses, or alterations when they occur. When unauthorized access to a Consumer’s personal data occurs, the LSI is also required to record any disciplinary actions taken against staff, agents, or contractors responsible for the breach.
Finally, the LSI will need to keep records for 5 years after any breach event and the CBUAE may request access to these records.
Data Protection Next Steps and Deadline
Banks and financial institutions have until 31 December 2021 to update their consumer data protection practices.
White Label Consultancy recommends you consider the following next steps:
- Assess your current Consumer personal data protection and privacy practices against the new CBUAE CPR and CPS requirements.
- Review and update (as required) your current governance framework, policies, processes, and controls.
- Appoint someone with appropriate professional qualities, experience, and expert knowledge to the required data protection function position.
- Implement your internal code of conduct for your staff, provide foundational training (which will become ongoing), and begin monitoring compliance with your privacy program (consumer protection) and CPR obligations, and the Consumer complaints you receive.
In closing, I think it is worth making the general observation that the CPR and CPS contain a number of familiar data protection best practice principles and provide LSI’s with useful information on “what” requirements LSI’s need to abide by, but at this point there is less detailed information on the “how” LSI’s should go about bringing those principles and requirements to life. This is where White Label Consultancy could assist LSI’s to find inspiration and guidance in other data protection regulations and domains, leveraging our team’s vast global experience implementing privacy management programs
Please reach out to us at White Label Consultancy here with any questions.
