TL;DR
- Oman's PDPL became fully enforceable on 5 February 2026 — organisations must be compliant now
- Jordan's PDPL has been active since March 2025; Kuwait's PDPL since February 2025
- Organisations across the GCC now face 5+ overlapping, enforceable data protection frameworks
- Unlike the EU's single GDPR, there is no unified Middle East standard — each jurisdiction has distinct requirements
- Manual compliance across 5+ frameworks is structurally unworkable; purpose-built Governance, Risk, and Compliance (GRC) platforms are the only scalable answer
- If you operate in two or more GCC jurisdictions, conduct a multi-framework gap assessment before Q3 2026
The pace of regulatory change across the GCC has been faster than most compliance teams anticipated. Saudi Arabia's PDPL, the UAE's Federal Decree-Law No. 45 on Personal Data Protection, and Qatar's Personal Data Privacy Protection Law (PDPPL) established the initial framework over the past three years. But in the twelve months to March 2026, three additional jurisdictions — Kuwait, Jordan, and Oman — moved from grace periods or early enforcement into active, fully operative data protection regimes.
The result: an organisation operating across the GCC now faces six distinct, enforceable national data protection laws simultaneously. Each has its own definitions, controller obligations, data subject rights timelines, cross-border transfer rules, and enforcement mechanisms.
(Source: GCC 2026 Compliance Roadmap, LinkedIn Pulse / Markevich, 2026)
This is qualitatively different from operating under the EU's General Data Protection Regulation (GDPR), where a single framework governs 27 member states. There is no GCC equivalent. Every country legislates separately, audits separately, and enforces separately.
Oman's PDPL, issued under Royal Decree No. 6/2022, establishes a comprehensive data protection regime modelled in part on international standards but with distinct local requirements. Organisations processing personal data relating to Omani residents must now:
- Entities that process personal data at scale, or process sensitive categories of data, are required to designate a Data Protection Officer (DPO). This obligation applies regardless of whether the organisation is headquartered in Oman.
- Oman's PDPL requires that personal data is processed only with explicit consent or under another recognised lawful basis. Consent must be freely given, specific, informed, and unambiguous — and must be documented.
- Data subjects have the right to access their data, correct inaccuracies, request deletion, and object to processing. Organisations must have workflows in place to receive and respond to these requests within defined timeframes.
- Personal data may only be transferred outside Oman to jurisdictions that provide an adequate level of protection, or under approved contractual mechanisms. This creates an additional compliance layer for organisations using cloud infrastructure or offshore processing.
- Organisations must implement appropriate security measures to protect personal data — and must be able to demonstrate those measures to the Information Technology Authority (ITA), Oman's supervisory body.
The challenge for multi-national organisations is not any single law — it is the absence of harmonisation across the GCC. Each jurisdiction has taken a different approach to:
For a compliance team managing obligations across, say, UAE, KSA, Oman, and Kuwait simultaneously, this means four separate gap assessments, four separate policy frameworks, four separate audit trails — and four separate regulator relationships.
Legacy GRC approaches — spreadsheets, point-in-time audits, siloed policy documents — are not designed for this level of ongoing, multi-jurisdiction complexity. The compliance burden compounds every time a new framework becomes enforceable.
6clicks is purpose-built for exactly this kind of multi-framework compliance environment. Rather than treating each regulation as a separate project, 6clicks allows organisations to map their controls, policies, and evidence once — and then see where those controls satisfy requirements across multiple frameworks simultaneously.
For organisations navigating GCC data protection obligations, this means:
The goal is not to automate compliance away — it is to make the work of staying compliant across multiple jurisdictions structurally manageable, so that your team can focus on decisions rather than administration.
Yes. Oman's PDPL has extra-territorial reach: it applies to any organisation that processes personal data relating to individuals in Oman, regardless of where the organisation is based. If you have customers, employees, or partners in Oman whose data you process, you are in scope.
Both laws establish obligations around consent, data subject rights, cross-border transfers, and security safeguards — but they differ in their definitions, timelines, and enforcement structures. Oman's supervisory authority is the Information Technology Authority (ITA); the UAE's is the UAE Data Office. Organisations must satisfy both independently; there is no mutual recognition mechanism between them.
Ask your GRC vendor whether it supports control mapping across GCC data protection frameworks simultaneously — not just one at a time. If your current platform requires a separate project or manual spreadsheet for each jurisdiction, it is not built for multi-framework compliance. Purpose-built platforms like 6clicks are designed to handle overlapping frameworks as a native capability.
Start with a gap assessment: map your current data flows, consent mechanisms, data subject rights processes, and cross-border transfer arrangements against Oman's PDPL requirements. Identify the gaps, prioritise by risk, and work through remediation in order. If you are also operating in UAE, KSA, or Kuwait, run the gap assessment across all applicable frameworks at the same time — the effort is far more efficient than sequential assessments.
No. Unlike the EU, where GDPR applies across all member states, the GCC has no unified data protection framework. Each country legislates, enforces, and audits independently. Regional harmonisation is a long-term aspiration, not a current reality. Organisations must comply with each applicable national law separately.
If you operate in one or more GCC jurisdictions and have not yet conducted a multi-framework data protection gap assessment, that is the right starting point. 6clicks can run that assessment across Oman, UAE, KSA, Kuwait, and Jordan simultaneously — so you get a consolidated view of your compliance posture across the GCC, not just a snapshot of one country.
Book a demo to see how 6clicks supports multi-framework GRC in the Middle East, or speak with one of our GRC specialists about your specific cross-border obligations.