As the UAE’s digital economy grows, the importance of robust data protection and privacy frameworks cannot be overstated. This summer has seen key developments in the UAE’s data protection regulations, both at the federal level and within the Dubai International Financial Centre (DIFC). Organisations should be aware of these changes and take proactive steps to embed privacy into their operations.
Pending enforcement of the UAE PDPL
The UAE’s Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) technically came into force in September 2021. However, the law’s executive regulations, which will trigger enforcement, have yet to be issued. As of now, the PDPL remains one to watch, with compliance obligations expected to start only six months after the regulations are published.
While this delay buys businesses more time, it should not be viewed as a reason to pause. Organisations that invest now in strong data governance frameworks will be better positioned for compliance once the PDPL becomes enforceable.
DIFC data protection law: strengthened and aligned globally
On 8 July 2025, the DIFC amended its Data Protection Law (No. 5 of 2020), with changes effective from 15 July 2025. These updates align the DIFC more closely with international standards like the EU’s GDPR and bring significant implications for businesses operating within its jurisdiction.
Key changes include:
- Expanded scope: The DPL now applies to all DIFC-incorporated entities, wherever they process data, and to non-DIFC entities handling personal data within the DIFC.
- Private right of action: Individuals can now bring claims directly before the DIFC Courts if their data rights are infringed, without first filing with the Commissioner.
- Stricter compliance obligations: New requirements include conducting Data Protection Impact Assessments (DPIAs), annual reviews of whether a Data Protection Officer (DPO) is required, and tighter rules on cross-border transfers.
- Financial penalties: Fines ranging from USD 10,000 to USD 50,000 may be imposed for breaches such as inadequate transfer safeguards, failure to conduct DPIAs, or failure to meet annual DPO assessment obligations.
Businesses operating in Dubai, especially within the DIFC, should take immediate action to:
- Assess compliance with updated DIFC requirements, including DPIAs, cross-border transfers, and DPO obligations.
- Update internal governance by maintaining records of processing activities and embedding privacy-by-design into workflows.
- Train staff on new obligations and empower teams to manage data responsibly.
- Prepare for the PDPL by mapping data flows and reviewing policies now, to avoid last-minute scrambles once executive regulations are issued.
The UAE is moving steadily towards a mature, globally aligned data protection regime. Organisations that embrace robust privacy practices today will not only stay compliant tomorrow but also secure the long-term trust of customers, partners, and regulators. HewardMills’ team of global data protection experts maintains a watchful eye on these ever-shifting regulations and can help your team stay abreast of changes and mitigate any risks to your business.