What Is the UAE PDPL?

The Personal Data Protection Law (PDPL) is the UAE's federal data privacy law, issued as Federal Decree-Law No. 45 of 2021 and in force since 2 January 2022. Think of it as the UAE's answer to Europe's GDPR: similar concepts, but with its own definitions, carve-outs and regulator (the UAE Data Office).

In simple terms, the PDPL sets rules for how businesses collect, store, use, share, and delete personal data belonging to individuals in the UAE.

Personal data means any information that can identify a person — directly or indirectly. This includes:

  • Names, phone numbers, email addresses
  • Emirates ID numbers, passport numbers
  • Financial information (bank accounts, salary)
  • Health and medical records
  • Location data, IP addresses
  • Biometric data (fingerprints, facial recognition)

If your business handles any of this data — and almost every business does — the PDPL applies to you.


Who Needs to Comply?

The PDPL applies to:

  • Any controller or processor established in the UAE that processes personal data, whether the data subjects are inside or outside the country
  • Any controller or processor outside the UAE that processes personal data of data subjects who are in the UAE
  • Businesses of every size; there is no small-business exemption

The Decree-Law does carve out several categories: government data and government entities, personal data held by security and judicial authorities, individuals processing data for purely personal purposes, and health and banking or credit data that is already governed by its own legislation. If you fall into one of those categories, you are subject to the sector-specific rules rather than free of data protection obligations.

Companies located in a free zone that has its own data protection law, such as the DIFC (DIFC Data Protection Law No. 5 of 2020) and the ADGM (ADGM Data Protection Regulations 2021), are excluded from the federal PDPL and follow that free zone's regime instead. Companies in free zones without their own data protection law remain subject to the PDPL.


Your PDPL Compliance Checklist

Here is a practical, step-by-step checklist to get your business compliant:

1. Appoint a Data Protection Officer (DPO)

The PDPL requires a DPO where your processing is likely to pose a high risk to individuals' privacy (for example because of new technologies or the volume of data), involves systematic and comprehensive evaluation of sensitive data such as profiling or automated decision-making, or involves large volumes of sensitive personal data. Note that "sensitive" has a statutory meaning here: data revealing ethnic or racial origin, political or philosophical opinions, religious beliefs, criminal record, biometric data and health data. Ordinary financial details are personal data and must be protected, but they are not sensitive data in the PDPL's sense. The DPO is responsible for:

  • Overseeing your data protection strategy
  • Ensuring compliance with the PDPL
  • Serving as the contact point for data subjects and regulators
  • Conducting or coordinating data protection impact assessments

For smaller businesses: Even if a full-time DPO is not required, someone in your organization should be clearly responsible for data protection.

2. Create a Data Inventory

You cannot protect what you do not know about. Map out:

  • What personal data you collect (customer names, employee records, website analytics, etc.)
  • Where it is stored (local servers, cloud services, third-party platforms, paper files)
  • How it flows through your organization (who collects it, who accesses it, who it is shared with)
  • How long you keep it and when/how it is deleted

This data map is the foundation of everything else in your compliance program.

3. Establish a Legal Basis for Processing

Under the PDPL, consent is the default requirement, and every other ground is a statutory exception listed in the law. The grounds you are most likely to rely on:

  • Consent — the individual has given clear, informed consent
  • Contractual necessity — you need the data to perform a contract with the individual or to take steps at their request before entering one
  • Legal obligation — you are required by UAE law to process the data
  • Protecting the data subject's interests — for example, processing needed to protect their life or safety
  • Other listed exceptions — such as processing needed for legal claims, for employment or social-protection obligations, for public health, or where the data subject has already made the data public

Unlike the GDPR, the PDPL has no general "legitimate interests" ground. If none of the listed exceptions fits your purpose, you need consent; a plausible business reason on its own is not enough.

Key rule: If you rely on consent, it must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not count. The individual must be able to withdraw consent as easily as they gave it.

4. Update Your Privacy Notices

Your customers, employees, and website visitors need to know:

  • Who is collecting their data (your company name and contact details)
  • What data is being collected
  • Why it is being collected (the purpose)
  • How long it will be kept
  • Who it will be shared with (third parties, overseas transfers)
  • What rights they have (access, correction, deletion, etc.)

This information should be:

  • Written in clear, simple language (not legal jargon)
  • Easily accessible — on your website, in your app, in employment contracts
  • Available in Arabic and English to cover the UAE's diverse population

5. Implement Data Subject Rights

The PDPL gives individuals specific rights over their personal data. Your business must be able to handle:

  • Right of access — individuals can ask what data you hold about them
  • Right to correction — they can ask you to fix inaccurate data
  • Right to deletion — they can ask you to delete their data (with some exceptions)
  • Right to restrict processing — they can ask you to stop using their data in certain ways
  • Right to data portability — they can ask for their data in a machine-readable format
  • Right to object — they can object to certain processing, notably direct marketing, and to decisions that are taken solely by automated processing with no human involvement

Practical step: Create a clear process for handling these requests. Who receives them? How quickly must you respond? How do you verify the requester's identity without collecting more data than the request itself needs? Log every request, the verification you performed and the response you gave, so you can show the regulator how the right was honoured.

6. Secure Your Data

The PDPL requires you to implement appropriate technical and organizational measures to protect personal data. This includes:

Technical measures:

  • Encryption of data at rest and in transit
  • Access controls and authentication (MFA)
  • Regular security updates and patching
  • Firewalls and intrusion detection systems
  • Regular backups
  • Secure data deletion when no longer needed

Organizational measures:

  • Security policies and procedures
  • Employee training on data handling
  • Background checks for staff with access to sensitive data
  • Vendor security assessments
  • Incident response procedures

7. Manage Cross-Border Data Transfers

If you transfer personal data outside the UAE — for example, using cloud services hosted in another country or sharing data with an overseas parent company — you need to ensure adequate protection:

  • The receiving country must have adequate data protection laws, OR
  • You must put appropriate safeguards in place (contractual clauses, binding corporate rules)
  • In some cases, you may need explicit consent from the data subject

Common scenario: If you use AWS, Google Cloud, or Microsoft Azure, your data may be stored in data centres outside the UAE. Check where each service actually keeps your data and whether a UAE region is available (AWS has me-central-1; Azure has UAE North and UAE Central; check your provider's current region list). Choosing a region only answers where the primary copy lives: cross-region replication, backups, log and monitoring destinations, CDN edge caches and vendor support access can each move the data out of the country, so audit those paths too.
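A concrete way to start the "check where your data is hosted" step on AWS is to list every S3 bucket and flag any that sit outside the region you have approved. The script below is an added example written for this article, not code from the original page or from AWS; it assumes me-central-1 is your only approved region and that the inventory has the shape returned by boto3's `list_buckets()` and `get_bucket_location()`. The part a practitioner most often gets wrong is that `GetBucketLocation` reports us-east-1 as a null `LocationConstraint` and eu-west-1 as the legacy value `"EU"`; a naive check that treats null as "no region" or "unknown" lets a US bucket pass a residency audit.

```python
"""Audit S3 bucket locations against an approved data-residency region.

Added example for this article (not AWS's or the page author's code).
Assumption: UAE-resident personal data may only live in me-central-1.
"""
from __future__ import annotations

# GetBucketLocation uses two legacy encodings that a residency check must
# normalise before comparing: a null LocationConstraint means us-east-1,
# and the string "EU" means eu-west-1.  Treating these as "unknown" would
# silently pass buckets that are outside the UAE.
LEGACY_LOCATIONS = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}

# Assumption for this example: the only approved region.
DEFAULT_ALLOWED_REGIONS = frozenset({"me-central-1"})


def normalize_location(location_constraint: str | None) -> str:
    """Map a raw LocationConstraint value to a canonical AWS region name."""
    return LEGACY_LOCATIONS.get(location_constraint, location_constraint)


def audit_residency(buckets: dict[str, str | None],
                    allowed: frozenset[str] = DEFAULT_ALLOWED_REGIONS) -> list[tuple[str, str]]:
    """Return (bucket_name, region) for every bucket outside the allowed regions.

    `buckets` maps bucket name -> raw LocationConstraint exactly as S3 reports it.
    The result is sorted so repeated audits produce a stable, diffable report.
    """
    violations = []
    for name, raw in buckets.items():
        region = normalize_location(raw)
        if region not in allowed:
            violations.append((name, region))
    return sorted(violations)


def collect_bucket_locations() -> dict[str, str | None]:
    """Live inventory via boto3 (needs credentials and network; not run offline)."""
    import boto3  # imported here so the audit logic works without boto3 installed

    s3 = boto3.client("s3")
    inventory: dict[str, str | None] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        resp = s3.get_bucket_location(Bucket=bucket["Name"])
        inventory[bucket["Name"]] = resp.get("LocationConstraint")
    return inventory


# Constructed sample inventory for offline demonstration; not real buckets.
SAMPLE_BUCKETS = {
    "crm-exports-uae": "me-central-1",   # compliant
    "hr-records": None,                  # actually us-east-1
    "legacy-backups": "EU",              # actually eu-west-1
    "analytics-raw": "eu-central-1",     # plainly outside the UAE
}

if __name__ == "__main__":
    # Swap SAMPLE_BUCKETS for collect_bucket_locations() to audit a real account.
    for name, region in audit_residency(SAMPLE_BUCKETS):
        print(f"OUTSIDE APPROVED REGION: s3://{name} is in {region}")
```

Running it against the constructed inventory reports hr-records, legacy-backups and analytics-raw. A one-off audit only tells you today's state; to stop new buckets appearing elsewhere, pair it with a preventive control such as an AWS Organizations service control policy that denies requests whose `aws:RequestedRegion` is not me-central-1, remembering to exempt global services (IAM, STS, Route 53, CloudFront) that only answer from us-east-1. The same normalisation concern applies to any provider whose API reports a default region implicitly.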

8. Prepare for Data Breaches

The PDPL requires you to notify the UAE Data Office as soon as you become aware of a breach that would prejudice the privacy or security of individuals' personal data, and to notify the affected individuals where the breach poses a risk to them. The notification has to describe what happened, what data was affected, the likely consequences and what you have done about it, so you cannot produce it without preparation. You need:

  • A breach detection system — how will you know when a breach has occurred?
  • A response plan — who does what in the first hour, first day, first week?
  • Notification procedures — how and when will you notify the authorities and affected individuals?
  • Documentation — keep records of all breaches, even minor ones

9. Conduct Data Protection Impact Assessments (DPIAs)

The PDPL requires a DPIA before processing that uses new technologies and is likely to pose a high risk to individuals. As a matter of good practice, run one before any new project or process that involves significant personal data processing, so you identify and mitigate privacy risks while the design can still change. This is especially important for:

  • Launching a new app or website that collects user data
  • Implementing employee monitoring systems
  • Using automated decision-making or profiling
  • Processing sensitive data as the PDPL defines it (health, biometric, or data revealing ethnic origin, religious beliefs or criminal record)

10. Train Your Team

Your employees are your first line of defence — and your biggest risk if they are not trained. Ensure:

  • All staff receive basic data protection training
  • Staff who handle personal data regularly receive more detailed training
  • Training is repeated annually and updated when laws or processes change
  • Training covers real scenarios relevant to your business, not generic slideshows

Penalties for Non-Compliance

The PDPL provides for administrative penalties, but leaves the fine schedule to a Cabinet resolution proposed by the UAE Data Office's Director General, so check the current executive regulations for the exact amounts. Penalties can be substantial, and the reputational damage from a publicized data protection failure can be even more costly.

Beyond fines, non-compliance can lead to:

  • Loss of government contracts — public sector entities increasingly require vendors to demonstrate data protection compliance
  • Loss of customer trust — consumers in the UAE are becoming more aware of their privacy rights
  • Legal action from individuals whose data rights have been violated

How Underwings Can Help

Navigating the PDPL does not have to be overwhelming. At Underwings, we help UAE businesses:

  • Assess your current compliance level with a thorough gap analysis
  • Build your data inventory and map data flows
  • Write your privacy policies in clear, compliant language
  • Implement technical security controls that meet PDPL requirements
  • Train your staff with practical, engaging training sessions
  • Prepare for and respond to data breaches with incident response planning

We understand the UAE business environment, the regulatory landscape, and the practical challenges of compliance for companies of all sizes.

Not sure where you stand? Contact us for a free PDPL readiness assessment.