UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data turns the abstract idea of "data privacy" into 12 concrete operating obligations. This guide breaks those 12 obligations into a checklist your office manager can execute without a law degree.
Three scoping questions, in order:
The law applies whether you have 3 employees or 3,000, and whether you store data in a spreadsheet, in other UAE accounting tools, or on a piece of paper in a drawer. The compliance bar scales — a 5-person firm doesn't need a formal DPO and a 50-page privacy policy — but the principles apply uniformly.
"Personal data" under Article 1 of PDPL means "any data relating to an identified or identifiable natural person." That is broader than most SMB owners realize. It includes:
What is not personal data: aggregated statistics with no path back to an individual ("48% of our customers are in Dubai" is fine), genuinely anonymized data, and data about legal entities (a company's TRN is not personal data, but the contact person's name attached to it is).
Article 7 calls out a sensitive subcategory with stricter rules. The categories: data revealing racial or ethnic origin, religious beliefs, philosophical beliefs, political opinions, criminal convictions, biometric data, genetic data, health data, sexual orientation. Most SMBs do not process sensitive data and should actively avoid collecting it. If you find yourself with it (an employee's medical certificate, for instance), treat it with elevated controls — restricted access, encryption at rest, explicit consent.
Spend one afternoon listing every system that holds personal data: your CRM, your accounting software, your email service, your file storage, your HR file folder, the spreadsheets on people's laptops. For each system, document what categories of personal data are stored and roughly how many records.
This is the foundation. You cannot comply with anything else without first knowing where the data lives.
PDPL recognizes six lawful bases. Pick one per data category:
"Legal obligation" is the most common basis for SMBs: keeping VAT records for 5 years is a legal obligation under FTA Decision 2/2019, and that's a clean lawful basis. Customer marketing, on the other hand, is almost always "consent" or "legitimate interest" and requires explicit grounding.
Required content: who you are (with contact), what data you collect, why, lawful basis, retention period, recipients, cross-border transfer info, data subject rights, contact for privacy questions.
Don't copy a generic template. Most internet templates were written for GDPR (Europe) and don't reference UAE-specific rules. Reference PDPL article numbers explicitly; the UAE Data Office expects this.
Consent under PDPL must be: freely given, specific, informed, unambiguous, and withdrawable. If you're using consent as your lawful basis (newsletter signup, marketing emails), the consent UI matters:
Eight rights you must support: access, rectification, erasure, restriction, portability, objection, withdraw consent, complain to UAE Data Office. Most SMBs see fewer than 10 requests a year. You don't need a full ticketing system; you need a documented inbox (privacy@yourdomain.ae), a 30-day response SLA, and a written internal procedure.
For each personal data category, document how long you keep it and why. Examples:
The hard part is operationalizing deletion. A retention policy nobody enforces is worse than no policy. Set calendar reminders, build cron jobs, integrate deletion into your offboarding process.
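One way to make the retention schedule enforceable rather than aspirational is a scheduled dry-run job that decides, per record, whether the documented period has lapsed, and that fails closed on records it cannot classify or that are on legal hold. This is an added example, not HIBR code; the retention schedule, record layout, constructed sample inventory and the `TODAY` date are assumptions (only the 5-year VAT figure comes from the guide).

```python
# Retention enforcement dry run (added example, not HIBR code): the schedule,
# record layout and sample records below are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Days to keep each category and the lawful basis behind it. Only the VAT
# figure (5 years, FTA Decision 2/2019) comes from the guide; the other two
# are placeholders an SMB replaces with its own documented policy.
RETENTION = {
    "vat_invoice_contact": ("legal obligation", 5 * 365),
    "marketing_contact": ("consent", 2 * 365),
    "job_applicant": ("legitimate interest", 180),
}

@dataclass
class Record:
    record_id: str
    category: str
    last_relevant: date       # invoice date, last consent refresh, etc.
    legal_hold: bool = False  # e.g. subject of an open dispute

def enforce_retention(records, today):
    """Return {'delete', 'hold', 'review', 'log'} lists. Unknown categories
    are never deleted silently: they go to 'review' so the inventory is fixed."""
    out = {"delete": [], "hold": [], "review": [], "log": []}
    for r in records:
        if r.category not in RETENTION:
            out["review"].append(r.record_id)
            out["log"].append(f"{r.record_id}: unmapped category {r.category!r}")
            continue
        basis, days = RETENTION[r.category]
        expiry = r.last_relevant + timedelta(days=days)
        if today < expiry:
            continue  # still inside the documented retention period
        if r.legal_hold:
            out["hold"].append(r.record_id)
            out["log"].append(f"{r.record_id}: expired {expiry}, kept on legal hold")
            continue
        out["delete"].append(r.record_id)
        out["log"].append(f"{r.record_id}: delete, basis '{basis}' expired {expiry}")
    return out

# Constructed sample inventory and run date for the dry run.
TODAY = date(2025, 1, 1)
SAMPLE = [
    Record("inv-001", "vat_invoice_contact", date(2019, 1, 10)),
    Record("inv-002", "vat_invoice_contact", date(2022, 6, 1)),
    Record("mkt-017", "marketing_contact", date(2021, 3, 5), legal_hold=True),
    Record("x-001", "chat_export", date(2020, 1, 1)),
]
```

Run it from cron with the real inventory as input and keep the `log` lines: they are exactly the "retention deletions completed" evidence the quarterly review asks for.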
If your data lives outside the UAE, you need a documented justification. The simplest path: host inside a jurisdiction the UAE Data Office has deemed "adequate" — that includes GCC member states with PDPL-equivalent laws (Bahrain, Saudi Arabia post-PDPL, Qatar). If you're using a cloud service hosted in the US or EU, you need either explicit data subject consent for the transfer or Standard Contractual Clauses with the provider.
See HIBR's data residency commitment for a worked example.
If a vendor processes personal data on your behalf — your accounting software, your email marketing tool, your call-recording service — you need a Data Processing Agreement (DPA) with them. The DPA documents who controls the data, what the vendor can do with it, breach notification obligations, deletion on termination.
List your top 10 vendors. Get a DPA from each. Most will have a standard one you can sign in 10 minutes; if a vendor refuses to sign one, that's a serious red flag.
The level of technical control should match the data's sensitivity. Minimum bar for any SMB:
Every employee who handles personal data should complete annual privacy training. Document attendance. The training doesn't need to be elaborate — a 60-minute session covering "what's personal data, what's our policy, how to spot and report a breach" is sufficient. The point is documentation: when the UAE Data Office asks how staff are trained, you have an answer.
This step is critical because the clock is 72 hours from discovery. Pre-write:
If a breach happens at 11pm on a Friday — and most breaches are noticed at inconvenient times — you'll thank yourself for having a runbook instead of writing one under pressure.
Quarterly, sit with the privacy point-of-contact and review: new processing activities started this quarter, new vendors onboarded, new systems deployed, data subject requests received, any incidents (even near-misses), retention deletions completed. Document the review.
This is the cheapest possible "DPO function" — a documented quarterly accountability moment that proves you take this seriously.
Article 22 is where most UAE SMBs accidentally end up out of compliance, because they don't think about it. You're processing data outside the UAE if:
You have three valid paths under Article 22:
The practical answer for most SMBs: prefer vendors that explicitly host UAE/GCC data in the region. HIBR's approach is documented here.
Under Article 19, a personal data breach must be reported to the UAE Data Office within 72 hours of discovery. If the breach poses a risk to data subjects' rights, those individuals must also be notified — usually within the same 72 hours.
The 72-hour clock starts when you discover the breach, not when it happens. So if an employee notices on Monday morning that data was exfiltrated on Friday evening, the clock starts Monday. This is in your favor: it means investigation time is included.
What counts as a breach:
What doesn't trigger notification: a near-miss that didn't actually expose data, an attempted but blocked attack, a system going down without data being accessed.
HIBR is the UAE-built ERP designed for PDPL compliance from line 1. Built-in:
More on the security architecture: /erp/data-residency/ · /erp/security/audit/.
Reserve a beta seat — beta participants receive our PDPL Quick-Start Pack: privacy policy template, DPA template, consent UI examples, breach runbook template. Free for the first 100 UAE SMBs that sign up.
Yes. PDPL applies to every business processing personal data of UAE residents, regardless of business size or geographic scope of customer base. The law does not have a small-business exemption — only a "personal use" exemption that covers individuals managing their own contact lists.
Formal DPO appointment is required only for organizations processing sensitive personal data at scale, large-scale automated processing, or where designated by UAE Data Office. Most SMBs do not formally need a DPO, but should appoint an internal privacy point-of-contact. The contact's email (e.g., privacy@yourdomain.ae) should be in your privacy policy.
PDPL is closely modeled on GDPR but has UAE-specific provisions, particularly around cross-border transfer (Article 22 with the adequate-jurisdiction list), breach notification (72 hours, similar to GDPR), and consent mechanics. A GDPR-compliant program is mostly PDPL-ready but needs the UAE-specific overlay.
The Executive Regulations under PDPL define administrative fines. Penalties can reach 5 million for serious breaches, with day-rate penalties for ongoing non-compliance. More common in practice: UAE Data Office issues correction orders, monitors compliance, and escalates only on willful or repeat violations.
They coexist. FTA Decision 2/2019 requires 5 years of VAT record retention; PDPL's storage-limitation principle says don't keep data longer than necessary. The FTA requirement satisfies PDPL's "legal obligation" lawful basis — you keep VAT-related personal data for 5 years because the law requires it. After 5 years, delete unless another legal basis applies.
If cookies can identify a returning visitor, they're processing personal data under PDPL. You need a cookie banner that gets explicit consent before non-essential cookies fire. Strictly necessary cookies (session management) don't need consent. Analytics, advertising, and marketing cookies do.
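The server-side half of that rule is a gate that lets strictly necessary cookies through and drops every other Set-Cookie header until the visitor's recorded consent covers its category, failing closed on cookies it does not recognise. This is an added example, not HIBR code; the cookie names, the category map, the `pdpl_consent` cookie format and the sample headers are constructed assumptions, and third-party scripts that set their own cookies still need to be gated in the page itself.

```python
# Server-side cookie consent gate (added example, not HIBR code): cookie
# names, categories and the consent-cookie format are constructed assumptions.

# Which category each first-party cookie belongs to. Strictly necessary
# cookies never need consent; everything else waits for an explicit opt-in.
COOKIE_CATEGORY = {
    "sessionid": "necessary",
    "csrftoken": "necessary",
    "_ga": "analytics",
    "_fbp": "advertising",
    "promo_seen": "marketing",
}
NEEDS_CONSENT = {"analytics", "advertising", "marketing"}

def parse_consent(cookie_header):
    """Return the consented categories recorded in a 'pdpl_consent' cookie
    (value: categories joined by '+', e.g. 'analytics+marketing'). Absent or
    unrecognised values mean no consent: the gate never defaults to yes."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "pdpl_consent":
            return {c.strip() for c in value.split("+")} & NEEDS_CONSENT
    return set()

def filter_set_cookies(set_cookie_headers, consent):
    """Return (allowed headers, dropped cookie names). Unknown cookie names
    are treated as needing consent, so a new tracker cannot slip through."""
    allowed, dropped = [], []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        category = COOKIE_CATEGORY.get(name, "unknown")
        if category == "necessary" or category in consent:
            allowed.append(header)
        else:
            dropped.append(name)
    return allowed, dropped

# Constructed sample: the headers a page wants to set, evaluated on a first
# visit (no consent cookie) and again after the visitor opted in to analytics.
OUTGOING = [
    "sessionid=abc123; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.555; Max-Age=63072000",
    "promo_seen=1; Max-Age=2592000",
]
FIRST_VISIT = filter_set_cookies(OUTGOING, parse_consent(None))
OPTED_IN = filter_set_cookies(OUTGOING, parse_consent("theme=dark; pdpl_consent=analytics"))
```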