Compliance

UAE PDPL and Insurance Brokers: What You Need to Know Before It's Enforced

April 8, 2026

The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) represents the most significant change to data privacy regulation in the UAE since the country's internet law. For insurance brokers, who routinely collect, process, and store sensitive personal and financial data, the implications are substantial.

What the PDPL requires

The PDPL establishes a set of principles that will be familiar to anyone with experience of GDPR in Europe, though with UAE-specific provisions. At its core, it requires that personal data be processed lawfully, fairly, and transparently; collected only for specified, explicit, and legitimate purposes; and retained only for as long as necessary.

For insurance brokers, the most operationally significant requirements relate to consent, data subject rights, security, and data transfers.

Consent and lawful basis

Under the PDPL, you need a lawful basis for processing personal data. For insurance brokers, this is typically contractual necessity (you cannot provide insurance without collecting personal data) or legitimate interest. Where you collect data beyond what is strictly necessary for the insurance product — for example, marketing communications — you need explicit consent.

This means your customer intake process needs to clearly distinguish between data collected to process the insurance request and data collected for other purposes. A WhatsApp conversation where the customer sends their Emirates ID does not constitute documented consent.

Data subject rights

The PDPL grants individuals rights including access to their personal data, correction of inaccurate data, and erasure in certain circumstances. Insurance brokers need to be able to respond to these requests within defined timeframes.

If your customer data is distributed across WhatsApp conversations, email attachments, and spreadsheets, responding to a data subject access request is an onerous manual exercise. Centralised, structured data storage makes this manageable.

  • Right to access — customer can request all personal data you hold about them
  • Right to correction — customer can request correction of inaccurate data
  • Right to erasure — limited right to request deletion (subject to legal retention requirements)
  • Right to restriction — customer can request processing be limited in certain circumstances
  • Right to data portability — customer can request their data in a structured, machine-readable format

Security requirements

The PDPL requires appropriate technical and organisational security measures. For insurance data — which often includes Emirates ID, financial information, and health data — this means encrypted storage, access controls, and audit logs. It also means having a documented data breach response procedure.

Storing policy documents and customer data in personal WhatsApp, unencrypted email, or shared drives without access controls is not compatible with PDPL security requirements.

Data transfers outside the UAE

If you use cloud software hosted outside the UAE — which many SaaS tools are — the PDPL has specific requirements around international data transfers. Software that stores data on UAE servers, or that meets the PDPL's adequacy requirements, avoids this complexity.

Practical steps for brokers

  • Audit where customer personal data is currently stored — email, WhatsApp, spreadsheets, CRM
  • Map what data is collected, why, and for how long it is retained
  • Implement a privacy notice that customers see before data is collected
  • Establish a documented process for responding to data subject requests
  • Move to centralised, access-controlled storage for customer documents and communications
  • Ensure software vendors have UAE data residency or appropriate transfer mechanisms

PDPL compliance is not a box-ticking exercise — it is an ongoing operational commitment. The brokerages best positioned to comply are those that have already moved away from informal data handling practices toward structured, auditable systems. The investment pays dividends beyond compliance: customers who trust you with their data renew more often and refer more clients.

Ready to modernise your brokerage?

See how Apinsurance transforms document collection, quoting, and policy management for UAE brokers.