Data Protection in the Telecommunications Sector of the UAE

Contributors

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Salma Khan

Data Privacy Analyst

CIPP/Asia

I. Introduction

As the telecommunications sector in the United Arab Emirates (UAE) continues to evolve with the rapid adoption of digital technologies, safeguarding personal data has become a critical concern. With the rise of 5G networks, IoT devices, and cloud-based services, the volume of sensitive personal information being processed is growing exponentially. This digital transformation exposes telecommunication companies to emerging privacy concerns that threaten the confidentiality, integrity, and availability of data.

Under Federal Decree-Law No. 3 of 2003 (Telecomm Law), telecommunication services include transmitting, broadcasting, converting, or receiving communications via a telecommunications network. This covers wired and wireless communications, audio and visual content, signal transmission (excluding public broadcasts), machine control signals, equipment interconnection, internet services, and any other services approved by the High Committee, the body the Telecomm Law establishes to oversee and regulate the telecom sector. The sector therefore encompasses a range of activities, such as providing internet access, managing communication networks, and offering digital content services.

II. Overview of Regulatory Framework

UAE Personal Data Protection Law (PDPL) – Federal Decree-Law No. 45 of 2021

The PDPL establishes the country’s first comprehensive data protection framework, governing personal data collection, processing, and storage. Modelled on international standards like the GDPR, the PDPL applies to entities processing personal data within the UAE (excluding free zones with their own regulations, such as DIFC and ADGM).

The PDPL grants individuals rights over their data, including access, correction, and deletion. It also imposes obligations on organizations to ensure transparency, data security, and lawful processing. Moreover, it regulates cross-border data transfers, requiring adequate safeguards for international data flows. The UAE Data Office is responsible for PDPL enforcement, issuing regulations, and ensuring compliance.

Federal Decree-Law No. 3 of 2003 – Telecommunications Law

At the core of the UAE's telecommunications regulatory framework is Federal Decree-Law No. 3 of 2003 (Telecomm Law), which regulates the telecommunications sector. It establishes the Telecommunications and Digital Government Regulatory Authority (TDRA) as the primary regulatory body overseeing the sector.

The Telecomm Law mandates that telecom operators and service providers ensure the security and privacy of personal data, and it imposes strict penalties for non-compliance, including fines and license revocation.

Telecommunications and Digital Government Regulatory Authority (TDRA)

The TDRA is the regulatory body responsible for overseeing the telecommunications sector in the UAE, including telecom operators, internet service providers, and other digital service providers. The TDRA has the following key responsibilities:

  1. Issuing Regulations and Guidelines: The TDRA issues rules and regulations for telecom operators and service providers, including guidelines on data protection, cybersecurity, and consumer rights.
  2. Monitoring Compliance: The TDRA conducts audits and inspections to evaluate compliance with relevant regulations including data protection regulations and cybersecurity standards.
  3. Imposing Penalties: The TDRA has the authority to impose substantial monetary penalties on telecom operators and service providers for violations of data protection and cybersecurity regulations.

Standard Information Security Policy Guidelines by TDRA

The Standard Information Security Policy (SISP) establishes guidelines, standards, and procedures to protect the confidentiality, integrity, and availability of an organization’s information systems and network infrastructure, safeguarding them against unauthorized access, modification, or downtime. The SISP is approved by senior management and applies to employees, contractors, consultants, and third-party affiliates who interact with the organization’s information assets.

Key Security Principles for Telecom Companies

  • Access Control: Implement role-based access controls to enforce a "need-to-know" approach and reduce security risks.
  • Cybersecurity Policies: Enforce password management, encryption, antivirus protection, and patch management to secure networks and systems.
  • Incident Management & Compliance: Monitor logs, audit security events, and respond to incidents per ISO 27001 and UAE cybersecurity laws.
  • Business Continuity & Risk Management: Conduct risk assessments, backups, and continuity planning to mitigate cyber threats.
  • User Compliance: Employees and external users must adhere to SISP policies, with regular security training and compliance checks.

Consumer Protection Regulations (CPR)

The Consumer Protection Regulations (CPR), issued by the TDRA, establish the rights of telecom consumers in the UAE and the obligations of service providers. The CPR covers key areas such as service transparency, data privacy, billing practices, complaint resolution, and fair advertising.

Telecom providers must ensure clear and accurate service information, obtain subscriber consent before sharing personal data, and maintain billing transparency with proper records. The CPR grants consumers the right to secure services, fair contract terms, and effective dispute resolution. Secure services rely on cybersecurity measures and fraud prevention, safeguarding consumer data from breaches. Fair contract terms ensure transparency in data processing and consent, preventing misuse of personal information. Dispute resolution mechanisms provide recourse for privacy violations, reinforcing accountability in how consumer data is handled. Additionally, the CPR sets data retention requirements, mandating that providers store invoices, complaints, consent, and other records.

Internet Access Management (IAM) Regulatory Policy

The UAE Internet Access Management (IAM) Regulatory Policy, issued by the TDRA, regulates internet content to ensure compliance with national laws on security, morality, and public interest. It mandates licensed ISPs to block prohibited content, maintain monitoring mechanisms, and comply with TDRA classifications.

While focused on content regulation, the IAM policy intersects with personal data protection by requiring ISPs to:

  • Ensure user privacy when implementing content filtering.
  • Securely handle exemption requests in line with UAE PDPL.
  • Prevent unauthorized data collection through compliance monitoring.

III. Telecommunications Licensing and Private Sector Participation in the UAE

The UAE telecommunications sector operates under a government-regulated duopoly, where only du and Etisalat are licensed by the TDRA to provide public telecom services like mobile networks, internet access, and fixed-line communications. No new licenses are currently being issued for public telecom operators.

However, private companies can participate in the sector in specific areas with a TDRA license. These include:

  • Private telecom networks for corporate or internal use
  • Satellite communications and broadcasting
  • Technology solutions, cloud services, and cybersecurity
  • Telecom infrastructure and equipment supply

While foreign companies can establish wholly owned telecom-related businesses in UAE free zones, they cannot offer public telecom services within the country. Instead, they focus on B2B operations, technology solutions, or serving international markets.

The TDRA also regulates spectrum use, with frequencies allocated primarily to du and Etisalat. Private entities can apply for temporary spectrum authorizations or operate within designated frequency bands, but there is no spectrum trading or leasing system.

IV. Data Protection in the Telecommunications Sector & How Securiti Can Help

A. Privacy Principles

As per the PDPL, telecom operators and service providers are required to ensure that personal data is:

  • Collected and processed lawfully, fairly, and transparently.
  • Collected for specific, legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Accurate and kept up to date.
  • Retained only for as long as necessary for the purposes for which it was collected.
  • Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Securiti’s Data Privacy Automation helps telecom operators comply with evolving global privacy regulations, ensuring that personal data is processed in accordance with the PDPL.

B. Data Collection

The PDPL prohibits the processing of personal data without the owner’s consent, except in specific cases. These include situations where processing is necessary for public interest, legal claims, public health, employment, social security, contractual obligations, or scientific and historical research. Data may also be processed if it has been made publicly available by the data subject or if it is required to fulfill obligations under UAE law.

Consent, when required, must be clear, accessible, and revocable at any time. Telecommunications providers must ensure compliance with these requirements while handling customer data.

Securiti’s Consent Management Module automates consent tracking and management, ensuring that telecom operators comply with consent requirements under the PDPL.

Securiti’s Privacy Notice Module automates and customizes privacy notices for compliance with global data laws, ensuring transparency and real-time updates.

C. Data Processing & Retention

Operators must maintain detailed data processing records, including processing purposes, retention policies, access permissions, and cross-border data flows. These records must be available for regulatory inspection by the TDRA and the UAE Data Office.

Telecommunications providers in the UAE must retain consumer records in compliance with the TDRA CPR. Licensees are required to maintain records and provide copies to TDRA upon request, ensuring transparency and regulatory compliance. The minimum retention periods for key records are as follows:

  • Hard copy application forms – Retained for at least 3 years, then digitized indefinitely.
  • Electronic application forms – Retained indefinitely.
  • Voice, video, and screen recordings – Retained for at least 2 years.
  • Subscriber consent and agreements (e.g., credit limits, mobile data caps, two-factor authentication) – Retained for at least 5 years.
  • Subscriber invoices and billing data – Retained for at least 2 years.
  • Post-subscription confirmation messages – Retained for at least 2 years.
  • Notifications and warnings sent via SMS or other electronic means – Retained for at least 2 years.
  • Consumer complaints and disputes – Retained for at least 2 years.
  • Fixed broadband speed test records – Retained for at least 2 years.
  • Technician visit reports – Retained for at least 2 years.
  • All other records not specifically mentioned – Retained for at least 2 years.

Thus, telecom operators should implement the following measures for compliance:

  • Develop a thorough privacy policy that governs the entire data lifecycle.
  • Conduct regular IT assessments and audits.
  • Ensure that data is not retained longer than necessary:
    • Implement automated data deletion policies for expired records.
    • Use secure wiping techniques when disposing of storage devices.
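One way to turn the CPR retention schedule above into an automated check, as an added example that is neither the page's nor Securiti's code: it audits a constructed set of records against the minimum periods listed, flags records disposed of before their minimum period elapsed (and hard-copy forms destroyed without being digitized), and lists records that are now eligible for deletion. The record category names and sample records are assumptions made for the illustration.

```python
"""Minimum-retention audit against the TDRA CPR schedule summarised above.

Added illustration, not Securiti's or the TDRA's code. Record categories,
the sample records and their disposal dates are constructed for this example;
the retention periods are the minimums listed on the page.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum retention in years per record category (from the CPR summary above).
# None means "retained indefinitely" (never eligible for disposal).
MIN_RETENTION_YEARS = {
    "hard_copy_application_form": 3,      # then digitised and kept indefinitely
    "electronic_application_form": None,
    "recording": 2,                       # voice, video and screen recordings
    "subscriber_consent": 5,              # consents and agreements
    "invoice": 2,
    "post_subscription_confirmation": 2,
    "notification": 2,                    # SMS/electronic notices and warnings
    "complaint": 2,
    "speed_test": 2,
    "technician_visit_report": 2,
}
DEFAULT_MIN_RETENTION_YEARS = 2           # "all other records not specifically mentioned"


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    disposed: Optional[date] = None       # date the record was deleted/destroyed, if any
    digitised: bool = False               # only meaningful for hard-copy forms


def add_years(d: date, years: int) -> date:
    """Shift d by whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def earliest_disposal_date(rec: Record) -> Optional[date]:
    """Earliest date on which the record may be disposed of; None = keep indefinitely."""
    years = MIN_RETENTION_YEARS.get(rec.category, DEFAULT_MIN_RETENTION_YEARS)
    if years is None:
        return None
    return add_years(rec.created, years)


def audit(records, today: date) -> dict:
    """Classify records for a retention review.

    premature_disposal    - disposed before the minimum period elapsed (a CPR breach)
    missing_digital_copy  - hard-copy form destroyed after 3 years without being digitised
    eligible_for_disposal - minimum period elapsed and still held; deletion candidate
    must_retain           - still inside the minimum period, or indefinite retention
    """
    findings = {"premature_disposal": [], "missing_digital_copy": [],
                "eligible_for_disposal": [], "must_retain": []}
    for rec in records:
        earliest = earliest_disposal_date(rec)
        if rec.disposed is not None:
            if earliest is None or rec.disposed < earliest:
                findings["premature_disposal"].append(rec.record_id)
            elif rec.category == "hard_copy_application_form" and not rec.digitised:
                findings["missing_digital_copy"].append(rec.record_id)
            continue
        if earliest is not None and earliest <= today:
            findings["eligible_for_disposal"].append(rec.record_id)
        else:
            findings["must_retain"].append(rec.record_id)
    return findings


# Constructed sample records (not real subscriber data).
SAMPLE_RECORDS = [
    Record("INV-1", "invoice", date(2021, 3, 1), disposed=date(2022, 9, 1)),   # deleted too early
    Record("INV-2", "invoice", date(2022, 1, 15)),                              # 2 years elapsed
    Record("CON-1", "subscriber_consent", date(2023, 6, 1)),                    # 5-year minimum
    Record("APP-1", "hard_copy_application_form", date(2020, 1, 1),
           disposed=date(2024, 1, 1), digitised=False),                         # never digitised
    Record("APP-2", "electronic_application_form", date(2015, 1, 1),
           disposed=date(2024, 1, 1)),                                          # indefinite retention
    Record("MISC-1", "warranty_claim", date(2024, 5, 1)),                       # "all other records"
]


def run_sample_audit(today: date = date(2025, 1, 1)) -> dict:
    """Run the audit over the constructed sample as of the given review date."""
    return audit(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for kind, ids in run_sample_audit().items():
        print(f"{kind}: {ids}")
```

The periods are minimums, so the audit treats early disposal as the violation and only reports later records as candidates for the automated deletion policy, not as mandatory deletions.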

Securiti’s Risk Assessment Solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.

D. Data Sharing with Third Parties

Telecommunications providers in the UAE must ensure that Subscriber Information is only shared with third parties under strict conditions in compliance with the TDRA CPR.

Licensees must obtain explicit prior consent from subscribers before sharing their information with affiliates or third parties that are not directly involved in providing the telecom service. However, if data sharing is necessary for service delivery, the involved third parties must take appropriate security measures to protect the confidentiality of subscriber data and use it only for service-related purposes.

To enforce these protections, telecom providers must ensure that contracts with third parties include clear obligations for maintaining data privacy, security, and restricted use. This ensures that subscriber information remains protected throughout any data-sharing arrangements.

Securiti’s Vendor Risk Management Solution automates vendor risk assessments, tracks subcontractor engagements and data breaches, and provides automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.

Securiti’s Data Access Governance (DAG) Tool allows organizations to oversee and manage access to personal data across different jurisdictions.

E. Cross-Border Data Flows in the UAE Telecommunications Sector

Cross-border data transfers are a critical aspect of telecommunications, enabling seamless connectivity, data processing, and global service integration. Under the PDPL, data may be transferred outside the UAE if the recipient country has adequate data protection laws or if the UAE has a bilateral or multilateral agreement ensuring privacy safeguards (Article 22).

If no adequate protection level exists, data transfers are permitted under specific conditions (Article 23), such as contractual safeguards, explicit user consent, legal obligations, or public interest considerations. Telecommunications providers must ensure compliance with these requirements, particularly when handling customer data, interconnection agreements, and international data routing. Companies operating in jurisdictions with weaker data protections must implement contractual controls, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), aligning with UAE legal standards. Organizations should also apply encryption protocols for data transmitted across borders.

F. Data Subject Rights

As per the PDPL, telecom operators are obligated to grant customers several rights regarding the processing of their personal data, including the rights to:

  • Be informed about the collection and processing of their personal data.
  • Access their personal data.
  • Request corrections if their personal data is inaccurate, incomplete, or outdated.
  • Request the deletion of their personal data.
  • Obtain a copy of their personal data in a structured, commonly used, and machine-readable format.

The TDRA in the CPR grants UAE telecom consumers specific rights to ensure fair, transparent, and secure services.

  • Service Information & Contracts: Consumers have the right to receive clear pre-contract information, written contracts in Arabic or English, and details on pricing, terms, and conditions.
  • Privacy & Data Protection: Service providers must protect personal data and cannot share it with third parties without explicit consent.
  • Telephone Numbers: Consumers do not own their number but can request re-activation within one year if available.
  • Advertisements & Spam: Users can report misleading ads, block spam messages, and report fraudulent calls.
  • Service Security & Access: Telecom services must be safe, secure, and accessible without discrimination.
  • Complaints & Dispute Resolution: Consumers can file complaints for free, receive a tracking reference, and escalate unresolved disputes to TDRA.
  • Third-Party Services: Users must receive clear subscription details and a two-step confirmation process to avoid accidental sign-ups.

Securiti's Data Subject Request (DSR) Automation simplifies and streamlines the process of managing data subject requests, ensuring compliance while reducing manual effort and risk.

G. Data Breach Prevention and Incident Response

To comply with the SISP, telecom providers must implement proactive security measures to prevent data breaches and mitigate cybersecurity risks.

1. Implement Strong Security Controls

Telecom providers must adopt technical and organizational safeguards to protect personal data from unauthorized access, modification, or loss.

  • Deploy firewalls, intrusion detection systems (IDS), and endpoint protection to monitor and secure networks.
  • Enforce multi-factor authentication (MFA) and role-based access controls (RBAC) to restrict unauthorized data access.
  • Implement encryption for data in transit and at rest to ensure confidentiality.
  • Conduct regular vulnerability assessments and penetration testing to identify and fix security gaps.
  • Apply patch management policies to update systems and mitigate known vulnerabilities.

2. Establish a Security Incident Response Framework

Providers must have structured processes for identifying, containing, and mitigating security incidents.

  • Form an Incident Handling Team to oversee security incident management.
  • Develop and implement a Security Incident Response Plan (SIRP) outlining detection, containment, mitigation, and recovery procedures.
  • Maintain an incident log to track security breaches and analyze trends.
  • Ensure employees are trained on reporting security incidents and following security protocols.

3. Business Continuity and Data Recovery

Telecom providers must ensure service continuity in case of cyber incidents affecting operations.

  • Appoint a Business Continuity Manager to oversee response and recovery efforts.
  • Maintain regular backups of critical data and test disaster recovery plans periodically.
  • Implement failover systems to ensure uninterrupted service during cyberattacks.
  • Conduct emergency response drills to assess organizational preparedness.

4. Data Breach Notification and Reporting Obligations

Article 9 of the PDPL requires telecom providers to notify the authorities and affected individuals as soon as they become aware of a data breach that could compromise personal data.

4.1 Notification to UAE Authorities

The UAE Data Office must be notified immediately upon discovering a data breach affecting consumer privacy.

  • Submit a detailed report outlining:
    • Nature, cause, and scope of the breach.
    • Approximate number of affected records.
    • Potential impact on consumers.
    • Corrective actions taken.
  • Provide contact details of the Data Protection Officer (DPO) responsible for handling the breach.
  • Cooperate with regulatory investigations and provide requested documents.

4.2 Notification to Affected Consumers

If the breach affects users' privacy, confidentiality, or security, telecom providers must inform affected individuals.

  • Notify affected consumers without delay, providing:
    • Details of compromised data.
    • Recommended security actions (e.g., password reset, fraud monitoring).
    • Steps taken to contain the breach and prevent recurrence.
  • Offer customer support channels for inquiries about the breach.

4.3 Incident Documentation and Follow-Up

Providers must analyze breaches, ensure corrective actions, and maintain records for regulatory audits.

  • Maintain incident logs tracking all reported breaches and remediation actions.
  • Conduct post-incident reviews to assess weaknesses and improve security controls.
  • Audit security measures periodically to ensure ongoing compliance.

Securiti’s Data Security Posture Management Solution empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.

Securiti’s Breach Management Solution automates breach notifications and compliance actions, ensuring timely reporting of security incidents.

V. Data Governance Framework & How Securiti Can Help

As per the TDRA CPR and the SISP, telecom operators are required to establish a governance framework to manage IT and operational risks. To effectively address these risks, they must develop frameworks for:

  1. IT Governance: Incorporating information security into the overall governance structure by creating policies, clarifying responsibilities, assigning roles, and establishing procedures that integrate security into all business functions.
  2. Risk Identification and Assessment: Conducting regular audits and risk assessments to identify, analyze, and prioritize potential threats.
  3. IT Controls Implementation: Implementing an information security system and a clear framework for managing IT projects, integrating people, processes, and technology to protect confidentiality and integrity.
  4. Risk Measurement and Monitoring: Establishing key performance and risk indicators and having dedicated quality assurance and quality control procedures.

Securiti’s Data Governance Module automates data discovery, classification, and lifecycle management to ensure compliance and enable efficient data control across environments.

VI. Data Security Obligations for Telecom Providers in the UAE

The TDRA's regulations, together with the PDPL, the IAM Policy, and the Standard Information Security Policy (SISP), set clear data governance and security obligations for telecom providers. These instruments require technical, organizational, and procedural measures to protect personal data, secure networks, and ensure compliance with cybersecurity laws.

Below are the key obligations and actionable steps telecom providers can take to meet compliance requirements:

Technical & Security Safeguards (PDPL Article 7)

  • Enforce multi-factor authentication (MFA) and strong password policies.
  • Apply end-to-end encryption and pseudonymization to protect data.
  • Implement network monitoring and intrusion prevention systems.

Securing Networks & Infrastructure (SISP Guidelines)

  • Regularly update systems with patch management policies.
  • Deploy firewalls, antivirus, and endpoint protection.
  • Restrict USB access and enforce VPN-secured remote access.

Data Access & Governance (PDPL & SISP)

  • Use role-based access controls (RBAC) and maintain audit logs.
  • Ensure secure disposal of personal data and conduct regular compliance audits.

Employee Training & Compliance Audits (SISP & PDPL)

  • Conduct security awareness campaigns and quarterly compliance audits.
  • Require employees to sign security agreements before accessing systems.

Securiti’s Data Security Solution prevents unauthorized access to sensitive data with monitoring, threat detection, and compliance controls across cloud and on-premises environments.

VII. Conclusion

UAE telecom providers must adopt a structured data governance framework to meet PDPL, IAM, SISP, and CPR requirements. By implementing strong security controls, ensuring cross-border compliance, and maintaining proactive cybersecurity measures, telecom companies can safeguard personal data, protect their networks, and ensure compliance with UAE regulations. Telecom providers can use Securiti’s automation tools and software to ensure compliance.
