Policy Briefing — UAE Personal Data Protection Law Commences

Executive briefing: On January 2, 2022, the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection entered into force. The statute introduces lawful basis requirements, data subject rights, and controller/processor obligations outside the financial free zones, with enforcement led by the UAE Data Office.

Immediate compliance priorities

• Governance uplift. Assign data protection officers where processing high-risk activities and develop registers of processing activities that cover UAE operations.
• Cross-border reviews. Assess international data transfers and document reliance on adequacy decisions, contractual clauses, or other permitted mechanisms.
• Individual rights response. Configure intake and fulfillment processes for access, correction, erasure, and portability requests within the statutory timelines.

Control alignment

• Policy harmonization. Align privacy notices and consent capture with the law's transparency, sensitive data, and children's data requirements.
• Security safeguards. Embed technical and organizational measures proportionate to the risk, including encryption, segregation, and breach detection.
• Processor oversight. Refresh vendor contracts to include purpose limitation, confidentiality, and incident reporting clauses mandated by the law.

Enablement moves

• Monitor forthcoming executive regulations and guidance from the UAE Data Office clarifying implementation obligations.
• Deliver localized privacy training to UAE-based teams and third parties handling personal data.
• Plan remediation timelines that respect the law's compliance grace periods culminating in 2023 enforcement.

Sources

• UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection
• UAE Government: Overview of the Personal Data Protection Law

Zeph Tech supports Gulf-based enterprises with PDPL controls spanning lawful basis analysis, cross-border governance, and executive regulation readiness.