UAE PDPL Compliance Checklist (2026): What Federal Decree-Law No. 45 Means for Your Business

SKIMBOX Team

The UAE PDPL has been law since January 2022. Here is a plain-English compliance checklist, who it covers, the truth about fines and deadlines in 2026, and when you really need a Data Protection Officer.

Last updated: June 2026

The UAE PDPL, short for Personal Data Protection Law, has been in force since January 2022, and it covers almost every business that handles people's personal data in the country. It is set out in Federal Decree-Law No. 45 of 2021. If you collect customer details, run a website that captures leads, or keep staff records, this law applies to you. This guide gives you a plain-English checklist, explains who is covered, clears up the confusion about fines and deadlines in 2026, and tells you when you really need a Data Protection Officer.

We help UAE businesses build the security and processes that data rules expect, so we deal with PDPL questions every week. Here is the honest picture, written so you do not need a law degree to follow it.

What is the UAE PDPL, in plain English?

The PDPL is the UAE's first federal law on how businesses handle personal data. It sets the rules for collecting, using, storing, sharing, and deleting any information that can identify a person, from a name and phone number to a photo or an online ID. It became law on 2 January 2022, and it applies across the whole country, except for a few areas covered by their own rules.

The law borrows many ideas from Europe's well-known GDPR, but it is not a copy. The most important difference is that the PDPL is built around consent. Under some other laws, a business can rely on a general "legitimate interest" to process data. The PDPL does not offer that broad option, so getting and proving consent matters more here. If your plan was to reuse a GDPR policy and call it done, that plan has gaps.

Does the PDPL apply to your business?

It applies to almost every business that handles personal data in the UAE, and even to some companies based abroad. You are covered if you are a controller, meaning you decide why and how data is used, or a processor, meaning you handle data for someone else, and you are based in the UAE. You are also covered if you sit outside the UAE but process the data of people inside it. So a foreign online store selling to UAE shoppers is caught by the law.

A few areas sit outside the PDPL because they have their own rules:

  • Government data and the bodies that handle it.
  • Health data covered by the UAE's health data law.
  • Banking and credit data covered by financial rules.
  • DIFC and ADGM companies, which follow their own data laws.

Real talk: there is no free pass for small businesses. A two-person startup with a customer list is covered the same way a large company is. Size does not remove the duty; it only changes how much data you hold.

PDPL, DIFC, or ADGM: which law applies to you?

The law you follow depends on where your company is licensed, and getting this wrong is the most common mistake we see. Here is the simple decision guide.

  • Mainland UAE or a standard free zone (DMCC, JAFZA, IFZA, Dubai Internet City, and most others): you follow the federal PDPL.
  • DIFC: you follow the DIFC Data Protection Law No. 5 of 2020, with its own regulator.
  • ADGM: you follow the ADGM Data Protection Regulations 2021, with its own regulator.
  • Selling to EU customers as well: you may also need to follow Europe's GDPR on top of your UAE law.

One thing that surprises people: moving personal data between these zones can count as a cross-border transfer. So a mainland company sharing data with a DIFC partner cannot assume one policy covers both sides. Check which law each part of your group sits under before you build a single privacy policy for everyone.

The big 2026 question: are the rules and fines final yet?

No, and this is the part most articles get wrong. The PDPL is binding law, but its detailed rulebook, called the Executive Regulations, has not been published as of mid-2026. That rulebook is meant to fix the exact details, such as the precise breach reporting deadline, the thresholds for needing a Data Protection Officer, and the fine amounts. Until it is out, those specific details are not final.

This leads to two honest points you should know.

First, be careful with fine figures you see online. The PDPL does not set fine amounts itself. A separate Cabinet decision will list the penalties, and that decision is still pending. So any exact dirham fine you see quoted for the federal PDPL is unofficial guesswork. The fines that are official and real are in the free zones: DIFC fines run from USD 25,000 to USD 100,000 per breach, plus an uncapped fine for serious cases, and ADGM fines can reach USD 28 million.

Second, enforcement is coming, not absent. In June 2026, the UAE created the Federal Authority for Artificial Intelligence and Data, which brought the data regulator into a single, stronger body. This is the authority expected to publish the Executive Regulations and start real enforcement. When the rulebook lands, businesses get six months to get in line, with a possible six-month extension. That window sounds comfortable, but proper compliance work takes longer than people expect.

Pro tip: treat the current quiet period as a gift, not an excuse. The businesses that prepare now will simply confirm they are ready. The ones that wait will be rushing against a six-month clock while also trying to win deals from buyers who already ask how you handle data.

Your PDPL compliance checklist

Here is the practical, step-by-step checklist to get your business in line with the PDPL. Work through it in order, because each step builds on the one before.

  1. Map your data first. List what personal data you collect, where it is stored, why you have it, who can access it, how long you keep it, and where it goes, including any transfers abroad. You cannot protect what you have not mapped.
  2. Fix consent and privacy notices. Make sure you collect data with clear, specific consent where required, and that your privacy notice tells people what you do with their data in plain language. Remove pre-ticked boxes and vague terms.
  3. Write your record of processing. Both controllers and processors must keep a detailed record of their data activities. The regulator can ask to see it. Your data map from step one feeds straight into this.
  4. Tighten your security. The law requires appropriate technical and organisational measures, which can include encryption, controlled access, and the ability to recover data after an incident. This is where an ISO 27001 approach pays off.
  5. Set up a rights process. Give people a simple way to access, correct, delete, or object to the use of their data, and build an internal process to answer those requests properly.
  6. Plan for breaches. Have a written plan to spot a breach, report it to the regulator quickly, and tell affected people when their data is at risk.
  7. Run a DPIA for risky projects. Before any high-risk processing, run a Data Protection Impact Assessment to find and reduce the privacy risks.
  8. Check cross-border transfers. If you send data abroad, make sure you have a legal basis, usually a compliant contract or clear consent.
  9. Decide if you need a DPO. Work through the triggers in the next section.

Most businesses find that steps one and two reveal problems they did not know they had, like old data nobody owns or consent that was never properly collected.

When does your business actually need a DPO?

You need a Data Protection Officer if your data work is high risk, but the exact thresholds are still being defined. The PDPL says you must appoint a DPO in three cases: when your processing creates a high risk because of new technology or large data volumes, when you systematically assess sensitive data including profiling, or when you handle a large amount of sensitive data. Sensitive data means things like health, religion, race, and biometric records.

The honest catch is that the words "large amount" and "high risk" are not yet defined in numbers. The Executive Regulations will set those thresholds, and they are not published. So for now, whether a specific medium-sized business must appoint a DPO is a judgement call.

The practical answer: if you process sensitive data at any real scale, profile people, or run new high-risk technology, plan to have a DPO. The good news for smaller companies is that the PDPL lets the DPO be an outside person or firm, and that person can even be based outside the UAE. So you can get a qualified, fractional DPO and a named contact for the regulator without paying for a full-time senior hire.

What to do about a data breach

Under the federal PDPL, you must report a serious breach to the Data Office immediately once you become aware of it. The law uses the word "immediately" rather than a fixed number of hours, because the exact deadline is left to the Executive Regulations that are not yet published. So there is no fixed 72-hour rule in the federal PDPL, even though you may read that elsewhere. ADGM does use a 72-hour rule, and DIFC uses "as soon as practicable", so your exact duty depends on your zone.

Two things are clear no matter what. If you are a processor handling data for someone else, you must tell that client immediately when you spot a breach, so they can report it. And you must tell affected people when a breach puts their data at risk. The smart move is to assume a tight deadline is coming and build a breach plan that can move within a day, not a week.

Sending personal data outside the UAE

You can send UAE personal data abroad, but you need a proper legal basis. The PDPL allows transfers to countries the Data Office considers to have strong enough data protection, or otherwise through PDPL-compliant contract clauses or the clear consent of the person. The Data Office has not yet published a list of approved countries, so in practice most businesses today rely on contracts or consent.

For most companies, this comes up with cloud services. If you use a major cloud provider, you can often choose a UAE data region and sign standard contract terms that support a compliant transfer. Either way, write down your legal basis for each transfer. "We use a US cloud service" is not a plan; a documented contract or consent record is.

Common PDPL mistakes to avoid

A few mistakes come up again and again, and all of them are easy to fix once you know them.

  • Copying a GDPR policy word for word. The PDPL is consent-first and has no general legitimate interests basis, so a straight GDPR copy leaves gaps in how you justify processing.
  • Assuming the federal PDPL applies when you are in DIFC or ADGM. Check your licence zone first, because the wrong law means the wrong policy, the wrong regulator, and a missed registration.
  • Quoting scary fine figures as fact. The federal fine schedule is not published yet, so building your case for compliance on an invented dirham number can backfire when staff realise it is not official. Use the real reasons: legal duty, customer trust, and lost deals.
  • Treating consent as a one-time checkbox. People can withdraw consent at any time, so you need a way to record it, prove it, and let them change their mind.
  • Forgetting your own staff. Personal data is not just customer data. Employee records, CVs, and payroll all count, and they are often the least protected files in the business.

Real client stories

These are real situations from our compliance work. Names and a few details have been changed for privacy.

Aisha's e-commerce brand (mainland, Emirati founder). Aisha had been buying email lists to grow fast. We showed her that bought lists fail the PDPL consent test and that recipients can demand she stop. We helped her switch to a clean opt-in list. "I thought a bigger list was always better," she says. "Now I know an opt-in list of 2,000 is safer and sells more than 20,000 bought contacts."

Tom's SaaS startup (DIFC, British founder). Tom assumed the federal PDPL applied to him and built his policy around it. Because his company is in DIFC, he actually had to follow the DIFC law, register with the DIFC Commissioner, and pay the annual fee. "I was compliant with the wrong law," he says. "Check your zone before you write a single policy."

Priya's clinic group (mainland, Indian operations lead). Priya's team processed a large amount of health and patient data and had no DPO and no breach plan. We set them up with an outsourced DPO and a simple breach response process. "Hiring a full-time data officer felt impossible on our budget," she says. "A fractional DPO gave us the expertise without the salary."

How SKIMBOX helps with PDPL compliance

We help UAE businesses build the security and processes the PDPL expects, from data mapping and consent fixes to breach plans and an outsourced DPO. Because much of the law is about protecting data properly, an ISO 27001 approach gives you a strong, provable security foundation, and regular penetration testing shows your defences actually work. If you handle financial or health data, our CBUAE fintech compliance guide and healthcare and DHA compliance guide cover the extra sector rules.

If you want a straight assessment of where your business stands, see our cybersecurity services, or contact us.

Frequently asked questions

  • What is the UAE PDPL?

    The UAE PDPL is the Personal Data Protection Law, set out in Federal Decree-Law No. 45 of 2021. It is the country's first federal law covering how businesses collect, use, store, and share people's personal data. It has been in force since 2 January 2022. It is heavily influenced by Europe's GDPR but has its own rules, so you cannot simply copy a GDPR policy and assume you are compliant.

  • Does the UAE PDPL apply to my business?

    Most likely yes. The PDPL applies to any business in the UAE that handles personal data, and even to companies outside the UAE if they process the data of people inside the country. The main exceptions are government bodies, health and banking data covered by their own laws, and companies inside DIFC or ADGM, which follow their own data laws. Mainland and most free-zone companies fall under the PDPL.

  • Does the PDPL apply to small businesses and startups?

    Yes. There is no general exemption for small businesses or startups. The law applies no matter your size if you handle personal data, such as customer details, staff records, or website leads. The Data Office may later set lighter rules for very small data users, but those details depend on the Executive Regulations, which are not published yet. For now, a small business should plan to comply like anyone else.

  • Does the PDPL apply to free zone companies?

    It depends on the free zone. Companies in DIFC and ADGM follow their own separate data protection laws, not the federal PDPL. Companies in all other free zones, such as DMCC, JAFZA, IFZA, and Dubai Internet City, fall under the federal PDPL, because those zones do not have their own data protection law. So the answer comes down to which specific zone your licence is in.

  • Does the PDPL apply to a foreign or overseas company?

    Yes, if you handle the data of people in the UAE. The PDPL reaches beyond UAE borders. A company based anywhere in the world is covered if it processes the personal data of people inside the UAE, for example by selling to UAE customers online. This is similar to how Europe's GDPR reaches foreign companies. Location does not let you escape the law if your users are in the UAE.

  • What is the difference between UAE PDPL and GDPR?

    The PDPL is based on GDPR ideas but is not the same. The biggest difference is that the PDPL is consent-first and has no general legitimate interests basis, so you lean more on consent. The PDPL also does not fix a breach deadline or a response deadline in the law itself, and its fine amounts are still pending, while GDPR sets a 72-hour breach rule and fines up to 4 percent of global turnover. If you serve EU users, you may need to follow both.

  • Do I have to comply with both PDPL and GDPR?

    Possibly yes. If your business handles the data of people in both the UAE and the European Union, you may need to meet the PDPL and GDPR at the same time. The practical move is to build your data programme to the stricter of the two rules so you cover both at once. The UAE does not have an EU adequacy decision, so sending data from the EU to the UAE also needs its own safeguards.

  • Which law applies to me: PDPL, DIFC, or ADGM?

    It comes down to where your company is licensed. If you are in DIFC, you follow the DIFC Data Protection Law No. 5 of 2020. If you are in ADGM, you follow the ADGM Data Protection Regulations 2021. If you are on the mainland or in any other free zone, you follow the federal PDPL. Moving personal data between these zones can count as a cross-border transfer, so check before you assume one policy covers everything.

  • Have the PDPL Executive Regulations been issued yet in 2026?

    No. As of mid-2026, the Executive Regulations, which are the detailed rulebook that sits under the PDPL, have not been issued. This means some exact details, such as the precise breach reporting deadline, the DPO thresholds, and the fine amounts, are still undefined. The law itself is still binding, so you must comply with it now. The new Federal Authority for Artificial Intelligence and Data, set up in June 2026, is expected to finalise these regulations.

  • What are the fines for breaching the UAE PDPL?

    The PDPL does not set fine amounts itself. A separate Cabinet decision, proposed by the regulator, will list the violations and the penalties, and as of mid-2026 that schedule is still pending. This means any specific dirham fine figure you see quoted online for the federal PDPL is unofficial. By contrast, the free-zone fines are official: DIFC fines run from USD 25,000 to USD 100,000 per breach plus an uncapped serious-breach fine, and ADGM fines can reach USD 28 million.

  • Is the UAE PDPL actually being enforced?

    Enforcement has been limited so far, but that is changing. The federal regulator is not yet fully operational, and the penalty schedule is still pending, so large federal fines have not been a feature yet. The law is in force, though, and the new Federal Authority for Artificial Intelligence and Data, created in June 2026, is expected to drive real enforcement. The safe assumption is that proper enforcement is coming, so compliance now is the smart move.

  • Who regulates the PDPL in the UAE?

    The UAE Data Office is the federal regulator for the PDPL, created by Federal Decree-Law No. 44 of 2021. In June 2026, it was brought into a new body called the Federal Authority for Artificial Intelligence and Data, which now oversees data protection, artificial intelligence, and digital government in one place. This is the authority that is expected to publish the Executive Regulations and handle enforcement going forward.

  • How long will I have to become compliant once the regulations are issued?

    Six months. Once the Executive Regulations are published, businesses get a six-month window to bring their data practices in line, and the Cabinet can extend that by another six months. That sounds generous, but real compliance work, like mapping your data, fixing consent, and writing policies, takes time. The businesses that start now will simply confirm they are ready, while latecomers will be scrambling against the clock.

  • Do I need consent to collect personal data in the UAE?

    Usually yes. Under the PDPL, processing personal data without the person's consent is not allowed unless a specific exception applies, such as performing a contract, meeting a legal duty, protecting public health, or handling employment matters. Because the PDPL has no general legitimate interests basis, consent matters more here than under some other laws. When in doubt, get clear consent and keep a record that proves you have it.

  • What makes consent valid under the PDPL?

    Valid consent must be specific, informed, and unambiguous, given by a clear positive action, not a pre-ticked box. It must be easy to access and easy to withdraw, and you, as the business, must be able to prove you have it. A vague line buried in your terms is not enough. The cleanest approach is a clear consent request at the point of collection, with a simple way for the person to say no or change their mind later.

  • Can I send marketing messages to a purchased contact list in the UAE?

    No, that is not safe under the PDPL. The law does not accept implied consent, so a bought or scraped contact list almost certainly fails the consent test. People also have the right to stop you using their data for direct marketing at any time. Building your own opt-in list is the compliant path. Buying a list may feel faster, but it puts you on the wrong side of the law from the first message.

  • What rights do individuals have under the PDPL?

    People have strong rights over their data. These include the right to be told what you are doing with their data and to access it, the right to get a copy in a usable format, the right to correct or delete it, the right to restrict or stop certain processing, and the right to object to decisions made purely by automated systems. Your business needs a simple way for people to make these requests and a process to handle them.

  • Can someone force a UAE company to delete their data?

    Often yes, but not always. People have a right to erasure when the data is no longer needed, when they withdraw consent, or when the processing was unlawful. This right is not absolute, though. You can keep data when another law requires it, when it is needed for legal claims, or in certain public-health cases. So you must handle each deletion request properly rather than refusing or accepting it automatically.

  • When does a UAE business need a Data Protection Officer (DPO)?

    You need a DPO if your data work is high risk. The PDPL requires a DPO when processing creates a high risk from new technology or large data volumes, when you systematically assess sensitive data including profiling, or when you handle a large amount of sensitive data. The exact thresholds for large and high risk are still being defined in the Executive Regulations. The good news is a DPO can be outsourced and can even be based outside the UAE.

  • Can I outsource my Data Protection Officer?

    Yes. The PDPL allows the DPO to be an external person or company rather than a full-time employee, and the DPO can even be based outside the UAE. This matters for small and medium businesses, because hiring a full-time data protection expert is expensive. A fractional or outsourced DPO gives you the required expertise and a named contact for the regulator without the cost of a senior full-time hire.

  • Do I need to keep a record of processing activities?

    Yes. Both controllers and processors must keep a detailed record of their data processing. This record should cover what data you hold, why you process it, who can access it, how long you keep it, where it moves including across borders, and the security measures you use. The regulator can ask to see this record at any time. Building it is also the best first step in any compliance project, because it shows you exactly what you hold.

  • What is a DPIA and when do I need one?

    A DPIA, or Data Protection Impact Assessment, is a check you run before risky processing to find and reduce privacy risks. The PDPL requires one before you use high-risk new technology, before systematic profiling that has serious effects on people, or before processing a large amount of sensitive data. It does not need to be complicated. It describes the processing, weighs whether it is necessary, lists the risks, and sets out how you will reduce them.

  • What is the data breach notification rule in the UAE?

    Under the federal PDPL, you must report a serious data breach to the Data Office immediately once you become aware of it. The exact deadline in hours is left to the Executive Regulations, which are not published yet, so there is no fixed 72-hour rule in the federal law. You must also tell affected people when the breach puts their data at risk. ADGM uses a 72-hour rule, and DIFC uses "as soon as practicable", so the rule depends on your zone.

  • Can I store UAE personal data on US cloud services like AWS or Azure?

    Yes, with the right safeguards. The PDPL allows you to send personal data outside the UAE to countries the Data Office considers adequate, or otherwise through PDPL-compliant contract clauses or the person's clear consent. There is no published list of approved countries yet, so most transfers today rely on contracts or consent. Major cloud providers offer UAE data regions and standard contract terms that help, but you still need to document your legal basis.

  • How does ISO 27001 help with PDPL compliance?

    ISO 27001 covers much of the security side of the PDPL. The PDPL requires appropriate technical and organisational measures to protect personal data, and an ISO 27001 information security management system gives you exactly that, with documented controls, risk assessment, and evidence. ISO 27001 does not replace the PDPL, because the PDPL also has legal duties around consent and rights, but it is a strong foundation that makes the security parts of compliance much easier to prove.

  • What happens if I ignore the PDPL?

    You take on rising legal and business risk. While the federal fine schedule is still pending, the law is in force, people can complain to the regulator, and a new enforcement authority took shape in June 2026. Beyond fines, a data breach or a public complaint can cost you customer trust and enterprise deals, since UAE buyers increasingly check how vendors handle data. Waiting until enforcement is fully active leaves you exposed and rushed later.

  • How do I start a PDPL compliance project?

    Start by mapping your data. List what personal data you collect, where it lives, why you have it, who can see it, and where it goes, including any transfers abroad. From that map, fix your consent and privacy notices, write your record of processing, tighten security, set up a way to handle people's requests and breaches, and decide whether you need a DPO. Mapping first means every later step is based on what you actually hold, not guesswork.

  • Can I appeal a UAE Data Office decision or penalty?

    Yes. If the regulator issues a decision or penalty against you, you can file a written grievance to the Office's General Manager within 30 days of being notified. The grievance is then decided within 30 days. You cannot take the matter further without first filing this grievance. So if you disagree with a decision, act quickly and keep records, because the 30-day window is short and missing it limits your options.
