Act Now in Dubai: Season 2 

On the 2ndand 3rd October 2023, the UAE held the first ever privacy and data protection law conference; a unique event organised by the Dubai International Financial Centre (DIFC) and data protection practitioners in the Middle East. The conference brought together data protection and security compliance professionals from across the world to discuss the latest developments in the Middle East data protection framework.  

Data Protection law in the Middle East has seen some rapid developments recently. The UAE has enacted its first federal law to comprehensively regulate the processing of personal data in all seven emirates. Once in force (expected to be early next year) this will sit alongside current data protection laws regulating businesses in the various UAE financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. Jordan, Oman, Bahrain and Qatar also have comprehensive data protection laws.  Currently what is causing most excitement in the Middle East data protection community is Saudi Arabia’s Personal Data Protection Law (PDPL) which came into force on 14th September 2022.  

The conference agenda covered various topics including the interoperability of data protection laws in the GCC, unlocking data flows in the region, smart cities, the use of facial recognition and data localisation. The focus of day 2 was on AI and machine learning. There were some great panels on this topic discussing AI standards, transparency and the need for regulation.   

Speakers included the UAE Minister for AI, His Excellency Omar Sultan Al Olama, as well as leading data protection lawyers and practitioners from around the world. Elisabeth Denham, former UK Information Commissioner, also addressed the delegates alongside data protection regulators from across the region. Act Now’s director, Ibrahim Hasan, was invited to take part in a panel discussion to share his experience of GDPR litigation and enforcement action in the UK and EU and what lessons can be drawn for the Middle East. 

Alongside Ibrahim, the Act Now team were at the conference to answer delegates’ questions about our UAE and KSA training programmes.
Act Now has delivered training  extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We were pleased to see there that there was a lot of interest in our courses especially our DPO certificates.  

Following the conference, Ibrahim was invited to deliver a guest lecture to law students at Middlesex University Dubai. This is the biggest university in Dubai with over 4500 students from over 118 countries. Ibrahim talked about the importance of Data Protection law and job opportunities in the information governance profession. He was pleasantly surprised by the students’ interest in the subject and their willingness to consider IG as an alternative career path. A fantastic end to a successful trip. Our thanks to the conference organisers, particularly Lori Baker at the DIFC Commissioner’s Office, and our friends at Middlesex University Dubai for inviting us to address the students.  

Now is the time to train your staff in the new data protection laws in the Middle East. We can deliver online as well as face to face training. All of our training starts with a free analysis call to ensure you have the right level and most appropriate content for your organisation’s needs. Please get in touch to discuss your training or consultancy needs.  

Data Protection Law in Saudi Arabia: Implementing Regulation Published  

On 11th July 2023, the much-anticipated Implementing Regulation for Saudi Arabia’s first ever data protection law was published in draft form for public consultation. The regulation is the final step towards the implementation of the new law which will now officially come into force on 14th September 2023. Organisations will have until 13th September 2024 to comply to become fully compliant. At the same time, the draft regulation on the transfer of personal data outside Saudi Arabia was published. With a very short deadline for comments (31st  July 2023), those organisations doing businesses in the Middle East need to carefully consider the impact of the new law on their personal data processing activities.


The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) which has published the aforementioned regulations. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.  

Key Points to Note

The Implementing Regulation and the Data Transfer Regulation provide further guidance and clarity regarding the application of the new law.  

Like the GDPR, Data Controllers in Saudi Arabia may now rely on “legitimate interests” as a lawful basis to process personal data; this does not apply to sensitive personal data, or processing that contravenes the rights granted under PDPL and its regulations. The Implementing Regulation states that, before processing personal data for legitimate interests, a Data Controller must conduct an assessment of the proposed processing and its impact on the rights and interests of the Data Subject.
No doubt guidance on this assessment will follow but for now the UK Information Commissioner’s website is a good starting point.

The Implementing Regulation also fleshes out the detail of the various Data Subject rights under PDPL including access, correction and destruction. More detail is also provided about consent as a lawful basis of processing and when it can be withdrawn. The obligations of a Data Controller when appointing a Data Processor are also addressed in detail. 

 The Implementing Regulation introduces some new elements into PDPL, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority (SDAIA) will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors. 

Certain areas of the new law still require clarity. For example, according to Article 34 of the Implementing Regulation, the Competent Authority (SDAIA) is expected to issue additional rules, including circumstances under which a Data Protection Officer shall be appointed. Just like under the GDPR, PDPL permits data transfers outside of Saudi Arabia in certain circumstances and subject to various conditions, including to countries that have an appropriate level of protection for personal data which shall not be less than the level of protection established by PDPL. The Data Transfer Regulation covers, amongst other things, adequate countries and situations where, absent of any adequacy decision, personal data may still be transferred outside of Saudi Arabia. 

The Implementing Regulation is the final step towards the implementation of the new law. 13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.
The following should be part of an action plan for compliance: 

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.  
  1. Training staff at all levels to understand PDPL at how it will impact on their role. 
  1. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed. 
  1. Reviewing how records management and information risk  is addressed within the organisation. 
  1. Drafting Privacy Notices to ensure they set out the minimum information that should be included. 
  1. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification. 
  1. Draft policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure. 
  1. Appointing and training a  Data Protection Officer. 

The UAE Federal Law

In November 2021, the United Arab Emirates enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data was published by the Cabinet Office on 27th November 2021 but to come into force regulations are required.
Whilst the two legal regimes are different, UAE is likely to follow Saudi Arabia’s lead and publish its detailed Executive Regulations very soon.  

Act Now in the Middle East  

Act Now Training can help your businesses prepare for PDPL and the UAE federal law. We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. To help deliver this and other courses, Suzanne Ballabás, an experienced Dubai based data protection specialist, recently joined our team of associates.  We can also deliver customised in house training both remotely and face to face. Please get in touch to discuss your training or consultancy needs.

%d bloggers like this: