DIFC Data Protection Law

Get your DIFC-licensed entity compliant with DIFC Data Protection Law 5 of 2020.

DIFC Data Protection Law No. 5 of 2020 (DIFC DPL) is the personal data protection regime for entities incorporated in or operating from the DIFC. The federal UAE PDPL (Federal Decree-Law No. 45 of 2021) does not apply inside financial free zones that have their own data protection law, so for a DIFC entity the DIFC DPL is the governing regime rather than a layer on top of the PDPL. Compliance requires its own records of processing (RoPA), data subject request (DSR) workflow, breach notification process, and engagement with the DIFC Commissioner of Data Protection (CDP). We deliver the readiness audit and then run operational compliance.

  • Law: DIFC Law No. 5 of 2020
  • Breach notification: to the CDP as soon as practicable, with a 72-hour outer limit built into our playbook
  • Regulator: DIFC Commissioner of Data Protection (CDP)
  • Substantive design: GDPR-aligned
DIFC DPL operational scope

Nine DIFC DPL obligations and how we operationalise each.

Records of Processing Activities

Inventory of processing activities: purpose, categories, recipients, retention, cross-border transfers. Maintained as a tracked register.

Lawful basis assessment

Per-activity assessment of lawful basis: consent, contract, legal obligation, vital interest, public task, or legitimate interest.

Data Subject Rights workflow

Operational process for access, rectification, erasure, restriction, portability, and objection requests, with identity verification before any data is released. 30-day response window, tracked from receipt of the request.

Breach detection and Commissioner notification

Detection via Microsoft Sentinel monitoring, an IR playbook for triage and severity assessment, and a CDP notification template. DIFC DPL Article 41 requires the controller to notify the Commissioner as soon as practicable in the circumstances, and to inform affected data subjects where the breach is likely to result in a high risk to them; the playbook is built to a 72-hour outer limit so the GDPR-style deadline is never the binding constraint.

Special-category data controls

Health, biometric, genetic, religious, political data treated with stricter controls: explicit consent, narrower access, encryption.

Cross-border transfer governance

Reference list of jurisdictions the Commissioner recognises as providing adequate protection, appropriate safeguards (such as DIFC standard contractual clauses) for transfers to the rest, and a transfer impact assessment for each cross-border flow.

Privacy notices and consent

Plain-language privacy notices matching actual processing, consent capture/withdrawal/audit trail.

Controller-processor contracts

GDPR Article 28-equivalent obligations on processors: processing only on documented instructions, confidentiality, security measures, sub-processor control, assistance with DSRs and breaches, and deletion or return of data at the end of the contract. DPA review and drafting for your vendor agreements.

Data Protection Impact Assessment

DPIA template aligned to the DIFC DPL DPIA requirement (Article 20), triggered for high-risk processing such as large-scale special-category data, systematic monitoring, or new technologies.

Why DIFC entities choose us

Four reasons DIFC compliance teams move DIFC DPL operations to GR.

DIFC DPL fluent, not GDPR substitute

DIFC DPL is heavily inspired by GDPR but has its own distinctive features, and a GDPR programme copied across will miss them. We deliver to DIFC DPL specifics, including the CDP notification procedure, DIFC Courts engagement, and DIFC-specific lawful-basis interpretation.

Tooling-aware, policy-thorough

Microsoft Purview, Priva, Defender used where they fit. Policy, contract, training, and CDP-engagement work where tools cannot reach.

Quarterly evidence packs

Audit-ready evidence delivered quarterly: DSR log, breach register, DPIA log, training completion, vendor contract status.

Coordinated with DFSA where applicable

Many DIFC-licensed entities are also DFSA-regulated financial firms. For those, DIFC DPL compliance is coordinated with DFSA cyber compliance so that one control set and one evidence pack serve both regulators.

Who is in scope

Six DIFC entity types where DIFC DPL is non-negotiable.

DFSA-licensed financial firms

Asset managers, advisors, brokers, banks. DIFC DPL on top of DFSA cyber expectations.

Law firms (DIFC-licensed)

DIFC-registered legal practices. Privilege discipline plus DIFC DPL compliance.

Professional services firms

Accounting, audit, consulting firms registered in DIFC.

Family offices

Single-family and multi-family offices licensed in DIFC.

Insurance and reinsurance

DIFC-licensed insurance entities with health, financial, and personal data.

Fintech and innovation testing

DIFC Innovation Testing Licence firms, fintech operating in DIFC.

DIFC DPL vs federal UAE PDPL vs GDPR

How DIFC DPL relates to adjacent frameworks.

Feature                    | DIFC DPL 5/2020                                                                        | UAE PDPL 45/2021                                                           | EU GDPR
Applies to                 | Entities incorporated in or operating from the DIFC                                   | Onshore UAE entities (free zones with their own data protection law excluded) | Controllers and processors established in the EU, and those offering goods or services to, or monitoring, individuals in the EU
Regulator                  | DIFC Commissioner of Data Protection (CDP)                                            | UAE Data Office                                                            | National supervisory authorities (one or more per member state)
Effective date             | 1 July 2020                                                                            | 2 January 2022                                                             | 25 May 2018
Breach notification window | As soon as practicable (72-hour outer limit in our playbook)                           | Without undue delay; detail in executive regulations                       | 72 hours from becoming aware
DSR response window        | 30 days                                                                                | 30 days                                                                    | One month, extendable by two further months
Penalty cap                | Administrative fines up to USD 100,000 per contravention; further fines via the DIFC Courts | Set in executive regulations                                           | 4% of global annual turnover or EUR 20 million, whichever is higher
Substantive design source  | GDPR-inspired                                                                          | GDPR-inspired                                                              | Original

How a DIFC DPL engagement runs

From gap audit to ongoing operations.

  1. DIFC DPL gap audit (2-3 weeks)

     Workshop-led discovery: data flows, policies, contracts, technical controls. Output: written gap report mapped to DIFC DPL articles.

  2. Foundation build (3-4 weeks)

     RoPA populated, privacy notices rewritten, controller-processor contracts reviewed, DPIA template deployed, breach playbook written.

  3. Operational embedding (2-3 weeks)

     DSR workflow embedded in the service desk, breach detection wired into Microsoft Defender and Sentinel, training rolled out.

  4. Quarterly maintenance (continuous)

     Quarterly RoPA refresh, DSR log review, breach drill, DPIA log update, training delivery.

We are a DIFC-licensed family office with extensive cross-border data flows. DIFC DPL compliance had been a paper exercise for three years. GR rebuilt it as an operational programme: RoPA register, DSR workflow in our help desk, breach playbook with quarterly drills, transfer-impact assessments for each cross-border flow. The CDP review last year closed without findings, the first time we managed that.
Group Compliance Officer
Compliance · DIFC-licensed family office
Clean CDP review after operational programme rebuild
DIFC DPL FAQ

What DIFC entities ask before engaging.

DIFC DPL readiness, ready when you are

Book a DIFC DPL gap audit and we will deliver a written readiness report.

A 2-3 week structured audit covering RoPA, lawful basis, DSR, breach response, transfer governance, contracts, training. Output: prioritised remediation roadmap.