6.1.2 Data Management of Data Protection

C 8/2020 STA Effective from 25/12/2020
  1. 6.1.2.1 The Board must designate responsibility and accountability for the Data Management and Protection function to a senior position in management who reports directly to Senior Management. The function is responsible for ensuring oversight of and compliance with the Data Management Control Framework and any related requirements for Data protection and privacy laws of the UAE and the Central Bank.
  2. 6.1.2.2 The Data Management and Protection function must ensure that:
    1. a. Adequate monitoring and preventive controls are in place to detect any unauthorized or accidental loss, misuse, modification, access, disclosure or destruction of Personal Data;
    2. b. Verifications are regularly carried out on the legitimacy of Data collection, access to Data, Data integrity and the electronic procedures and address any issues identified;
    3. c. Controls are commensurate with the criticality and sensitivity of the relevant systems and Data handled; and
    4. d. Detailed monitoring of records and the actions taken are maintained for 5 years.
  3. 6.1.2.3 The Data Management and Protection Function must:
    1. a. Annually review and improve the adequacy of the Data Management Control Framework for the collection, classification, storage, usage, transfer, protection, correction and destruction of Personal Data;
    2. b. Monitor, investigate and report to Senior Management any material incidents of accidental or unauthorized access, loss, alteration, transfer, destruction, use, modification or disclosure of Data; and
    3. c. Participate in the handling and investigation of privacy related Consumer Complaints and must report the conclusion of the investigation to the head of the Complaint Management function, who will then correspond with the Consumer and provide the Institution’s findings in Writing.
  4. 6.1.2.4 The Data Management and Protection function must issue reports to the Senior Management and the Board on significant Data management violations and breaches immediately. Senior Management must ensure proactive measures are taken to address the violation / breach and to improve Data management systems and safeguard the confidentiality and privacy of Consumers’ Personal Data.
  5. 6.1.2.5 Licensed Financial Institutions must, without delay, inform their Consumers of unauthorized access to, and/or loss, destruction or alteration of Consumers’ Personal Data where it may reasonably pose a risk to the Consumer’s financial and personal security and/or where it may pose reputational harm to a Consumer.
  6. 6.1.2.6 Licensed Financial Institutions must notify the Central Bank immediately of all significant breaches of Personal Data.