Data Strategy Briefing — November 28, 2021

Executive briefing: The United Arab Emirates issued Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data on 28 November 2021. The law establishes legal bases for processing, data subject rights, controller and processor obligations, breach notification duties, and cross-border transfer mechanisms under the supervision of the UAE Data Office.

Key governance checkpoints

Consent and legal bases. Document lawful bases for processing, ensuring explicit consent for sensitive data categories and compliance with purpose limitation.
Data subject rights. Implement procedures for access, correction, erasure, and portability requests, with response timelines not exceeding 30 days unless extended.
Cross-border transfers. Evaluate adequacy determinations, contractual safeguards, and explicit consent pathways required for exporting personal data.

Operational priorities

Governance model. Assign a data protection officer where large-scale or high-risk processing occurs, and register controllers with the UAE Data Office once regulations issue.
Breach response. Prepare to notify the UAE Data Office and affected individuals without undue delay following discovery of an incident that compromises data security.
Vendor assurance. Update processor agreements with confidentiality, sub-processing, localisation, and audit provisions mandated by the law.

Enablement moves

Monitor forthcoming executive regulations that will clarify timelines, fines, and registration processes.
Coordinate privacy controls with free-zone regulators (e.g., DIFC, ADGM) to reconcile overlapping regimes.

Sources

Zeph Tech helps UAE-based organisations stand up PDPL compliance frameworks, cross-border transfer assessments, and UAE Data Office engagement plans.