The UAE PDPL imposes binding obligations on every business that processes the personal data of UAE residents. We deliver readiness audits, gap remediation, and ongoing operations against the PDPL, using Microsoft Purview and Priva where they fit, manual policy work where they do not.

A current, accurate inventory of every processing activity: purpose, categories of data subjects and data, recipients, retention, cross-border transfers. We build the RoPA in a tracked register, not a stale spreadsheet.
Per-activity assessment: consent, contract performance, legal obligation, vital interest, public task, or legitimate interest. Documented in the RoPA, refreshed when activities change.
Operational process for access, rectification, erasure, restriction, portability, and objection requests. Microsoft Priva DSR module or a Power Automate workflow against your data sources, with deadline tracking.
Microsoft Defender + Sentinel for detection, a written incident-response runbook for triage, a notification template aligned to the UAE Data Office 72-hour requirement. Quarterly tabletop exercise to keep the team practised.
Health, biometric, genetic, religious, political, and similar special-category data treated with stricter controls: encryption at rest, narrower access, explicit consent, longer audit retention.
Whitelist of jurisdictions with adequate protection, contractual safeguards (SCC-equivalent clauses) for the rest, transfer impact assessments where relevant. Tracked per data flow, not assumed.
Plain-language privacy notices that match the actual processing, not a generic template. Consent capture, withdrawal, and audit trail across customer-facing systems (website, CRM, mobile app, in-person sign-up).
Article 27 obligations on processors. We draft or review the data-processing addendum (DPA) language with your vendors (HR system, payroll, cloud provider, marketing tools) to make it audit-defensible.
DPIA template aligned to PDPL Article 21, triggered for high-risk processing (new system go-live, large-scale monitoring, special-category data). Output filed in the compliance register and refreshed annually.
Microsoft Purview, Priva, Defender, and Sentinel are great where they fit. We use them. But the PDPL also requires policy, contract, and human-process work that no tool can do. Our engagements deliver both.
A PDPL policy that sits in a folder is not compliance. We embed DSR handling into your helpdesk, breach response into your SOC, RoPA updates into your change-management. The compliance lives in day-to-day operations.
Audit-ready evidence delivered every quarter: DSR fulfilment log, breach register (even if empty), DPIA log, RoPA changes, training completion. If the UAE Data Office knocks, you hand them a folder.
Role-based training: customer-service teams on DSR escalation, IT on breach detection, marketing on consent capture, HR on employee-data handling, leadership on accountability. Recorded sessions for new joiners.
KYC data, transaction history, biometric authentication. DFSA-licensed firms have parallel obligations. The PDPL adds an explicit personal-data layer.
Patient records are special-category data under PDPL Article 6. Parallel DHA Health Information Privacy regulation applies. Layered compliance.
Customer marketing databases, loyalty programs, e-commerce checkout. Consent capture, marketing opt-out, profile-export DSR requests.
Tenant identity records, financial qualification data, CCTV at common areas. Often under-controlled relative to data sensitivity.
Student records, parent contact, biometric attendance, special-category health/disability data. Minors' data carries additional consent requirements.
CVs, interview notes, biometric attendance, payroll, performance data. The employer and the recruiter are each a controller or a processor depending on the case.
| Feature | UAE PDPL | EU GDPR |
|---|---|---|
| Effective date | 2 January 2022 | 25 May 2018 |
| Regulator | UAE Data Office | Per-country DPA |
| Breach notification window | Without undue delay | 72 hours |
| DPO mandatory | Conditional | Conditional |
| DSR response window | 30 days | 1 month, extendable |
| Cross-border restriction | Whitelist + safeguards | Adequacy + SCCs |
| Penalty cap | Set in executive regulations | 4% global turnover |
| Free-zone application | DIFC and ADGM excluded (own laws) | N/A |
2-3 weeks: Workshop-led discovery: data flows, current policies, contracts, technical controls, training status. Output: a written gap report mapped to each PDPL article with a prioritised remediation roadmap.
3-4 weeks: RoPA register populated, lawful-basis assessment per activity, privacy notices rewritten, controller-processor contracts reviewed, DPIA template deployed, breach playbook written. Microsoft Priva and Purview configured if you are on M365.
2-3 weeks: DSR workflow embedded in your service desk, breach detection wired into Defender/Sentinel, training rolled out role-by-role, quarterly evidence-pack cadence agreed. The compliance starts living in operations.
Ongoing: Quarterly RoPA refresh, DSR log review, breach drill, DPIA log update, training delivery to new joiners, evidence pack assembled. Annual full re-audit against the law as the executive regulations evolve.
“We engaged GR for a PDPL readiness audit and ended up restructuring how seven business systems handle personal data. The output was not a 200-page report; it was a working register, a DSR workflow in our helpdesk, and a breach drill we ran in week eight. Twelve months in, our quarterly evidence pack is the cleanest compliance asset we have.”
A two-to-three week structured audit covering RoPA, lawful basis, DSR, breach response, transfer governance, contracts, and training. Output: a remediation roadmap prioritised by risk. No commitment to an ongoing engagement.