# UAE Federal PDPL — Data Protection Impact Assessment

> Draft and validate a DPIA under UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL) and its Executive Regulations. Covers data inventory, lawful basis, cross-border transfers, and 72-hour breach notification.



Tags: UAE, PDPL, Privacy, DPIA, Data protection


## Example Prompts

- Draft a DPIA for our UAE operations under Federal PDPL
- Check our DPIA for lawful basis and 72-hour breach notification
- Validate DPIA for cross-border transfers and data subject rights

URL: https://rakenne.app/skills/ae-pdpl-data-protection-assessment/index.md

Try this skill: https://rakenne.app/a/?skill=ae-pdpl-data-protection-assessment




## Example Conversation

> **You:** We need a DPIA for our UAE entity under Federal PDPL. We need to document lawful basis per processing, cross-border transfers, 72-hour breach notification, and data subject rights. Can you draft it and run the checker?

> **Agent:** I’ll draft the DPIA with processing inventory, lawful basis per activity (consent, contractual, legal obligation, etc.), cross-border transfer mechanism (adequacy or contractual safeguards), data subject rights (access, rectification, erasure, restriction, portability, objection), DPO where required, and 72-hour breach notification procedure. Then I’ll run `uae_pdpl_dpia_checker`.

> **Agent:** Created `dpia-uae-pdpl.md`. Running `uae_pdpl_dpia_checker`…

> **Agent:** Check **PASS** — lawful basis is specified per processing, cross-border transfer mechanism is documented, 72-hour breach notification is in place, data subject rights are addressed, and DPO is documented. Ready for review.

## What the Tools Validate

**`uae_pdpl_dpia_checker`** scans the DPIA document for:

- **Lawful basis** — Each processing activity must have a specified lawful basis (consent, contractual necessity, legal obligation, vital interests, public interest, legitimate interests).
- **Cross-border transfer mechanism** — The mechanism for each transfer must be documented: either an adequate jurisdiction (per the UAE Data Office list) or approved contractual or other safeguards.
- **Breach notification** — Procedure for notifying the UAE Data Office (and affected individuals as required) within **72 hours** must be documented.
- **Data subject rights** — Access, rectification, erasure, restriction, portability, objection must be addressed.
- **DPO** — DPO appointment must be documented where required under the PDPL.

**Output:** PASS if all are present; otherwise FAIL with a line per missing element. Fix gaps and re-run until the check passes.
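The five checks above can be sketched as follows. This is an added example, not the code of `uae_pdpl_dpia_checker`; the section titles other than "Lawful basis" and "Breach notification", the finding messages, and the sample document are assumptions made for illustration.

```python
import re
# Assumption: section titles other than "Lawful basis"/"Breach notification".
BASES = ("consent", "contractual", "legal obligation",
         "vital interests", "public interest", "legitimate interests")
RIGHTS = ("access", "rectification", "erasure", "restriction", "portability", "objection")

def section(doc, title):  # body of the '## <title>' section, '' if absent
    m = re.search(rf"^##[ \t]+{re.escape(title)}[ \t]*$(.*?)(?=^##[ \t]|\Z)",
                  doc, re.I | re.M | re.S)
    return m.group(1) if m else ""

def table_rows(body):  # cells of each table row, minus header and separator
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in body.splitlines() if ln.strip().startswith("|")]
    return [r for r in rows[1:] if not all(set(c) <= set("-: ") for c in r)]

def check_dpia(doc):
    """Return ('PASS' or 'FAIL', findings), one finding per missing element."""
    findings = []
    rows = table_rows(section(doc, "Lawful basis"))
    if not rows:
        findings.append("Lawful basis: no processing activities listed")
    for r in rows:  # every activity needs its own recognised basis
        basis = r[1].lower() if len(r) > 1 else ""
        if not any(b in basis for b in BASES):
            findings.append(f"Lawful basis: none specified for '{r[0]}'")
    if not re.search(r"adequa|safeguard", section(doc, "Cross-border transfers"), re.I):
        findings.append("Cross-border transfer: mechanism not documented")
    if not re.search(r"\b72[\s-]*hours?\b", section(doc, "Breach notification"), re.I):
        findings.append("Breach notification: 72-hour timeline not documented")
    missing = [x for x in RIGHTS if x not in section(doc, "Data subject rights").lower()]
    if missing:
        findings.append("Data subject rights: not addressed: " + ", ".join(missing))
    if not section(doc, "DPO").strip():
        findings.append("DPO: appointment not documented")
    return ("FAIL" if findings else "PASS"), findings

# Constructed sample: one activity has no basis and there is no DPO section.
SAMPLE = """## Lawful basis
| Processing activity | Lawful basis          |
|---------------------|-----------------------|
| HR payroll          | Contractual necessity |
| Web analytics       | TBD                   |
## Cross-border transfers
Transfers rely on approved contractual safeguards.
## Breach notification
Reported to the UAE Data Office within **72 hours** of becoming aware.
## Data subject rights
Access, rectification, erasure, restriction, portability, objection.
"""
```

Calling `check_dpia(SAMPLE)` returns FAIL with two findings: the row that has no recognised basis and the missing DPO section. Keyword presence shows only that an element is written down, so a PASS still needs human review of the content.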

## Output Excerpt

**DPIA (excerpt):**

```markdown
## Lawful basis
| Processing activity        | Lawful basis           |
|----------------------------|------------------------|
| HR payroll                 | Contractual necessity  |
| Marketing (email)          | Consent                |
| Regulatory reporting       | Legal obligation       |

## Breach notification
- Breaches that pose a risk to personal data are reported to the UAE Data Office within **72 hours** of becoming aware. Affected individuals are notified where required by the PDPL and Executive Regulations.
```

**uae_pdpl_dpia_checker report (excerpt):**

```
=== UAE PDPL DPIA CHECK ===
Result: PASS
Document: dpia-uae-pdpl.md
Lawful basis is specified per processing activity...
Data breach notification timeline (72 hours) is documented.
DPIA meets UAE PDPL DPIA expectations.
```

## Getting Started

Add your source materials to the project workspace (e.g. processing inventory or transfer map), then activate the *UAE Federal PDPL — Data Protection Impact Assessment* skill. The agent will guide you through drafting the DPIA and running `uae_pdpl_dpia_checker` until the check passes.


