Complete guide to GCC hospital data security — UAE Personal Data Protection Law (PDPL), Saudi PDPL, data residency requirements, breach notification, DHA data security standards, and security software.
GCC data protection laws (UAE PDPL, Saudi PDPL) require data residency, consent, and breach notification within 72 hours. Non-compliance can result in fines up to SAR 5 million / AED 5 million. This guide covers GCC hospital data security.
GCC Data Protection Laws
| Law | Country | Key Requirements | Penalties |
|---|---|---|---|
| UAE PDPL | UAE | Consent, data residency, breach notification, DPO | AED 500K-5M |
| Saudi PDPL | Saudi Arabia | Consent, data localisation, breach notification | SAR 500K-5M |
| DHA Data Standards | Dubai | DHA data security, Malaffi integration | License revocation |
| Qatar PDPL | Qatar | Consent, data residency, breach notification | QAR 1M-5M |
| Bahrain PDPL | Bahrain | Consent, breach notification | BHD 10K-50K |
Hospital Data Security Requirements
- Data residency: Store all health data within country borders (UAE/Saudi)
- Encryption: Encrypt data at rest (AES-256) and in transit (TLS 1.3)
- Access control: Role-based access, MFA, audit logging
- Consent management: Document patient consent for data processing
- Breach notification: Notify regulator within 72 hours of breach
- Data subject rights: Allow patients to access, correct, delete their data
- Data Protection Officer: Appoint DPO for large healthcare organisations
- Regular audits: Annual security audits and penetration testing
DHA Health Data Security Standards
| Standard | Description | Compliance |
|---|---|---|
| DHCC data standards | Data security for DHCC facilities | Mandatory for DHCC |
| Malaffi security | Health information exchange security | Abu Dhabi facilities |
| DHA e-Claims security | Secure claims data transmission | All Dubai facilities |
| Patient privacy | DHA patient privacy standards | All Dubai facilities |
| Data residency | Health data stored in UAE | All UAE facilities |
Frequently Asked Questions
- What is UAE PDPL?
- UAE PDPL (Personal Data Protection Law — Federal Decree-Law No. 45 of 2021) regulates personal data protection in the UAE. For healthcare, it requires: consent for data processing, data residency (data must stay in UAE), breach notification within 72 hours, data subject rights (access, correction, deletion), and Data Protection Officer for large organisations.
- What is Saudi PDPL?
- Saudi PDPL (Personal Data Protection Law — issued 2021, enforced 2023) regulates personal data in Saudi Arabia. For healthcare: consent required, data localisation for health data, breach notification within 72 hours, patient rights to access and correct data, and penalties up to SAR 5 million for violations.
- What are GCC data residency requirements?
- GCC data residency laws require health data to be stored within the country: UAE — health data must stay in UAE (DHA requirement), Saudi Arabia — health data must stay in Saudi (PDPL + MOH requirement), Qatar — health data must stay in Qatar. Cloud providers must have in-country data centres. Cross-border data transfer requires approval.