Every HR team has a quiet data problem. Personnel files live in shared drives, scanned passports sit in email attachments, payroll reports arrive unencrypted, and exit data lingers long after it should. The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its 2023 regulations now make this a governance issue — not just a hygiene one.

What PDPL actually requires

The law applies to employers processing personal data inside the UAE, and to employers outside it that process the data of people in the UAE; employers in DIFC and ADGM fall under those zones' own regimes instead (see below). It imposes six processing principles: lawfulness (with fairness and transparency), purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality (security). It grants data subjects, including your employees, rights to access, correct, delete, restrict and port their data, and to object to purely automated decisions about them.

Why HR is the highest-risk function

Because HR handles the most sensitive categories: identity documents, medical records, performance data, disciplinary records, pay information, and in some cases biometric data. Health and biometric data are "sensitive personal data" under PDPL and carry stricter processing conditions. Most of the breaches we see at UAE employers start in HR file shares and mailboxes, not in the applications IT hardens and monitors.

“Your employees trust you with their most personal data. Treat it like you treat their salary.”

Nine things to put right this quarter

  1. Employee privacy notice — a written, dated notice explaining what data you collect, on what lawful basis, why, how long you keep it, and with whom you share it.
  2. Consent where required — certain processing (biometric attendance, background checks, marketing) needs explicit consent, not implied. Consent must be freely given, which is hard to show where an employee has no real choice; rely on the employment contract or a legal obligation as the basis wherever one genuinely applies, and keep consent for the cases that need it.
  3. Retention schedule — a table showing how long each data type lives in each system, paired with a mechanism that actually deletes or anonymises the data when the period ends. A schedule nobody executes does not satisfy storage limitation.
  4. Access control — role-based permissions on HRIS, payroll and document storage, extended to the shared drives and mailboxes where personnel files actually sit, with periodic access reviews and removal of access when people change role or leave.
  5. DSAR process — a documented procedure for responding to employee data-access requests within the period the executive regulations set; plan for 30 days as the working target.
  6. Breach response plan — named owner, a notification timeline to the UAE Data Office and affected employees that meets the regulatory deadline (72 hours is the benchmark DIFC and GDPR use), and an evidence log.
  7. Vendor due diligence — data-processing addenda with every HR tech vendor, covering sub-processors, where the data is hosted, and what happens to it when the contract ends.
  8. Cross-border transfer mapping — every time employee data leaves the UAE (including to a group HR system or a cloud vendor abroad), you need a lawful transfer basis: an adequacy decision, appropriate safeguards such as contractual clauses, or one of the law's specific exceptions.
  9. Training — everyone with HR access trained annually on the policy and their role in it.

The DIFC and ADGM overlay

Employers registered in DIFC or ADGM operate under separate, more mature data-protection regimes (DIFC DP Law 2020 and ADGM Data Protection Regulations 2021). Group employers spanning mainland and financial free zones need a coordinated privacy framework, not three parallel ones.

◆ Key Takeaways

Data protection in HR is not a technology project. It is a discipline project. The policies are standard; the follow-through is where employers diverge.