Regulation
By Mujahid Hasan, Sales Director, nshield.io

PDPL Has Been the Law Since 2 January 2022. Not 2027.

Most UAE business conversations still treat the Personal Data Protection Law like it's a January 2027 deadline. It isn't. Federal Decree-Law 45 of 2021 has been in force since 2 January 2022 — more than four years.

The Misframing

The 2027 framing is a misreading of Article 56 of the law. Article 56 establishes a transition timeline — but the transition begins when the Executive Regulations are published, not when the law itself takes effect. The law took effect on 2 January 2022. The Executive Regulations are still pending as of April 2026.

Once the Executive Regulations are published, organizations will have six months to align. That six-month window is the actual compliance window, not four years.

Six Months. From a Draft You Haven't Seen Yet.

The organizations that waited for the ER publication will spend those six months in panic mode — rebuilding data inventories, negotiating cross-border transfer addenda, retrofitting consent flows, and appointing DPOs under time pressure. The organizations that prepared in 2022, 2023, 2024, and 2025 will spend those six months filing.

What should already be in place today:

  • Data inventory across every business system — before the ER drops, not after
  • Privacy notices, consent flows, and breach-notification procedures that meet the law's existing obligations
  • DPO appointment for high-risk processing (Article 10)
  • Cross-border transfer documentation — SCCs or adequacy assessments where relevant

Patient Health Data Is a Separate Regime

One common mistake: assuming PDPL covers everything a healthcare organization holds. It doesn't. PDPL explicitly exempts patient health records from its scope — those are governed by ADHICS (Abu Dhabi), NABIDH (Dubai), and the Federal Health Data Law (FL 2/2019). PDPL does apply to every other category of personal data a healthcare organization holds: employee records, vendor contracts, marketing contacts, administrative data. Clinics need both regimes.

Penalty Reality

The specific penalty schedule is pending the Executive Regulations. Legal analyses (DLA Piper, Simmons & Simmons, Baker McKenzie) cite ranges from AED 50,000 up to AED 10 million per violation depending on severity — but the definitive figures will come from the ER itself. The absence of the ER is not the absence of enforceability: the UAE Data Office can take action under the existing provisions of the law.

If your answer to “show me your data inventory” is a long pause, that's the work to start this quarter — before the ER compresses the timeline.

PDPL is one of 13 mandates in our open UAE Regulations Registry. Every row traced to a primary source; re-validated quarterly; CC BY 4.0.

Sources and Citations

[1] UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Published: 26 September 2021. In force: 2 January 2022. Available at: uaelegislation.gov.ae

[2] PDPL Article 56 — transition provisions. Organizations have six months from publication of the Executive Regulations to align.

[3] Baker McKenzie, Clyde & Co. Analyses of PDPL Executive Regulations status. 2024–2025.

[4] DLA Piper, Simmons & Simmons. Secondary legal analyses of PDPL penalty ranges (AED 50K–10M cited; definitive figures pending ER).

[5] PDPL Article 2 — scope provisions exempting patient health records governed by sectoral health regulation.

PDPL Readiness, Without the Panic

A PDPL readiness assessment maps your current controls against Article 10 (DPO), Article 22 (cross-border transfers), and the Article 56 timeline — and gives you a sequenced plan before the ER publishes.
