The UAE Personal Data Protection Law: A Compliance Roadmap for Businesses Handling Personal Data
The PDPL establishes rights and obligations that require significant operational changes for data-intensive businesses. We outline the key obligations, timelines, and readiness steps.
What you will learn from this article
- Federal Decree-Law No. 45 of 2021, known as the UAE Personal Data Protection Law (PDPL), represents the most significant data governance legislation in UAE history.
- The PDPL establishes a consent-based framework for personal data processing, with six lawful bases for processing that broadly mirror the GDPR model: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
- Data subject rights under the PDPL include: the right to access personal data, the right to correction, the right to erasure, the right to data portability, and the right to object to processing.
- Cross-border data transfers are subject to adequacy requirements.
Federal Decree-Law No. 45 of 2021, known as the UAE Personal Data Protection Law (PDPL), represents the most significant data governance legislation in UAE history. Together with its executive regulations and the concurrent operation of emirate-specific and sector-specific data protection frameworks in ADGM and DIFC, it creates a layered compliance environment that affects virtually every business handling personal data in or relating to the UAE.
The PDPL establishes a consent-based framework for personal data processing, with six lawful bases for processing that broadly mirror the GDPR model: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. For most commercial data processing activities, consent or legitimate interests will be the operative basis — and both require careful documentation and implementation.
Data subject rights under the PDPL include: the right to access personal data, the right to correction, the right to erasure, the right to data portability, and the right to object to processing. Each of these rights requires a corresponding operational process: a mechanism for receiving and validating requests, a timeline for response (one month for most requests), and a procedure for escalation to the UAE Data Office when requests are disputed.
Cross-border data transfers are subject to adequacy requirements. Personal data may only be transferred outside the UAE to jurisdictions that the UAE Data Office has designated as providing adequate protection, or under approved safeguards including standard contractual clauses, binding corporate rules, or explicit consent. Many UAE businesses are currently in breach of these requirements without being aware of it.
Data breach notification obligations require businesses to notify the UAE Data Office within 72 hours of becoming aware of a breach that is likely to result in harm to data subjects. This requires: an incident response plan, a breach assessment process, and a clear escalation path to the designated person responsible for data protection compliance. Regulators in comparable jurisdictions have consistently imposed significant penalties on organisations that failed to notify within the prescribed period.
The intersection of the PDPL with sector-specific requirements — particularly those of the UAE Central Bank, the Health Data Law, and the ADGM and DIFC data protection regulations — creates complexity for regulated businesses. Where multiple frameworks apply, compliance planning needs to identify the more demanding standard on each issue and design a single programme that satisfies all applicable requirements.
Practical readiness requires five core elements: a data mapping exercise to identify what personal data is held, where, and why; an updated privacy notice and consent mechanism; a data subject rights fulfilment process; a data breach response plan; and a vendor management programme covering data processing agreements with all third-party processors. For most UAE businesses, the data processing agreement backlog is the most time-consuming compliance workstream.
This article is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is formed by reading it. For advice specific to your situation, please contact Al Sakr & Co. directly.