There is currently no modern data protection law of general application in the United Arab Emirates, and there is accordingly no Data Protection Authority.
Local media reports indicate that a draft data protection law applicable to the financial services sector is being considered, along with a draft data protection law of general application. There has been no indication of the expected timeline for issuance of these laws.
Otherwise, there are local law considerations that could be material when assessing personal data processing activities, either in an HR context or more broadly. These include penal code prohibitions on disclosures of secrets or misuse of information/data, as well as sector-specific considerations such as a healthcare technology law requiring data localisation and an IoT (Internet of Things) policy requiring the same. None of these local law considerations have been prepared with GDPR in mind.
Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
The UAE has a number of free zones, some of which have modern data protection regimes applicable to entities licensed in such free zones. Besides a healthcare-focussed free zone that has regulations relating to patient health information, there are two notable financial services free zones: the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). ADGM and DIFC can be understood as legal jurisdictions with a high degree of legislative autonomy. Both have modern data protection regimes that reflect some degree of similarity with the European Data Protection Directive 95/46. The data protection rules in both these jurisdictions are currently being updated for general consistency with GDPR.