
DIFC Data Protection Regulation 10: AI Systems and Compliance

A roadmap for embedding ethics, transparency, and accountability into AI systems under DIFC’s new framework

The Riffle

Artificial Intelligence is rapidly reshaping the way organizations operate, but with innovation comes responsibility. The Dubai International Financial Centre (DIFC) has introduced Data Protection Regulation 10, a framework designed to ensure that AI systems handling personal data are built on the principles of ethics, fairness, transparency, and accountability. The regulation does not just set compliance rules; it redefines how businesses must approach AI governance, from system certification and clear accountability structures to the appointment of specialized officers overseeing high-risk AI use. In this article, we break down what Regulation 10 is, why it matters, and how companies can align their AI systems with DIFC's standards.

A Step Toward Privacy by Design

Regulation 10 reflects DIFC’s commitment to embedding “privacy by design and default” into advanced technologies. Aligned with global benchmarks like the OECD guidelines, the regulation applies to any AI system that processes personal data for human-defined or human-approved purposes.

At its core, the regulation mandates that AI systems must:

  • Be designed around ethics, fairness, transparency, security, and accountability.

  • Provide clear notices to individuals about how their data is being used and the potential impacts on their rights.

  • Maintain an AI register documenting use cases.

  • Offer evidence of protective measures to regulators or affected parties when required.

This foundation ensures that privacy considerations are no longer an afterthought but part of AI systems from day one.

High-Risk Processing: The Key Obligations

When AI systems are used for commercial purposes and involve high-risk data processing, Regulation 10 imposes two critical requirements:

  1. System Certification

    • AI systems must be certified under a scheme established by the DIFC Commissioner.

    • Certification is system-specific, not entity-specific, and is overseen by accredited certification bodies.

    • Entities cannot deploy or operate uncertified AI systems for commercial purposes.

  2. Appointment of an Autonomous Systems Officer (ASO)

    • Both Deployers and Operators engaging in high-risk processing must appoint an ASO.

    • The ASO’s role mirrors that of a Data Protection Officer (DPO), ensuring compliance and oversight.

    • An organization can appoint the same individual as both DPO and ASO if that person has the competencies required for both roles.

Accountability Through Defined Roles

Regulation 10 brings clarity by introducing three distinct roles in the AI lifecycle:

  • Deployer: Directs or benefits from the operation of a system (akin to a Data Controller).

  • Operator: Runs or supervises the system on behalf of the Deployer (akin to a Data Processor).

  • Provider: Develops or commissions the AI system for sale.

This framework ensures that accountability does not get blurred in multi-party arrangements: both Deployers and Operators are held responsible for certification and compliance.

Support for Organizations

Recognizing the complexity of AI governance, the DIFC Commissioner’s Office has introduced resources to guide entities through compliance:

  • Training & Workshops on privacy by design, certification processes, and regulatory updates.

  • Guidance Documents, including FAQs, general guidance, and the accreditation framework for certification.

  • Ongoing Engagement, with opportunities for organizations to clarify requirements and align with global best practices.

Why This Matters

In an era where AI adoption is accelerating, trust is currency. Regulation 10 ensures that organizations using AI in the DIFC build that trust by prioritizing transparency, accountability, and ethics in how personal data is processed. For businesses, compliance isn’t just about avoiding penalties — it’s about demonstrating responsibility, attracting investors, and maintaining customer confidence.

Key Takeaway

DIFC’s Regulation 10 is not just a compliance requirement; it’s a roadmap for responsible AI. Organizations that integrate these principles early will be better positioned to innovate with confidence, safeguard trust, and thrive in a data-driven future.

Read the full detailed briefing presented by 10 Leaves here:

Briefing on DIFC Data Protection Regulation 10: AI Systems and Compliance (PDF)