The grace period is over.
For years the PDPL sat on the books as a framework to prepare for. Its implementing regulations are now issued, and the law is in active enforcement. Personal data means any information that identifies a living individual: names, emails, phone numbers, identification, location data. If you hold any of it, the law already reaches you. The question is no longer whether it applies, but whether you can show that you comply.
The law follows the data, not the licence.
It applies to any entity that processes the personal data of UAE residents, wherever it is incorporated, including overseas companies marketing into the UAE. That is almost every operating business here, with one exception.
Mainland and most free zone companies
If you process resident data and you are not licensed in DIFC or ADGM, the federal PDPL governs you. The UAE default.
DIFC and ADGM companies
The two financial free zones run their own frameworks: the DIFC Data Protection Law and the ADGM Data Protection Regulations. Comply with your centre's regime, not the federal PDPL.
You hold data the law reaches if you have any of these:
- Lead capture. A website form that takes a name and email.
- Customer database. A CRM holding client and prospect records.
- HR and employees. Payroll, passports, and visa files on staff.
- Cross-border. An overseas firm marketing to UAE residents.
Five obligations, and where firms get caught.
The trouble is rarely that a business refuses to meet these. Nobody mapped which ones apply, so the gaps stay invisible until a request, a partner, or the regulator surfaces them.
A lawful basis for every record
Personal data must rest on a lawful basis: consent, contractual necessity, a legal duty, or a legitimate interest.
Where firms get caught: collecting first and justifying later, the posture the law was written to end.A privacy notice that says enough
Individuals must be told how their data is used at the point you collect it.
Where firms get caught: a generic policy copied from another jurisdiction, the first thing a serious counterparty checks.A working answer to data subject rights
Residents can ask to access, correct, or delete their data, and you must respond within the set timeframe.
Where firms get caught: a policy on paper, but no process that can find and act on the record.Discipline on cross-border transfers
Data may only move to jurisdictions with adequate protection, or under specific contractual safeguards.
Where firms get caught: cloud tools exporting data in ways the contracts do not yet cover.A breach you can report in time
Significant breaches must be reported to the UAE Data Office, and in defined cases to the people affected.
Where firms get caught: the clock starts when the breach happens, not when you finish deciding what to do about it.Fines are real, but the faster cost is the deal you lose for not having your house in order.
The UAE Data Office can impose substantial fines for unlawful processing, weak security, or ignoring a rights request. That is the downside everyone fears. The everyday cost is quieter: banks, enterprise clients, and overseas partners increasingly ask to see a privacy notice and a data process before they transact, and a thin answer reads as an unserious business. Compliance here is not paperwork. It sits alongside your AML obligations as part of looking like a company worth dealing with.
The people who trusted us with the detail.
Everything was perfect, very fast, easy and super professional. You helped me and my family get our Golden Visas without any stress.
From the initial assessment to final implementation, the team demonstrated strong expertise, structured methodology, and clear communication.
They delivered what they promised without any hidden agenda and informed me of better and less costly ways to achieve what I need.
Thanks to Manish Kumar, we were finally able to speed up the process of getting our visa after months of struggling with other agents.
He was super quick to reply, very efficient and honestly the best I have worked with. He made the whole process so much easier.
Manish demonstrated deep expertise, professionalism, and a thorough understanding of the incorporation process. Proactive, responsive, and efficient.
They've assisted me and my family obtain golden residency in the UAE. All timelines were clearly defined and all processes transparent.
Communication was clear from the start, everything managed end to end with full transparency on costs.
Manish was instrumental in setting up our company in Dubai. Always responsive, readily available to answer our questions.
A trusted advisor, a skilled navigator of complex regulatory landscapes, with unshakeable integrity.
Great and professional support from Manish. I recommend working with him on any project.
What founders ask first.
Does the PDPL apply to my free zone company?
What is the first practical step toward PDPL compliance?
Do I need a Data Protection Officer under the UAE PDPL?
Last verified June 2026. The PDPL and its regulations continue to develop. Confirm the current position for your operations before acting.