TW Infosec

UAE PDPL compliance

Turn the UAE's data-protection law into controls you can evidence.

The UAE Personal Data Protection Law places real obligations on any organisation that processes the personal data of individuals in the UAE — around consent, purpose, security, breach notification and cross-border transfer. We help you understand what you hold, put the right controls and processes in place, and be able to demonstrate compliance rather than assert it.

What UAE PDPL is

The UAE PDPL (Federal Decree-Law No. 45 of 2021) is the country's comprehensive data-protection framework. It sets principles for lawful processing, individual rights, data-security requirements, breach handling and rules on transferring personal data outside the UAE, overseen by the UAE Data Office.

Who needs it

Any organisation that collects or processes the personal data of people in the UAE — which is to say almost every business. Sectors handling large volumes of personal data (finance, healthcare, retail, telecoms, technology) face the most scrutiny.

How we help

  • Data mapping — what personal data you hold, where, and why
  • Gap assessment against PDPL obligations
  • Privacy governance, policies and notices
  • Consent, individual-rights and retention processes
  • Data-security controls aligned to the law
  • Breach-response and cross-border-transfer procedures
  • Shadow-AI review — where personal data leaks into AI tools

FAQ

UAE PDPL — FAQs

Does the UAE PDPL apply to my business?

If you process the personal data of individuals in the UAE, almost certainly yes. The law applies broadly, with specific rules for sensitive data and for transferring data outside the country.

What's the link between PDPL and AI tools?

A major, often-missed one. Staff pasting personal data into consumer AI tools is, in effect, an uncontrolled cross-border transfer to a third party — a real PDPL exposure. We include Shadow-AI discovery in PDPL work for exactly this reason.

How do we handle cross-border data transfers?

The PDPL restricts transferring personal data outside the UAE unless certain conditions are met. We help you map your transfers and put the right legal and technical safeguards in place.

Start with a paid, tightly scoped pilot

Prove whether your controls actually work.

Book a diagnostic assessment or an executive AI-risk tabletop. We'll show you the exploitable attack paths that matter — and how to close them.

Emergency response

Facing an active incident or suspected AI compromise? Reach our response coordination line directly.

Report an Incident

[email protected]