The State of UAE Data Protection

Hanna Mathai

By Talal Wazani, Head of Cybersecurity Consulting


I would like to shed some light on the current state of the UAE data protection law, the obligations of organizations collecting and processing personal information and how we can help you achieve a greater level of compliance with the law.

UAE Federal decrees 44-45/2021 were published in late 2021 to establish the UAE Data Office and announce the new UAE Data Protection Law (DP Law). The DP Law came into force in January 2022 and is expected to be supplemented by executive regulations to provide additional details that would enable the implementation and enforcement of this law.

Personal Data

Personal data is any information that can identify a natural person directly or indirectly.

Examples of personal data:

Directly – Name, ID number, email address, IP address, CCTV footage.

Indirectly – Gender, birth date, license plate number, phone number.

The UAE Data Office, which is affiliated with the UAE cabinet and will be supported logistically and administratively by the Telecommunication and Digital Government Regulatory Authority (TDRA), will act as the federal data regulator of the UAE and will be responsible for:

  • Preparing policies and legislation related to data protection
  • Proposing and approving the standards for monitoring Personal Data Protection Law
  • Preparing systems for complaints and grievances related to data
  • Issuing guidelines and instructions for the implementation of the law

The UAE Data Protection Law is committed to protection of personal information by establishing the following key privacy principles when processing data:

The UAE DP Law aims to empower individuals (referred to as ‘Data Subjects’) and give them control over their personal data by granting them the following rights. The Data Subject Rights can however be superseded if there are other laws in place that stipulate keeping data available for a certain period of time (for example, personal details related to bank records).

  • Right to delete personal data
  • Right to object to automated decision making
  • Right to correct personal data if inaccurate or incomplete
  • Right of access to information related to their personal data processing
  • Right to restrict or stop processing of their personal data

As the executive regulations have not yet been published, no timelines are currently stipulated for responding to and acting on data subject rights requests.

How To Effectively Establish A Data Privacy Protection Program?

  • Appoint a Data Protection Officer
  • Inventory your personal data
  • Notify and seek consent from your data subjects
  • Protect personal data
  • Respond to your data subject requests
  • Notify authorities and data subjects in case of breaches
  • Communicate your data protection policies and processes

How Can We Help?

  • Conduct a Gap Assessment
  • Establish a Data Protection Governance Framework
  • Establish Data Subject Rights and Consent Management Process
  • Conduct Data Privacy Impact Assessment
  • Establish Data Breach Management Process
  • Conduct Data Protection Awareness

Follow these simple tips to keep your data private and safe.

Do:

  • Understand what is considered personal information and ensure that access to such data is on a need-to-know basis.
  • Check privacy settings in your accounts and apply MFA wherever possible.
  • Report any actual or suspected breaches of confidentiality or privacy.
  • Participate in induction, training and awareness raising sessions on privacy issues.
  • Encrypt all confidential data and files.
  • Arrange certified confidential waste disposal for large amounts of personal data.
  • Lock your computer screen if you leave your desk for any amount of time.
  • Verify an individual, organization and account before handing over personal information.
  • Keep your passwords and usernames secure and store them in a password manager.
  • Let people unsubscribe when they no longer want to connect with you.

Don't:

  • Transfer data internally for different purposes or externally without lawful justification.
  • Share passwords or leave information and data unattended.
  • Ignore software security updates.
  • Use business computers for personal reasons.
  • Plug in portable devices without appropriate verifications and checks.
  • Dispose of personal data in bins without shredding it.
  • Talk about confidential matters in public or where others can hear you.
  • Respond to phone calls or emails requesting confidential data.
  • Log into public Wi-Fi when working on sensitive and personal information.
  • Open emails and attachments from any unknown sources.

