In Brief:
The Dubai International Financial Centre (DIFC) has released a consultation paper outlining proposed amendments to the DIFC Data Protection Regulations. The proposed changes focus principally on Regulation 10, which addresses Personal Data processed by autonomous and semi-autonomous systems, and introduce a new Regulation 11 on accreditation and certification. The consultation closes on the 18th of July 2026. Businesses wishing to submit comments may use Annex B to the consultation available for download here.
Comments must be sent to:
Jacques Visser
Chief Legal Officer
DIFC Authority
Level 14, The Gate
P. O. Box 74777
Dubai, United Arab Emirates
or by email to consultation@difc.ae.
The DIFC reserves the right to publish submitted comments.
In this article, we summarise the proposed changes and the practical points that DIFC businesses should now consider.
Regulation 10: Terminology, Safety and Governance
A key drafting amendment appears in Regulation 10.2.2(b), where references to “principles” are being broadened to “policy frameworks”. This allows organisations to refer to a wider set of recognised governance instruments when describing how a system has been designed or developed.
A further amendment appears in Regulation 10.2.2(b)(vi). This sits within the list of matters to be included in the notice given to users where an application or website service employs Systems to process Personal Data. Where relevant codes, certifications, or policy frameworks are still in development or do not yet exist for the type or use of the System, the notice must include the privacy-by-design and default measures implemented to comply with Article 14(3) of the DIFC Data Protection Law. In those cases, the Commissioner and any relevant advisory body may also request an impact assessment or convene a review and audit body to provide technical and governance recommendations.
The added guidance to Regulation 10.2.2(a) is also notable in the context of the user notices. It states that where a System has a physical application by way of a device or otherwise, the required notice must be accessible through a common means of interaction, such as a voice-controlled virtual assistant or an intelligent agent. Read together with the addition of the word “physical” in Regulation 10.3.1(d), the drafting suggests an acceptance that the regulatory framework will increasingly need to accommodate AI systems with a physical interface or embodiment, rather than only software-based tools.
“Safety” is introduced as an additional concept in Regulation 10.3.1. This sits alongside the existing requirements that systems be ethical, fair, transparent, secure and accountable, and reflects an expectation that systems processing Personal Data should be designed and operated with safeguards aimed at identifying data use, assessing risks of harm, including physical harm, and reducing the potential for discriminatory or biased outcomes.
Autonomous Systems Officer
The proposed amendments refine the treatment of the Autonomous Systems Officer, or ASO, in Regulation 10.3.3. Where a system is used for High Risk Processing Activities, the ASO is expected to have competencies and organisational authority broadly comparable to those of a DPO, but with additional regulatory, technical and organisational expertise relevant to system governance and certification.
For organisations that must appoint an ASO, the immediate practical question will be whether the existing DPO can properly perform that role. That assessment should not be treated as automatic, and businesses that require an ASO will need to consider whether their DPO has the additional technical and governance background required by the Regulations.
The related change to Regulation 10.3.4 is also relevant. Even where an entity is not required to appoint an ASO, it must still allocate responsibility internally for oversight and compliance in relation to these obligations. The DIFC is therefore maintaining a clear accountability expectation even where the formal ASO appointment threshold is not met.
New Regulation 11
The proposed amendments introduce a new Regulation 11, giving the Commissioner power to recognise accreditation and certification frameworks.
This may allow the DIFC to recognise external certification regimes and accreditation structures as equivalent, at least in appropriate cases. In practice, that may reduce the need for systems which have already been robustly certified under recognised frameworks to undergo a fully separate DIFC certification process from the beginning.
That will relieve the compliance burden for firms deploying systems across multiple jurisdictions and already working within established assurance frameworks.
Conclusion
The proposed amendments do not amount to a substantial restructuring of the Data Protection Regulations. They do not rewrite the underlying allocation of responsibility between deployers and operators, nor do they introduce a wholly new compliance architecture. Rather, they refine the language of Regulation 10, add safety as an express design concept, acknowledge the move to physical AIs, develop the ASO framework and introduce an express mechanism for recognition of accreditation and certification frameworks.
For further information related to this article, please contact Diana Froyland, Senior Counsel, Commercial at d.froyland@hadefpartners.com.