UAE PDPL self-assessment — three regimes, one organisation.
Fifty questions covering eight categories of UAE data protection compliance. Unlike single-regulator regimes, UAE compliance demands jurisdictional analysis upfront — Federal PDPL applies to onshore businesses; DIFC applies to entities established in the Dubai International Financial Centre; ADGM applies to entities in the Abu Dhabi Global Market. Many organisations are subject to two or three regimes simultaneously through group structures or cross-zone operations. The Federal Decree-Law 26/2025 on Child Digital Safety adds a substantive overlay for any platform serving minors. Scoring runs live as you work through the items; results persist locally so you can return to them. The output is a current readiness percentage, category-level gap analysis, and a maturity band that tells you where you actually stand against UAE's distinctive multi-regime reality.
Onshore UAE · Federal PDPL
Federal Decree-Law 45/2021 · in force 2 Jan 2022
UAE Data Office: federal regulator. Issues Executive Regulations (Cabinet Decision 44/2022), licenses data activities, audits compliance.
Administrative fines per Executive Regulations

Dubai financial free zone · DIFC DP Law
DIFC Data Protection Law 2020 (+ Amendment Law 1/2025)

ADGM Office of Data Protection: GDPR-aligned framework. Independent regulator within ADGM. Strict 72-hour breach notification standard.
Fines up to USD 28 million
01 · Jurisdictional analysis & governance (7 items · weight 16%)
UAE compliance starts with jurisdictional analysis — the single most common failure mode in due diligence is applying the wrong regime. This category carries the highest weight (16%) because getting jurisdiction wrong cascades into every subsequent control. Federal PDPL, DIFC DP Law, and ADGM DP Regulations are not interchangeable.
01 · Jurisdictional analysis has been formally completed for all UAE entities and operations. (2.3 points)
Per-entity regulatory mapping: Federal PDPL (onshore mainland) · DIFC DP Law (DIFC-licensed entities) · ADGM DP Regulations (ADGM-licensed entities). Group structures with operations across zones are subject to multiple regimes simultaneously.
Basis: Federal PDPL · DIFC DP Law · ADGM DP Regs
Flag: Most common UAE compliance failure

02 · DPO obligation has been formally evaluated under each applicable regime. (2.3 points)
DPO required for: high-risk or large-scale processing (Federal) · large-scale systematic monitoring or special category data (DIFC) · regular and systematic monitoring at large scale (ADGM). Each regime has distinct trigger criteria. Documented determination required either way.
Basis: Federal Art. 10 · DIFC Art. 16 · ADGM Reg. 19
Flag: Multi-regime DPO analysis

03 · Where required, DPO has been appointed and registered with the appropriate regulator. (2.3 points)
Federal PDPL DPOs registered with UAE Data Office. DIFC DPOs registered with the DIFC Commissioner. ADGM DPOs registered with the ADGM Office of Data Protection. Multi-regime entities may need separate registrations.
Basis: Cabinet Decision 44/2022 · DIFC · ADGM

04 · A privacy policy has been adopted reflecting all applicable UAE regimes. (2.3 points)
Single integrated policy for multi-regime entities, OR jurisdiction-specific variants. Must be approved at executive level. Sets organisational position on lawful basis, data subject rights, transfers, breach response.
Basis: PDPL · DIFC Art. 14 · ADGM Reg. 17

05 · Roles & responsibilities are documented for every business function processing personal data. (2.3 points)
Function-level role mapping. Multi-regime entities must specify which regime governs which activities. The UAE Data Office and DIFC/ADGM regulators ask who is accountable for specific processing.
Basis: PDPL · accountability principle

06 · A privacy risk register exists and is reviewed at least quarterly. (2.3 points)
Should track regulatory exposure across all applicable regimes, control gaps, third-party risks, breach scenarios, cross-border transfer risks. Particular focus on multi-regime conflicts and gaps.
Basis: PDPL · DIFC · ADGM accountability

07 · PDPL awareness training has been rolled out across the organisation. (2.3 points)
Role-specific content. Annual refresh minimum. Multi-regime entities require training that covers each applicable regime. Evidence retained — completion records, content versioning, comprehension checks.
Basis: PDPL · accountability operationalisation
02 · Data inventory & mapping (6 items · weight 11%)
You cannot apply the right regime to the right data without knowing what data exists and where. Data inventory under UAE compliance has an additional dimension: each data asset must be tagged to the regime under which it falls, since processing the same dataset under different regimes carries different obligations.
08 · A complete inventory of personal data systems exists and is maintained. (1.83 points)
All applications, databases, cloud services, file shares, SaaS tools, third-party integrations holding personal data. Updated at least quarterly; ideally driven by automated discovery.
Basis: Federal · DIFC · ADGM accountability

09 · Data assets are tagged to the regime that governs their processing. (1.83 points)
Per-system tag: Federal PDPL · DIFC · ADGM · multi-regime · sectoral overlay. The same customer dataset processed in DIFC has different obligations than the same dataset processed onshore. Without tagging, regime-specific obligations cannot be applied consistently.
Basis: Multi-regime governance discipline

10 · Sensitive personal data is identified and handled under enhanced controls. (1.83 points)
Sensitive data (PDPL definition): family background, ethnicity, political/religious beliefs, criminal records, biometric, genetic, health, sexual life. DIFC and ADGM have similar sensitive categories. Enhanced obligations: explicit consent, restricted processing, additional safeguards.
Basis: PDPL Art. 1 · DIFC Schedule 2 · ADGM

11 · Data flows have been mapped end-to-end, including cross-zone flows. (1.83 points)
Collection → use → storage → sharing → retention → deletion. Per-process. Particular attention to flows between Federal/DIFC/ADGM zones — these are technically cross-jurisdictional even within UAE and trigger transfer mechanisms.
Basis: PDPL · purpose limitation

12 · Records of Processing Activities (ROPA) document is current and complete. (1.83 points)
Per-purpose records: lawful basis, categories of data, data subjects, recipients, retention, security measures, transfer mechanism. Required by DIFC (Art. 15) and ADGM (Reg. 18); strongly expected under Federal PDPL accountability.
Basis: DIFC Art. 15 · ADGM Reg. 18 · Federal accountability

13 · Data minimisation is enforced at point of collection. (1.83 points)
Forms, applications, customer onboarding, employee onboarding. Purpose limitation principle requires only necessary data be collected for the specific declared purpose. Common UAE Data Office finding.
Basis: PDPL · DIFC Art. 9 · ADGM Reg. 9
03 · Lawful basis, consent & child safety (7 items · weight 16%)
UAE PDPL recognises consent as the default lawful basis but accepts other grounds (contract necessity, legal obligation, vital interests, public interest). Federal Decree-Law 26/2025 on Child Digital Safety adds substantive obligations for any processing involving minors — mandatory age verification, content filtering, parental controls, and a strict prohibition on behavioural profiling of children for marketing.
14 · Lawful basis is documented for every processing activity. (2.3 points)
PDPL recognises: consent · contract necessity · legal obligation · vital interests · public interest · employment / social security · medical purposes · archival research. Per-activity documentation showing the specific provision relied on. DIFC and ADGM follow GDPR-style lawful basis structure.
Basis: PDPL Art. 4 · DIFC Art. 9 · ADGM Reg. 9
Flag: Foundation of compliance

15 · Privacy notices meet transparency requirements — clear, accessible, comprehensive. (2.3 points)
Specifies data collected, purposes, recipients, retention, data subject rights, DPO contact (where applicable), transfer mechanisms. Available at point of collection. Plain language. Arabic and English where applicable to user base.
Basis: PDPL Art. 13 · DIFC Art. 14 · ADGM Reg. 17
Flag: Transparency requirement

16 · Consent is collected via affirmative action — explicit, informed, freely given, demonstrable. (2.3 points)
Active opt-in. Granular per purpose. Pre-checked checkboxes are violations. Audit trail of consent events retained — timestamp, version, channel. PDPL requires consent to be "proven" — controllers must be able to demonstrate it.
Basis: PDPL Art. 6 · DIFC Art. 12 · ADGM Reg. 11
Flag: Demonstrable consent

17 · Consent withdrawal is as easy as consent giving. (2.3 points)
Same channel, same friction level. A user who consents in one click should be able to withdraw in one click. Hidden withdrawal mechanisms are a violation of the principle.
Basis: PDPL Art. 6 · DIFC Art. 12

18 · Marketing consent is collected as a separate, explicit opt-in. (2.3 points)
No marketing or promotional communication without explicit opt-in. Consent for service delivery does not authorise marketing. Federal Decree-Law 26/2025 imposes strict additional requirements where marketing reaches minors.
Basis: PDPL · Federal Decree-Law 26/2025

19 · Child Digital Safety obligations under Federal Decree-Law 26/2025 are operational. (2.3 points)
For platforms serving minors: mandatory age verification mechanisms · active content filtering · parental controls · clear labelling for minor-targeted content · strict prohibition on behavioural profiling of children for marketing. See Child Digital Safety.
Basis: Federal Decree-Law 26/2025
Flag: 2025 child safety overlay

20 · Consent records are retained with full audit trail. (2.3 points)
Timestamp, version of notice consented to, channel, IP / device. Retained for the longer of: duration of consent, plus statute-of-limitations period for any related dispute. Required to demonstrate consent under PDPL.
Basis: PDPL Art. 6 · accountability
04 · Data subject rights (6 items · weight 12%)
UAE data subject rights map closely to GDPR — access, rectification, erasure, portability, restriction, objection. Response timelines are tighter than peer regimes: PDPL Executive Regulations require response generally within 14 days. DIFC and ADGM follow GDPR's 30-day default with extension provisions. Multi-regime entities must operate to the strictest applicable timeline per request.
21 · A clear, accessible channel exists for data subjects to exercise their rights. (2 points)
Online form, dedicated email, in-app mechanism — at least one. Cannot be hidden behind login walls or buried in policy. DPO contact prominent where DPO is required. Multi-regime entities should clarify which regulator handles complaints.
Basis: PDPL Art. 14 · DIFC Art. 33 · ADGM Reg. 12

22 · Right of access — workflow exists to provide data subjects a summary of processing. (2 points)
Categories of data, summary of processing activities, identities of recipients, retention periods. Operational workflow exists; not just policy text. Within 14-day Federal default; 30-day DIFC/ADGM default.
Basis: PDPL Art. 13 · DIFC Art. 32 · ADGM Reg. 11

23 · Right to rectification & erasure — workflows exist and respond within timeline. (2 points)
Both correction of inaccurate data and "right to be forgotten" deletion when no longer required. Backup and downstream-system propagation included. Per applicable regime's response timeline.
Basis: PDPL Art. 13 · DIFC Art. 32-33 · ADGM

24 · Right to data portability is operational — machine-readable export available. (2 points)
Common, machine-readable format (CSV, JSON, structured XML). Self-service preferred where feasible. UAE data subjects have explicit portability right — distinguishes UAE from some peer regimes that limit portability scope.
Basis: PDPL Art. 13(5) · DIFC Art. 35 · ADGM

25 · Response timelines are tracked — overdue requests escalated. (2 points)
14-day Federal PDPL default tracked; 30-day DIFC/ADGM default with extension provisions. SLA dashboard. Overdue threshold triggers escalation. Audit-ready evidence of timeliness.
Basis: Cabinet Decision 44/2022 · DIFC · ADGM

26 · Complaint & grievance mechanism is published with regulator escalation path. (2 points)
Published channel for complaints. Escalation path identified per applicable regime: UAE Data Office (Federal), DIFC Commissioner, or ADGM Office of Data Protection. Multi-regime entities should clarify which regulator hears which complaint type.
Basis: PDPL · DIFC · ADGM regulator engagement
05 · Security safeguards (6 items · weight 13%)
PDPL Article 20, DIFC Art. 14, and ADGM Reg. 16 all require "appropriate technical and organisational measures" — interpreted in practice against ISO 27001 / CIS Controls baselines. Sectoral overlays (Central Bank for banking, DESC and NESA for critical infrastructure, DHA for healthcare) layer on additional security obligations.
27 · Encryption is in place for personal data at rest and in transit. (2.17 points)
TLS for transit; AES-256 or equivalent for at-rest. Key management discipline — keys not stored alongside encrypted data. Cloud KMS or equivalent. Sensitive data requires enhanced encryption.
Basis: PDPL Art. 20 · DIFC Art. 14 · ADGM Reg. 16

28 · Access controls follow least-privilege with role-based access & MFA. (2.17 points)
Per-system access reviews. MFA on all administrative access. Privileged access management for high-risk systems. Quarterly access recertification. NESA Information Assurance / DESC ISR alignment for regulated sectors.
Basis: PDPL · NESA / DESC sectoral overlay

29 · Vulnerability management is operational with defined remediation SLAs. (2.17 points)
Continuous scanning. Critical vulnerabilities patched within 72 hours. High within 7 days. SLAs tracked; overdue patches escalated.
Basis: PDPL Art. 20

30 · Logging & monitoring covers personal data systems with retention discipline. (2.17 points)
Audit logs of access, modifications, exports. Retention sufficient for forensics (typically 1 year minimum). Monitoring with alerting on anomalous patterns. SIEM/SOC for organisations of meaningful size.
Basis: PDPL Art. 20 · sectoral overlays

31 · Sectoral residency requirements are met where applicable. (2.17 points)
Central Bank — payment and customer data must be UAE-resident. Health data — electronic medical data cannot leave UAE except in authorised cases. NESA / DESC critical infrastructure — sectoral residency obligations. Microsoft Azure UAE, AWS Bahrain, Oracle UAE provide compliant options.
Basis: Central Bank · DHA · NESA · DESC

32 · DPIA conducted for high-risk processing activities. (2.17 points)
Required for: large-scale sensitive data processing · systematic monitoring · automated decision-making · novel technology including AI. Required under DIFC Art. 20 and ADGM Reg. 21. Strongly expected under Federal PDPL for high-risk activities.
Basis: PDPL · DIFC Art. 20 · ADGM Reg. 21
06 · Breach response & regulator notification (5 items · weight 13%)
DIFC and ADGM impose strict 72-hour breach notification standards. Federal PDPL requires "prompt" notification per Executive Regulations. Multi-regime entities must operate to the strictest standard per breach. Failure to notify is a separately penalisable violation independent of the underlying breach.
33 · A documented breach response plan exists with defined activation triggers. (2.6 points)
Written plan. Activation criteria. Defined roles (IR commander, legal lead, communications lead, regulator liaison). Tested on cadence. See Breach Response.
Basis: PDPL Art. 9 · DIFC Art. 41 · ADGM Reg. 22
Flag: Multi-regime breach plan

34 · Breach detection capability is in place with defined alerting. (2.6 points)
SIEM, UEBA, EDR — capability proportionate to organisation size. Alert thresholds calibrated. 24/7 monitoring or on-call rotation for critical systems. Detection time directly affects 72-hour notification compliance.
Basis: PDPL Art. 20 · DIFC · ADGM

35 · Regulator notification workflow is operational and tested — 72-hour deadline. (2.6 points)
Initial notification template. Regulator notification channel established for each applicable regime: UAE Data Office, DIFC Commissioner, ADGM Office. Designated notifier identified. 72-hour clock starts on awareness, not on confirmation. Practice run conducted at least once.
Basis: PDPL Art. 9 · DIFC Art. 41 · ADGM Reg. 22
Flag: 72-hour notification

36 · Data subject notification process exists for affected individuals. (2.6 points)
Channel established. Pre-prepared message templates in Arabic and English. Mass-notification capability for breaches affecting many individuals. Required when breach poses high risk to data subjects under all three regimes.
Basis: PDPL · DIFC · ADGM

37 · Tabletop exercises run at least annually testing the breach response. (2.6 points)
Realistic scenarios. Cross-functional participation including legal, comms, technical, executive, DPO. Multi-regime entities should exercise scenarios crossing zone boundaries. Lessons learned captured and actioned.
Basis: PDPL · DIFC · ADGM operational discipline
07 · Cross-border transfers (5 items · weight 13%)
UAE PDPL, DIFC, and ADGM each maintain their own cross-border transfer regimes — adequacy determinations and approved transfer mechanisms vary by jurisdiction. Financial sector localisation rules layer on top. Cross-border transfer governance is materially more complex than single-regime jurisdictions because flows between Federal/DIFC/ADGM zones may themselves be technically cross-jurisdictional.
38 · All cross-border transfers of personal data are inventoried. (2.6 points)
Inventory of every flow leaving UAE / DIFC / ADGM zones: cloud providers, SaaS platforms, vendors, intra-group transfers, support and analytics. Per-flow: destination country, regime governing source, data categories, lawful basis, transfer mechanism.
Basis: PDPL Art. 22 · DIFC Art. 26 · ADGM Reg. 13

39 · Transfer mechanism is in place for each cross-border flow under each applicable regime. (2.6 points)
Adequacy decision · Standard Contractual Clauses · Binding Corporate Rules · explicit consent · contractual necessity · vital interests. Each regime maintains its own list of adequate jurisdictions and approved SCC templates. Multi-regime entities must satisfy each regime separately.
Basis: PDPL Art. 22-23 · DIFC Art. 27 · ADGM Reg. 14
Flag: Multi-regime transfer mechanisms

40 · Transfer Impact Assessment conducted for sensitive data transfers. (2.6 points)
Documents the destination country's legal framework, recipient's safeguards, residual risk. Required when sensitive data leaves jurisdiction without adequacy decision. Particularly relevant under DIFC and ADGM, GDPR-aligned.
Basis: PDPL · DIFC Art. 27 · ADGM Reg. 14

41 · Sectoral residency restrictions are honoured where applicable. (2.6 points)
Central Bank of UAE — payment data UAE-resident, payment-services data 5+ year retention, 72-hour card-scheme breach notification. DHA — health data restrictions. NESA / DESC — critical infrastructure. These overlay PDPL transfer rules and are typically stricter.
Basis: Central Bank · DHA · NESA · DESC

42 · Cross-border transfer log is maintained with monitoring discipline. (2.6 points)
Per-transfer log: date, volume, destination, source regime, lawful basis, mechanism. Periodically reviewed. Used to support disclosure requests during regulatory investigations. UAE Data Office, DIFC, and ADGM may request transfer evidence.
Basis: PDPL · DIFC · ADGM accountability
08 · Vendor governance & retention (8 items · weight 6%)
Under all three UAE regimes, the Controller remains accountable for processor actions. Combined with retention discipline, this category covers the operational backbone. It is weighted lower because gaps here are typically remediable with focused effort; the higher-weighted categories represent more systemic failures.
43 · A complete inventory of Data Processors exists. (0.75 points)
All vendors processing personal data on behalf of the organisation — cloud providers, SaaS tools, analytics platforms, marketing vendors, payroll, recruitment, customer support. Inventory tagged by which regime governs each vendor relationship.
Basis: PDPL · DIFC Art. 24 · ADGM Reg. 23

44 · Data Processing Agreements are in place with every processor. (0.75 points)
DPA terms specifying processor obligations, audit rights, sub-processor consent, breach notification, return / deletion at engagement end. See Vendor Risk Management.
Basis: PDPL · DIFC Art. 24 · ADGM Reg. 23

45 · Vendor due diligence process exists with risk-based depth. (0.75 points)
Onboarding security questionnaire. Tier-based assessment depth. Refresh cadence. Documented evidence retained. Particular focus on processors handling sensitive data or operating across regime boundaries.
Basis: PDPL · proportionate oversight

46 · Sub-processor consent and notification mechanism is operational. (0.75 points)
Authorisation regime — general or specific. Notification of changes. Right to object. Cascade flow-down to sub-processors documented. Particular focus where sub-processors host outside UAE.
Basis: DIFC Art. 24 · ADGM Reg. 23

47 · Retention schedules exist per data category and per purpose. (0.75 points)
Documented retention period per data type. Justification linked to original purpose or statutory obligation. Reviewed annually for currency. Sectoral overlays (e.g., 5-year payment data retention under Central Bank rules) tracked separately.
Basis: PDPL Art. 7 · sectoral overlays

48 · Automated deletion workflows enforce retention schedules. (0.75 points)
Time-based deletion automation. Manual deletion as exception, not norm. Evidence retained that deletion actually occurred.
Basis: PDPL Art. 7 · DIFC · ADGM

49 · Backup retention follows the same retention schedule as primary data. (0.75 points)
Most common UAE retention gap. Backups frequently outlive their primary data — and those backups remain in scope. Backup retention windows must align with primary retention.
Basis: PDPL Art. 7 · operational discipline

50 · Erasure rights from data subjects propagate to backups, archives, and processors. (0.75 points)
End-to-end deletion workflow. Vendor processor cooperation contractually required. Evidence of full propagation retained. Most challenging integration in practice across multi-regime entities.
Basis: PDPL Art. 13 · DIFC · ADGM
Your verdict
Where you actually stand.
The composite score below weights each category by UAE-specific risk. Jurisdictional analysis (16%) and lawful basis with child safety (16%) are the highest-weighted categories — failures here cascade into every other control. Vendor and retention items are weighted lower not because they don't matter, but because they are typically remediable with focused effort.
Your composite score will appear here as you answer items. The scoring weights jurisdictional analysis and lawful basis at 16% each — these are the foundation everything else depends on. Under-scoring is more useful than over-scoring; the goal is an honest baseline, not a flattering one.
Scoring methodology
How the score works.
Each item scores Yes (full credit) / Partial (half credit) / No (zero). Items within a category sum to the category's weighted contribution. The maturity bands below reflect UAE's distinctive multi-regime reality. Items flagged as "Most common UAE compliance failure" or "Multi-regime governance" represent areas where compliance failures most consistently surface in due diligence and regulatory investigations.
Band · Score · Interpretation in UAE multi-regime context
Pre-compliance · Below 30% · Substantial gaps across most categories. Highest probability cause: jurisdictional analysis incomplete or wrong regime applied. Treat as fresh build prioritising jurisdictional clarity first — without that, every other control is operating in the wrong frame.
Building · 30 — 55% · Foundation visible, core gaps remain. Typical state for organisations that focused on a single regime (often Federal PDPL) without addressing DIFC/ADGM operations. Realistic 6-month remediation horizon. Concentrate first on multi-regime governance, transfer mechanisms, and child safety obligations under Federal Decree-Law 26/2025.
Operationally compliant · 55 — 75% · Most obligations operational across applicable regimes. Remaining gaps typically targeted — specific consent flows, vendor portfolio coverage, cross-regime data flow tagging, sectoral overlay alignment. UAE Data Office / DIFC / ADGM inspection would identify specific findings rather than systemic failures.
Audit-ready · 75 — 90% · Programme operating at near-full coverage across all applicable regimes. Remaining gaps usually high-effort items — backup-retention alignment, full erasure propagation across multi-regime systems, sophisticated cross-border transfer mechanisms. Stands up to credible regulatory inspection.
PDPL-mature · Above 90% · Comprehensive operational compliance across all applicable UAE regimes. Maintenance discipline rather than build effort. Honest 90%+ self-assessments are uncommon — under-scoring is more useful than over-scoring. Most UAE organisations on this band are also pursuing ISO 27701 certification as the natural complement.
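The Yes / Partial / No credit rule, the category weights and the maturity bands described above, carried through as an added Python example (not the page's own scoring code). Weights, item counts and band thresholds come from the page; treating each band's lower bound as inclusive, scoring unanswered items as zero, the three-category gap ranking and the sample answer set are my assumptions.

```python
"""Weighted readiness scoring for the 50-item UAE PDPL self-assessment."""
from typing import Dict, List, Tuple

# Credit per answer, as the methodology states: Yes / Partial / No.
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Category -> (weight in %, number of items), as listed on the page; weights sum to 100.
CATEGORIES: Dict[str, Tuple[int, int]] = {
    "jurisdiction": (16, 7),
    "inventory": (11, 6),
    "lawful_basis": (16, 7),
    "rights": (12, 6),
    "security": (13, 6),
    "breach": (13, 5),
    "cross_border": (13, 5),
    "vendors_retention": (6, 8),
}

# Maturity bands as (lower bound %, name). Assumption: the lower bound is
# inclusive, so exactly 55% is "Operationally compliant" and 90% is "PDPL-mature".
BANDS: List[Tuple[float, str]] = [
    (90, "PDPL-mature"),
    (75, "Audit-ready"),
    (55, "Operationally compliant"),
    (30, "Building"),
    (0, "Pre-compliance"),
]

def category_score(category: str, answers: List[str]) -> Tuple[float, float]:
    """Return (earned, available) points; each item is worth weight/count (16/7 = 2.3).
    Unanswered items are simply absent from the list and earn zero (assumption)."""
    weight, count = CATEGORIES[category]
    if len(answers) > count:
        raise ValueError(f"{category}: {len(answers)} answers for {count} items")
    bad = [a for a in answers if a not in CREDIT]
    if bad:
        raise ValueError(f"invalid answers {bad}; expected yes / partial / no")
    earned = sum(CREDIT[a] * weight / count for a in answers)
    return round(earned, 2), float(weight)

def band_for(composite_pct: float) -> str:
    """Map a composite percentage to its maturity band."""
    for lower, name in BANDS:
        if composite_pct >= lower:
            return name
    return BANDS[-1][1]

def assess(answers: Dict[str, List[str]]) -> Dict[str, object]:
    """Composite readiness, per-category percentages, band and a gap ranking."""
    unknown = set(answers) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    per_cat: Dict[str, float] = {}
    total, answered = 0.0, 0
    for cat in CATEGORIES:
        earned, available = category_score(cat, answers.get(cat, []))
        per_cat[cat] = round(100 * earned / available, 1)
        total += earned
        answered += len(answers.get(cat, []))
    composite = round(total, 2)  # weights sum to 100, so points equal percent
    # Gap analysis: weakest categories first; the heavier weight wins a tie.
    gaps = sorted(CATEGORIES, key=lambda c: (per_cat[c], -CATEGORIES[c][0]))
    return {"answered": answered, "composite_pct": composite, "band": band_for(composite),
            "category_pct": per_cat, "priority_gaps": gaps[:3]}

# Constructed sample: a group that has done its jurisdiction and security work
# but has not yet touched data subject rights or cross-border transfers.
SAMPLE: Dict[str, List[str]] = {
    "jurisdiction": ["yes"] * 7,
    "inventory": ["yes"] * 3 + ["partial"] * 3,
    "lawful_basis": ["partial"] * 7,
    "security": ["yes"] * 6,
    "breach": ["yes", "yes", "no", "no", "no"],
    "cross_border": ["no"] * 5,
    "vendors_retention": ["yes"] * 8,
}
```

Running `assess(SAMPLE)` on the constructed answers gives 44 of 50 answered, a composite of 56.45% in the "Operationally compliant" band, with cross-border transfers and data subject rights as the top gaps.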
This tool is a working baseline, not a regulatory determination. The UAE Data Office, DIFC Commissioner, and ADGM Office of Data Protection determine compliance through formal investigation; nothing here substitutes for that. The tool's value is in honest internal assessment — identifying where remediation effort should concentrate before regulatory exposure crystallises. For substantive review of your UAE PDPL posture, particularly across multiple regimes, a Readiness Review or DPO-as-a-Service engagement is the natural next step.
Three regimes. One programme.
UAE's multi-regime compliance reality demands jurisdictional clarity before everything else. If your score reveals gaps in jurisdictional analysis or multi-regime governance, a 30-minute scoping call costs nothing — we will tell you honestly which regime applies to which entity, where the highest-priority gaps are, and what realistic remediation looks like for organisations operating across Federal, DIFC, and ADGM jurisdictions.