UAE AI Compliance Guide: PDPL & DIFC Regulation 10
Two separate regimes govern AI and data in the UAE. Most businesses are caught by at least one — and many don't know which.
Deploying AI in the UAE means operating under two distinct data protection regimes: the federal Personal Data Protection Law (PDPL, Decree-Law 45/2021) for mainland businesses, and the DIFC Data Protection Law with Regulation 10 on Automated Processing for firms in the Dubai International Financial Centre. The frameworks are not interchangeable — a DIFC business is not governed by federal PDPL, and a mainland business does not owe obligations under DIFC Regulation 10. Many UAE SMEs operate across both jurisdictions and owe obligations under both. This guide maps the key obligations for businesses deploying LLMs, RAG systems, or AI-powered workflows.
What this means for your business
- Identify which jurisdiction(s) apply to your business — mainland PDPL, DIFC DPL, ADGM DPR, or multiple
- Conduct a Data Protection Impact Assessment (DPIA) before deploying AI that processes personal data at scale or in novel ways
- Provide transparency notices to individuals whose data an AI system processes — including the system's purpose, outputs, and safeguards
- Establish a lawful basis for every category of personal data your AI system processes
- Map cross-border data flows — if data moves between mainland and free zones, or outside the UAE, safeguards are required
Full enforcement since January 2026. Three transparency requirements, mandatory DPIAs with verified fines.
- Healthcare: Patient records, appointment data, and clinical AI under PDPL. Can your clinic use ChatGPT with patient data?
- Legal: Client confidentiality meets AI. DIFC and mainland obligations for firms running RAG over case archives.
- Real estate: Buyer identity, transaction records, and lead data under PDPL. What brokerages need to know.
How on-premise AI addresses these obligations
On-premise LLM deployment addresses the most common compliance gap: data leaving your environment. When the model runs on your own hardware inside the UAE, your staff's queries and your customers' data never reach an external API. No cross-border transfer, no third-party processor to add to your DPIA, no cloud sub-processor to disclose. It doesn't eliminate your compliance obligations — you still need transparency notices, DPIAs, and a lawful basis — but it removes the most exposed surface area.
Frequently Asked Questions
- Does PDPL apply to my Dubai business?
- If your business is registered on the UAE mainland (not in a financial free zone like DIFC or ADGM), federal PDPL (Decree-Law 45/2021) applies. DIFC and ADGM-registered firms operate under their own separate data protection regimes and are exempt from federal PDPL — but may owe parallel obligations under DIFC Data Protection Law 5/2020 or ADGM Data Protection Regulations.
- What is a DPIA and when do I need one?
- A Data Protection Impact Assessment (DPIA) is a documented risk assessment of how a processing activity affects individuals' privacy. Under PDPL Article 21, a DPIA is required when processing involves new technologies likely to create high risk, or systematic automated evaluation of personal aspects — which covers most LLM and RAG deployments by interpretation. Under DIFC law (amended July 2025), failure to conduct a mandatory DPIA carries a maximum fine of USD 50,000 under Article 20 of the DIFC Data Protection Law (increased from USD 20,000 by the July 2025 amendment).
- Can a UAE business use ChatGPT or Azure OpenAI with customer data?
- Only with appropriate safeguards. Sending customer personal data to a cloud AI provider creates a cross-border transfer (the processing occurs on servers outside the UAE) and adds a third-party processor to your DPIA. For sensitive categories — patient health data, financial records, legal files — the risk profile is significantly higher. On-premise deployment eliminates this transfer entirely. Note: as of early 2026, the UAE Data Office has not published an official adequacy country list, so organisations currently must rely on standard contractual clauses (SCCs), binding corporate rules (BCRs), explicit consent, or another mechanism listed under PDPL Articles 22–23 to authorise any cross-border transfer.
- What is the difference between mainland PDPL and DIFC Regulation 10?
- Federal PDPL (Decree-Law 45/2021) applies across the UAE mainland and sets general personal data protection obligations including lawful basis, data subject rights, and DPIAs for high-risk processing. DIFC Regulation 10 on Automated Processing is an AI-specific supplement to DIFC Data Protection Law 5/2020, in full enforcement since January 2026, that requires specific transparency notices for AI systems and mandates DPIAs for high-risk AI — with a maximum fine of USD 50,000 for DPIA failure under Article 20 (DIFC Amendment Law, July 2025).