What Is the Saudi PDPL?

Saudi Arabia's Personal Data Protection Law (PDPL) — issued under Royal Decree M/19 in 2021 and enforced from September 2023 — is the Kingdom's comprehensive legislative framework for protecting the personal data of individuals. It governs how organisations collect, process, store, share, and dispose of personal data, establishing clear rights for data subjects and binding obligations for every entity that handles personal information.

The PDPL applies to any organisation — whether headquartered in Saudi Arabia or abroad — that processes the personal data of Saudi residents. It is administered and enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), with the National Data Management Office (NDMO) responsible for operational implementation. The law is structurally aligned with global frameworks including the EU's GDPR, while incorporating provisions specific to Saudi legal and cultural context.


Who must comply? Any entity — Saudi or international — that collects, stores, processes, or transfers the personal data of individuals located in Saudi Arabia. This includes businesses, government bodies, healthcare providers, financial institutions, e-commerce platforms, and all digital service providers serving the Saudi market.

The 8 Core Principles of PDPL

Every data processing activity within your organisation must conform to these eight foundational principles. Violation of any principle — even unintentionally — can constitute a breach of the PDPL and trigger regulatory action by SDAIA.

Lawfulness & Fairness
Data must be processed on a lawful basis — consent, contractual necessity, legal obligation, vital interests, or legitimate interest.
Purpose Limitation
Data may only be collected for specified, explicit, and legitimate purposes and cannot be further processed in an incompatible manner.
Data Minimisation
Only data that is adequate, relevant, and limited to what is necessary for the stated purpose may be collected or processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or corrected without delay.
Storage Limitation
Data must not be kept longer than necessary for its stated purpose. Retention schedules must be defined, documented, and enforced.
Security & Integrity
Appropriate technical and organisational measures must be in place to protect data against unauthorised access, loss, destruction, or alteration.
Transparency
Data subjects must be informed about how their data is collected, used, and shared through clear, accessible privacy notices.
Accountability
Organisations are responsible for demonstrating compliance with all PDPL principles and must maintain comprehensive documentation as evidence.

7 Rights of Data Subjects

The PDPL grants individuals whose data is being processed a comprehensive set of enforceable rights. Organisations must have documented procedures to respond to rights requests — with defined response timelines and escalation paths.

Right to Access
Request a copy of all personal data held about them, along with how it is being processed.
Right to Correction
Require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to Erasure
Request deletion of personal data where it is no longer necessary or the consent basis has been withdrawn.
Right to Object
Object to processing based on legitimate interests or for direct marketing — processing must stop unless compelling grounds exist.
Right to Data Portability
Receive personal data in a structured, machine-readable format and transmit it to another controller.
Right to Restrict Processing
Restrict processing in specific circumstances — such as when accuracy is contested — until the issue is resolved.
Right to Withdraw Consent
Withdraw previously given consent at any time, without affecting the lawfulness of prior processing.

What Organisations Must Do

The PDPL imposes a series of concrete, operational obligations on every entity that processes personal data. These are not aspirational guidelines — they are legally enforceable requirements backed by significant financial and other penalties.

01. Obtain Valid Consent
Consent must be freely given, specific, informed, and unambiguous — obtained before data collection begins. Pre-ticked boxes and bundled consent are not valid. Records of consent must be maintained and producible on demand.
02. Publish a PDPL-Compliant Privacy Notice
A clear, plain-language privacy notice must be published at the point of data collection, disclosing: what data is collected, the legal basis, retention period, third-party sharing, cross-border transfers, and how data subjects can exercise their rights.
03. Implement Technical & Organisational Security Measures
Appropriate security controls must protect personal data — including encryption, access controls, pseudonymisation, and regular testing. The level of protection must be proportionate to the sensitivity and volume of data processed.
04. Report Data Breaches Within 72 Hours
Any personal data breach must be reported to SDAIA within 72 hours of discovery. If the breach likely causes high risk to individuals, affected data subjects must also be notified directly and promptly.
05. Appoint a Data Protection Officer (DPO)
Organisations processing sensitive or large-scale data must appoint a qualified DPO to oversee PDPL compliance — with sufficient authority, resources, and independence.
06. Restrict Cross-Border Data Transfers
Personal data may only be transferred outside Saudi Arabia if the receiving country provides adequate protection, adequate safeguards are in place, or a specific exception applies. SDAIA approval may be required.

How to Achieve PDPL Compliance

PDPL compliance is an ongoing programme of data governance, technical controls, and cultural change. The following roadmap is CyberOps' proven approach, refined through dozens of successful PDPL compliance engagements across Saudi Arabia.

8-Step PDPL Compliance Roadmap
01. Data Discovery & Inventory Mapping (Week 1–4)
You cannot protect what you cannot see. Map every type of personal data your organisation collects, where it is stored, who has access, how it flows, and the legal basis for each processing activity. This produces your Record of Processing Activities (RoPA) — a core PDPL compliance document.
02. Gap Assessment Against PDPL Requirements (Week 3–6)
Measure your current practices against every PDPL obligation — consent mechanisms, privacy notices, security controls, breach response, data subject rights processes, DPO appointment, and cross-border safeguards. Every gap is documented, risk-rated, and prioritised for remediation.
03. Consent Framework & Privacy Notice Redesign (Week 5–9)
Redesign all consent mechanisms to meet the PDPL's 'freely given, specific, informed, unambiguous' standard. Draft or update your privacy notice to include all mandatory PDPL disclosures in both Arabic and English, in accessible language.
04. Technical Security Controls Implementation (Month 2–5)
Implement technical controls for the PDPL's security obligation — encryption at rest and in transit, access controls, pseudonymisation, SIEM monitoring, patch management, and regular security testing. Enhanced controls are required for sensitive personal data (health, financial, biometric).
05. Data Subject Rights Response Process (Month 3–5)
Establish a documented, tested process for receiving and responding to data subject rights requests — with defined timelines, identity verification procedures, and escalation paths for complex or refused requests.
06. Breach Response Plan & 72-Hour Notification Process (Month 4–6)
Develop and test a breach response plan that enables detection, containment, assessment, and SDAIA notification within 72 hours — including breach triggers, severity assessment, escalation chains, notification templates, and data subject notification procedures.
07. Staff Training & Awareness Programme (Ongoing)
Every staff member handling personal data must receive PDPL training covering: what constitutes personal data, legal basis requirements, handling rights requests, breach recognition and reporting, and the consequences of non-compliance.
08. Ongoing Compliance Monitoring & Annual Review (Continuous)
Establish continuous monitoring: quarterly privacy impact assessments for new processing activities, annual RoPA reviews, regular audits of consent records and third-party processor agreements, and clear governance accountability. SDAIA may audit your compliance at any time.

PDPL vs Other Privacy Frameworks

Organisations already compliant with GDPR or other privacy frameworks will find significant overlap with PDPL. However, important differences exist — particularly around cross-border transfers, sensitive data categories, and enforcement authority.

Feature | PDPL (Saudi) | GDPR (EU)
Legal basis for processing | 6 lawful bases | 6 lawful bases
Data breach notification | 72 hours to SDAIA | 72 hours to DPA
DPO requirement | Certain entities | Certain entities
Cross-border transfers | SDAIA approval required | Adequacy / SCCs
Right to erasure | Included | Included
Max administrative fine | SAR 5M (doubled for repeats) | €20M or 4% turnover
Enforcement authority | SDAIA / NDMO | National DPAs

CyberOps PDPL Compliance Service

CyberOps provides end-to-end PDPL compliance services for organisations processing the personal data of Saudi residents. Our GRC team combines deep legal understanding of the PDPL with the technical security expertise to implement required controls — delivering compliance programmes that work in practice.

Our full PDPL service covers every phase: data discovery, RoPA development, gap assessment, consent framework design, privacy notice drafting, DPO advisory, security controls implementation, rights process design, breach response planning, staff training, and ongoing monitoring.

Start Your PDPL Compliance Journey Today

Get a free PDPL readiness assessment from our GRC specialists. We'll identify your key gaps and give you a clear roadmap — within 48 hours.
