When are PDPL fines enforceable?

The substantive law is in force. Specific penalty quantum and breach windows are set by the Executive Regulations — treat enforcement as live, not future-state.

Article 10 lists triggers — high-risk processing, large-scale sensitive data and systematic monitoring. Even where optional, we recommend a DPO-equivalent role for regulated sectors.

How does PDPL overlap with GDPR?

Roughly 70% of controls map directly. Macksofy builds a single 'highest-bar' program so multinationals don't run two parallel privacy stacks.

What about DIFC and ADGM?

DIFC follows DP Law No. 5 of 2020, ADGM follows its 2021 Regulations. Both are GDPR-style and operate independently of the federal PDPL — we scope per legal-entity footprint.

UAE Federal Personal Data Protection Law

UAE PDPL Compliance Audit

End-to-end PDPL readiness — controller register, consent, DPO, cross-border transfers.

Full UAE Federal Decree-Law No. 45 of 2021 readiness — applicability assessment, data inventory, lawful-basis register, data-subject rights, controller / processor obligations, breach notification to the UAE Data Office and cross-border transfer controls. Designed for entities established in the UAE mainland and those processing UAE-resident data from abroad.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

UAE Federal Decree-Law No. 45 of 2021 — Personal Data Protection
Executive Regulations (latest published version)
UAE Data Office decisions and guidance
DIFC Data Protection Law No. 5 of 2020 (free-zone overlap)
ADGM Data Protection Regulations 2021 (free-zone overlap)
GDPR mapping for multinationals
ISO 27701 Privacy Information Management

Why this matters

Compliance is leverage, not paperwork.

The UAE PDPL (Federal Decree-Law No. 45 of 2021) is the federal-level privacy regime that sits alongside the sectoral DIFC DP Law and ADGM DP Regulations. The Data Office (under the UAE Cybersecurity Council) supervises enforcement and the implementing Executive Regulations finalise penalty quantum, breach windows and DPO triggers. Boards that treat PDPL as a policy refresh miss the heavier obligations — cross-border transfer impact assessments, controller-to-processor contracting and the Data Office's evidence expectations during a complaint.

Applicability

Entities established in the UAE mainland (outside DIFC / ADGM free zones)
Controllers and processors handling UAE-resident personal data from outside the UAE
Healthcare, banking, telecom, e-commerce, edtech, HR services processing UAE data
Multinationals running shared services or BPO in the UAE for global clients
Cloud / SaaS providers with UAE data-residency commitments to customers

Standards & frameworks

Aligned to the regulations that matter.

UAE Federal Decree-Law No. 45 of 2021 — Personal Data Protection

Executive Regulations (latest published version)

UAE Data Office decisions and guidance

DIFC Data Protection Law No. 5 of 2020 (free-zone overlap)

ADGM Data Protection Regulations 2021 (free-zone overlap)

GDPR mapping for multinationals

ISO 27701 Privacy Information Management

Methodology

How we run a UAE PDPL engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 5

1 · Applicability + role

3 activities

Federal vs DIFC / ADGM jurisdiction assessment
Controller / processor / joint-controller determination
Mainland establishment + extraterritorial test

01
1 · Applicability + role
- Federal vs DIFC / ADGM jurisdiction assessment
- Controller / processor / joint-controller determination
- Mainland establishment + extraterritorial test
02
2 · Data inventory + RoPA
- Personal-data discovery across UAE entities + cloud
- Records of processing activities
- Sensitive personal data + criminal data flagging
- Cross-border transfer mapping
03
3 · Lawful basis + rights
- Consent capture + withdrawal flow
- Lawful-basis register per processing activity
- Data-subject request workflow + SLA
04
4 · Security + breach
- Article 20 appropriate technical + organisational measures
- Breach detection + Data Office notification SOP
- Processor + sub-processor contract uplift
05
5 · Governance + DPO
- DPO appointment where triggered (Article 10)
- Data Office registration / complaint response readiness
- Annual PDPL audit + board reporting cadence

Deliverables

Everything you need to satisfy auditors.

PDPL applicability + jurisdiction memo (federal vs free zone)
Records of Processing Activities for UAE operations
Lawful-basis + consent template pack (Arabic + English)
Cross-border transfer impact assessment pack
Data-subject rights portal + workflow spec
Breach notification SOP aligned to Data Office timelines
DPO charter (where triggered) + board reporting deck

Recent engagements

UAE-headquartered fintech (mainland)

PDPL readiness + DIFC overlap mapping

Outcome: Single privacy program covered mainland PDPL and DIFC DP Law; cleared two enterprise customer privacy diligences in one quarter

Global SaaS with UAE data-residency offering

RoPA + cross-border transfer architecture

Outcome: Transfer-impact assessments completed for 14 sub-processors; UAE customer contracts uplifted with PDPL-compliant DPA

At a glance

The shape of a UAE PDPL engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Applicability & jurisdiction3 pts
Data inventory & RoPA3 pts
Lawful basis & consent3 pts
Data-subject rights3 pts
Cross-border transfer3 pts
Breach response & DPO3 pts

Pillar 01

Applicability & jurisdiction

Federal PDPL, DIFC and ADGM regimes overlap — clean scoping prevents double work.

Mainland vs free-zone establishment test
Extraterritorial-processing assessment
Sector-overlay mapping (healthcare, telecom, finance)

Pillar 02

Data inventory & RoPA

Article 6 + 17 evidence — the artefact the Data Office samples first.

Personal-data discovery across UAE systems
Sensitive + criminal-data classification
Processing-activity register with retention

Pillar 03

Lawful basis & consent

Bilingual consent and Article 5 lawful-basis evidence built for UAE residents.

Arabic + English consent UX
Withdrawal + objection flow validation
Legitimate-interest balancing tests

Pillar 04

Data-subject rights

Access, correction, erasure, portability and objection workflows under Articles 13-16.

Rights-request intake + SLA workflow
Identity verification controls
Automated-decision opt-out evidence

Pillar 05

Cross-border transfer

Articles 22-23 — adequacy, contractual safeguards and Data Office approvals.

Adequacy-list reliance + monitoring
Standard contractual clauses + safeguards
Transfer-impact assessment per recipient country

Pillar 06

Breach response & DPO

Notification to the UAE Data Office, processor coordination and DPO independence.

Detection-to-notification timeline drill
DPO appointment + reporting lines
Data Office complaint response pack

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a UAE PDPL engagement. Click any station for detail in the methodology section above.

Week 1

Applicability + role

Week 2

Data inventory + RoPA

Week 3

Lawful basis + rights

Week 4

Security + breach

Week 5

Governance + DPO

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Yes — if you process personal data of UAE residents from outside the UAE, the law applies extraterritorially. Establishment in DIFC or ADGM puts you under their separate free-zone DP laws instead.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.