The DP Law applies to all businesses that are processing personal data in the UAE (irrespective of whether the personal data relates to data subjects inside the UAE) or that are based abroad but are processing personal data relating to data subjects that are inside the UAE. The new DP Law therefore has an "extra-territorial" reach similar to the GDPR. 

The DP Law does not apply to government data (which is left undefined in the DP Law), government authorities that control or process personal data or personal data held by security and judicial authorities. It also does not cover the processing of personal data for personal purposes, health personal data or banking personal data as there are separate laws regulating the protection of such data. 

The DP Law will not apply to entities in UAE free zones where such free zones have their own data protection and privacy laws (such as the Dubai International Financial Centre and Abu Dhabi Global Market). Whilst it is expected that the DP Law will operate alongside the existing free zone regimes in the UAE, there is at this point some uncertainty as to how the different data protection regimes in the UAE will interact with one another.

The DP Law also provides that certain UAE businesses that do not process large volumes of personal data in their ordinary course of business may be able to obtain an exemption from some or all elements of the DP Law. Further details of the exemption are to be set out in the Regulations.

Many elements of the DP Law are consistent with those adopted in other modern data protection regulations. However, there are some notable differences too. 

Lawful bases – Personal data can only be processed with the consent of the data subject except in limited circumstances. These include if the processing is: necessary to execute a contract to which the data subject is a party; required to protect interests of the public; relates to data already in the public domain; required for filing or defending against legal proceedings; necessary for certain medical purposes, including assessing one's ability to perform work, medical diagnosis, providing health or social care, health insurance services or management of health care systems pursuant to applicable laws; necessary to comply with legal obligations or exercising legal rights in the fields of recruitment or social security; necessary to comply with other laws. Interestingly, the DP Law does not include a right to process personal data pursuant to one's "legitimate interests", a common legal basis in other international data protection and privacy laws. 

Consent – If consent is used as the lawful basis for processing then it should be obtained from data subjects in a specific, clear and unambiguous form and should be made through a positive statement or clear affirmative action. Data subjects are entitled to withdraw their consent at any time.

Rights of Data Subjects – Data subjects are granted various rights under the DP Law. These include the rights to transfer their personal data; rectification or erasure of personal data; restriction on processing of personal data; the right to object to certain types of processing and automated processing; and rights to access information without any charge applied by data controllers.

Data Protection Officer – The DP Law requires businesses (both controllers and processors) to appoint a data protection officer (DPO) in certain circumstances, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO may be an existing employee of the business or a third party and may be based in the UAE or outside of the UAE.  

Data Protection Impact Assessments – Data controllers are required to assess their proposed processing activities where there is a high risk to the privacy and confidentiality of personal data when using modern technologies. The DP Law prescribes the minimum information that should be included in such assessments. 

Limitations on Processing – Personal data must only be processed in accordance with a specified and clear purpose. Personal data must also be kept up to date, secure and kept only for as long as is required by the specified purpose.

Privacy Notice – The DP Law does not include an express requirement on data controllers to provide privacy notices to data subjects at the time of collecting their personal data. However, processing must be transparent and lawful. This would suggest that the data controller must provide certain information to the data subject in respect of any processing of their personal data, including the purposes of the processing, the sectors or entities inside or outside of the UAE with whom personal data will be shared and the appropriate safeguards to be applied if the personal data is transferred outside of the UAE.

International Transfers – Similar to the GDPR's concept of "adequacy", the DP Law allows for the transfer of personal data outside of the UAE to countries that are approved by the Data Office as having an adequate level of data protection. It may be possible to transfer data to other jurisdictions where any exemptions apply. These include securing the explicit consent of the data subject, provided that this does not conflict with the public or security interests of the UAE, or if the transfer is necessary to perform obligations or to execute a contract with the data subject. Further details on the list of "adequate" countries is expected in the Regulations or from the Data Office at a later stage. 

Notification of Breach – If a data breach is likely to result in a risk to the privacy, confidentiality and security of personal data then it must be notified to the Data Office. The data controller must always notify the data subject irrespective of whether there is a high risk to the data subject or not. The timelines for breach notifications are to be set out in the Regulations.

The DP Law will be overseen by the UAE's Data Office which is to be established pursuant to a separate Federal Decree-Law No. 44 of 2021 that was enacted at the same time as the DP Law. The Data Office is the first "onshore" data protection regulator and will be responsible for the protection of personal data in the UAE. The Data Office will be responsible for preparing legislation and policies regarding data protection; issuing guidance for implementing the data protection legislation; handling complaints and data breach notifications; and imposing administrative penalties based on a proposal by the Director General (to be appointed in due course) of the Data Office. 

The DP Law does not set out the administrate penalties that can be imposed on businesses for breaches of the DP Law. We expect the details to be included in the Regulations. 

All businesses that are covered by the DP Law will need to audit their existing data use in order to update processes, contracts, notices and employee awareness to ensure compliance with the DP Law. For any business with a global privacy program it should be expanded to include the UAE and we would strongly recommend taking appropriate steps now to ensure compliance as soon as possible:

DPO: If you wish to use your existing DPO to also cover the UAE then you should consider whether that individual has the sufficient skills and know-how of the local requirements in the UAE to properly fulfil its role. 

Audit: Undertake an audit of your processing activities to ensure that (1) data being processed is relevant, accurate and being processed for the purposes for which it was collected pursuant to a legal basis set out in the DP Law; (2) consents obtained remain valid; and (3) appropriate technical and operational measures are in place. Audits are crucial to start populating registers of processing activities that record personal data use and demonstrate compliance and accountability.

Employment: Update your employment contracts to reflect the DP Law regime, taking note of changes to consent requirements. 

Supply Chain Management: If you outsource any of your processing activities (e.g. payroll, HR, recruitment, direct marketing, employee benefits) then you will need to enter into robust data processing agreements with their suppliers to ensure compliance with the DP Law. Audits of supply chain are essential.

Training: Undertake staff training to ensure that changes are understood and to explain what is expected of staff when handling personal data.