The ADGM Data Protection Regulations 2021 (“DPR 2021”) introduce the obligation to notify the Office of Data Protection (“ODP”) in some cases where there has been a Personal Data Breach. A Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. This includes breaches that result from both accidental and deliberate causes. It is also important to note that a personal data breach is about more than just losing personal data.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- unencrypted computing devices containing personal data being lost or stolen;
- paper records lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data, including unavailability due to a cyber incident (e.g. ransomware).
Article 32(1) of the DPR states that: “In the case of a Personal Data Breach, the Controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Commissioner of Data Protection, unless the Personal Data Breach is unlikely to result in a risk to the rights of natural persons. Where the notification to the Commissioner of Data Protection is not made within 72 hours, it must be accompanied by reasons for the delay.”
This assessment has been developed to support you in identifying whether you are required to notify the Office of Data Protection and affected individuals in the event of a Personal Data Breach. Please note that the assessment assumes you are an ADGM entity or otherwise fall within the Territorial Scope of the DPR 2021. For more information on the material and territorial scope, refer to Articles 2-3 of the DPR 2021.