Federal Decree-Law No. 45 of 2021, the UAE Personal Data Protection Law, represents the most significant development in UAE data privacy law in a generation. The law applies to the processing of personal data of individuals located in the UAE, with extraterritorial reach for data processed abroad where that processing relates to UAE residents. For most businesses operating in the UAE, compliance is not optional, and the obligation is not limited to digital businesses. Any organisation that collects, stores, or uses personal data about UAE-based individuals is subject to its provisions.
The PDPL establishes a consent-based processing framework with a set of lawful bases for processing that map broadly onto the GDPR structure familiar to multinational businesses. However, the UAE implementation has meaningful local characteristics. The law grants the UAE Data Office broad supervisory and enforcement powers, and the penalty regime (up to AED 20 million for certain violations) creates a material compliance imperative for organisations operating at scale.
A practical compliance programme for PDPL purposes should proceed in four phases. The first is a data mapping and gap analysis exercise: identifying what personal data the organisation holds, where it is stored, how it flows across business units and jurisdictions, and what processing activities are currently conducted without an adequate lawful basis. Many organisations find this exercise reveals processing activities that were never formally documented and consent practices that were inherited from older operational systems.
The second phase involves updating the organisation's legal framework: privacy notices, consent mechanisms, data processing agreements with vendors and sub-processors, and internal policies covering retention, access, and security. The PDPL's cross-border transfer provisions are particularly important for multinational organisations.
The third and fourth phases, implementation and ongoing governance, are where many compliance programmes stall. Deploying a data subject rights response process, training staff on the new obligations, and building a culture of privacy-by-design all require sustained management attention.