Keeping Up With Data Regulations In The UAE


Since the introduction of data laws in the UAE, organisations are taking significant steps to adhere to the regulations.

The implications of data crime are keeping organisations on their toes, and enterprises expect security mishaps to go up beyond last year’s numbers. As a result, governments are focusing on compliance to safeguard businesses and protect consumer interests.

There’s an increased willingness among organisations in the Middle East to increase security budgets to keep their data safe and protected. In a survey by Equinix for businesses’ digital-first strategies, 85 per cent of global respondents confirmed improved cybersecurity as a key priority, and 84 per cent stated that complying with local market data regulations is critical.

As a result, we find a growth in the number of government-mandated standards for data collection, storage and usage. Further, to better align with international data protection principles, several countries and jurisdictions in the GCC have reformulated their data laws in recent years.

UAE’s data protection laws

Last year, the UAE announced a landmark federal data protection law, which put the Emirates into greater transparency and harmonisation with other regional jurisdictions. The law enhances the privacy rights of data subjects. Previously, without a standalone federal data protection law, the UAE’s data protection and privacy were governed by various laws that created ambiguity.

The new federal law came into force in January 2022 and clarified what is permissible regarding collecting, processing, reviewing and transferring personal data. The law’s critical features impacted employee monitoring and internal investigations.

The Personal Data Protection Law (PDPL) was announced in February 2022. It follows the global trend of increased adoption of dedicated general data protection laws in the GCC, where relatively recent data protection laws have been followed by new ones in Saudi Arabia and the UAE in the last quarter of 2021. Enterprises are clearly concerned about the implications of a regulation update to business functions.

Meanwhile, the UAE and Gulf governments are speeding up data transformation and blockchain adoption. When that happens, there will be an immediate need for more data storage.

Data storage is becoming one of the pillars driving the UAE and Gulf’s technology sector. “In the past three years, the demand for data storage soared because of the many hyper-scalers and cloud companies coming into the country. Starting now, the government is accelerating its need for data with digital economies and ‘smart city’ programmes picking up really well,” said Hassan AlNaqbi, CEO of Abu Dhabi’s Khazna Data Centres, recently.

The Data Protection Law covers the personal data of individuals and would apply to controllers and processors located in the UAE and outside. “Similar rules will be enforced by other jurisdictions too. We have identified a select few markets in the Gulf, North Africa and Asia-Pacific where we can build a land bank for the data centres. There could be joint ventures if that helps access those markets faster,” added AlNaqbi.

Khazna Data Centres are establishing new facilities, adding to the ones it already operates. It has brought all of the data centres operated by G42, the Abu Dhabi headquartered investment group, and that of e& under its fold.

The aftermath

The streaming data protection announcements in the UAE are a testament to the enhancement of data protection transparency and privacy rights.

The more technology-driven businesses become, the more open enterprises become to new data security risks at each stage. It’s not only essential to protect the data but to also correctly assess the available technology solutions vis-à-vis the business.

Digital transformation provider Injazat recently extended its collaborations with Dell Technologies and VMware to meet the rising demand for robust consumption of As-a-Service hybrid digital infrastructure offerings in the UAE.

As part of the collaboration, Injazat will provide organisations with greater access to technology across Dell Technologies’ infrastructure stack, which includes data protection and Cyber Recovery-as-a-Service (CRSaaS).

Soon after the PDPL announcement, the UAE education sector also witnessed a renewed focus on data protection for universities and their technology providers.

The PDPL governs a high standard of data protection with substantial rights for individuals and stringent requirements on organisations to evidence their compliance through detailed documentation such as data protection impact assessments.

At the same time, universities have realised the need to be vigilant and use this data appropriately. Education institutions in the UAE must manage students’ increasing volume of personal data to deliver personalised experiences and support learners’ outcomes.

Towards a safer data-driven future

Organisations across sectors continue strengthening internal policies and procedures to ensure compliance with the new data protection law. For instance, even Dubai Healthcare City has its own formal data protection law now.

The Dubai government wants to have 100 per cent of government data on open channels and shared portals available for everyone.. Adhering to the laws governing data sharing, Dubai’s Roads and Transport Authority is selling its data to other government bodies and private companies.

Al Tamimi & Co, a legal firm based in UAE claims that the law aims to manage data with international best practices, promote transparency and establish rules for dissemination and exchange.

By leveraging robust technology and trustworthy vendors, institutes can develop strong internal data protection and security practices to meet PDPL requirements. Students can be rest assured that their data is in good hands.

The UAE regulations require critical data to be generated from within to be stored in-country. When it was issued in December, it was perceived as a crucial piece of legislation amid its gradual transition to a fully-fledged digital economy.

While all seems well and on the right track, there are rumours that UAE’s data laws will become stricter than GDPR soon. If it is indeed true, businesses better get their data compliance strategy mapped.

If you liked reading this, you might like our other stories
One Year of GDPR: Privacy Laws, Data Breaches, and the Impact of Regulations
All You Need To Know: Dubai’s Virtual Assets Regulatory Authority