Back to BlogSecurity

GCC Hospital Data Security 2026 — UAE PDPL & Saudi PDPL Compliance Guide

Jul 3, 2026 12 min readAESA

Complete guide to GCC hospital data security — UAE Personal Data Protection Law (PDPL), Saudi PDPL, data residency requirements, breach notification, DHA data security standards, and security software.

GCC data protection laws (UAE PDPL, Saudi PDPL) require data residency, consent, and breach notification within 72 hours. Non-compliance can result in fines up to SAR 5 million / AED 5 million. This guide covers GCC hospital data security.

GCC Data Protection Laws

GCC Data Protection Laws
LawCountryKey RequirementsPenalties
UAE PDPLUAEConsent, data residency, breach notification, DPOAED 500K-5M
Saudi PDPLSaudi ArabiaConsent, data localisation, breach notificationSAR 500K-5M
DHA Data StandardsDubaiDHA data security, Malaffi integrationLicense revocation
Qatar PDPLQatarConsent, data residency, breach notificationQAR 1M-5M
Bahrain PDPLBahrainConsent, breach notificationBHD 10K-50K

Hospital Data Security Requirements

  1. Data residency: Store all health data within country borders (UAE/Saudi)
  2. Encryption: Encrypt data at rest (AES-256) and in transit (TLS 1.3)
  3. Access control: Role-based access, MFA, audit logging
  4. Consent management: Document patient consent for data processing
  5. Breach notification: Notify regulator within 72 hours of breach
  6. Data subject rights: Allow patients to access, correct, delete their data
  7. Data Protection Officer: Appoint DPO for large healthcare organisations
  8. Regular audits: Annual security audits and penetration testing

DHA Health Data Security Standards

DHA Health Data Security Standards
StandardDescriptionCompliance
DHCC data standardsData security for DHCC facilitiesMandatory for DHCC
Malaffi securityHealth information exchange securityAbu Dhabi facilities
DHA e-Claims securitySecure claims data transmissionAll Dubai facilities
Patient privacyDHA patient privacy standardsAll Dubai facilities
Data residencyHealth data stored in UAEAll UAE facilities

Frequently Asked Questions

What is UAE PDPL?
UAE PDPL (Personal Data Protection Law — Federal Decree-Law No. 45 of 2021) regulates personal data protection in the UAE. For healthcare, it requires: consent for data processing, data residency (data must stay in UAE), breach notification within 72 hours, data subject rights (access, correction, deletion), and Data Protection Officer for large organisations.
What is Saudi PDPL?
Saudi PDPL (Personal Data Protection Law — issued 2021, enforced 2023) regulates personal data in Saudi Arabia. For healthcare: consent required, data localisation for health data, breach notification within 72 hours, patient rights to access and correct data, and penalties up to SAR 5 million for violations.
What are GCC data residency requirements?
GCC data residency laws require health data to be stored within the country: UAE — health data must stay in UAE (DHA requirement), Saudi Arabia — health data must stay in Saudi (PDPL + MOH requirement), Qatar — health data must stay in Qatar. Cloud providers must have in-country data centres. Cross-border data transfer requires approval.