The UAE Personal Data Protection Law (PDPL) is Federal Decree-Law No. 45 of 2021 — the country's first federal, GDPR-style data protection law. It sets out how organisations may collect, process, store, and share the personal data of individuals in the UAE, and gives those individuals defined rights over their data. This guide explains what UAE businesses must know.
The PDPL was issued on 20 September 2021 and took effect on 2 January 2022. It is overseen by the UAE Data Office. As of early 2025, the law's executive (implementing) regulations had not yet been published; once they are issued, organisations are expected to get a further grace period (reported as six months) to align. Because details may change, always confirm the current position before finalising your compliance programme.
Who the PDPL applies to
The PDPL applies broadly to the processing of personal data of data subjects inside the UAE, including by businesses based in the UAE and, in defined cases, those outside it. Note that the DIFC and ADGM financial free zones have their own separate data protection laws (DIFC Data Protection Law and ADGM Data Protection Regulations), so businesses there follow those regimes instead.
Core principles every business should apply
- Lawful basis & consent — process personal data fairly, transparently, and for a clear purpose; obtain consent where required.
- Data minimisation — collect only what you need, and keep it only as long as necessary.
- Security — apply appropriate technical and organisational safeguards to protect personal data.
- Individual rights — be able to honour requests to access, correct, delete, or restrict use of personal data, and to data portability.
- Breach handling — detect, document, and notify the Data Office and affected individuals of breaches as required.
- Cross-border transfers — transfer personal data abroad only where adequate protection or an approved safeguard exists.
A practical PDPL readiness checklist
| Step | What to do |
|---|---|
| 1. Map your data | Build a record of what personal data you hold, where it lives, and why. |
| 2. Review consent & notices | Update privacy notices and consent capture to be clear and specific. |
| 3. Lock down security | Apply access controls, encryption, MFA, and logging to systems holding personal data. |
| 4. Enable rights requests | Create a process to respond to access, correction, and deletion requests. |
| 5. Prepare for breaches | Have an incident response and notification plan ready before you need it. |
| 6. Govern transfers & vendors | Check where data goes and ensure processors are contractually bound. |
PDPL compliance is as much a security exercise as a legal one. Isstah's cybersecurity services help UAE businesses put the technical safeguards in place — access control, encryption, monitoring, and breach readiness — that the PDPL expects. Get in touch for a readiness review.
This article is general information, not legal advice. Consult a qualified UAE data protection lawyer for advice on your specific obligations.
Frequently asked questions
What is the UAE PDPL?
The UAE PDPL is Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data — the UAE's first federal, GDPR-style data protection law. It governs how organisations collect, use, store, and share personal data of individuals in the UAE and is overseen by the UAE Data Office. It took effect on 2 January 2022.
Have the UAE PDPL executive regulations been published?
As of early 2025, the executive (implementing) regulations to the PDPL had not yet been published. Once issued, organisations are expected to receive a further grace period to comply. Businesses should monitor official UAE Data Office announcements for the current status.
Does the PDPL apply to DIFC and ADGM companies?
No. Companies in the DIFC and ADGM financial free zones are governed by their own data protection laws — the DIFC Data Protection Law and the ADGM Data Protection Regulations respectively — rather than the federal PDPL.
How can a business start preparing for PDPL compliance?
Begin by mapping the personal data you hold, updating privacy notices and consent, tightening security controls such as access management and encryption, and preparing a breach-response and data-subject-request process. A cybersecurity partner can help implement the technical safeguards.
About the author — Written by the Isstah Technologies team. Isstah Technologies is a Dubai-based IT and cybersecurity system integrator serving businesses across the GCC, delivering cybersecurity, cloud integration, network & infrastructure, and digital transformation.