Amendments to the Data Protection Law and Data Protection Regulations, introduced by the Dubai International Financial Centre (DIFC), came into force in December 2012. DIFC Law No. 5 of 2012 (the Law) seeks to provide greater legal certainty by addressing a number of deficiencies and practicalities, which have been identified since the establishment of the DIFC in 2004. The Law applies to all companies operating within the DIFC Free Zone. There are a number of significant changes that bring the DIFC’s Data Protection Law in line with international best practices including: the introduction of administrative fines which were absent under the 2007 law and the introduction of a ‘duty to notify change’. A Data Controller must notify the Commissioner of Data Protection of any changes to the particulars of the Data Controller’s notification to the Commissioner and failure to do so is a contravention of the law. The Law is designed to balance the legitimate needs of businesses and organizations to process personal information with the importance of upholding an individual’s right to privacy, and it is still unclear whether the Commissioner of Data Protection plans to increase data protection compliance.