One Year On: What’s firmly in force?
PDPL applies extra-territorially and even safeguards privacy post-mortem. The law formally took effect on 14 Sept. 2023, with a transition period that ran to 14 Sept. 2024—the point at which it became fully enforceable. Saudi authorities also framed the journey since the 2021 announcement as a staged “grace” window for organizations to get ready.
To support readiness, the Saudi Data & AI Authority (SDAIA) published a bundle of guidance in the run-up to enforcement: rules for appointing a data protection officer, a Regulation on Personal Data Transfer Outside the Kingdom, binding rules for transfers, privacy-notice guidance, and a destruction/anonymization guide. Together these provide the operational spine for PDPL programs.
Cross-border transfers and breach playbooks
Cross-border data movement now rests on a dedicated Transfer Regulation, which sets out safeguards and controller obligations for exporting personal data. If you rely on global SaaS or multi-region cloud, your contracts and risk assessments need to match this regime.
On incident response, SDAIA released a Personal Data Breach Incidents Procedural Guide that clarifies notification and handling expectations—useful not only for crisis response but for tabletop exercises and regulator-ready documentation.
What changed (or is changing): the draft amendment package
Within months of enforcement, Saudi authorities tabled proposed amendments to the PDPL Implementing Regulations for public consultation. Several points stand out for product and marketing teams:
- Terminology cleanup: removal of the Implementing Regulations’ standalone definitions of “direct marketing” and “personal data breach,” aligning the text more tightly with the primary law.
- Marketing = consent-first: explicit confirmation that promotional messages require prior, freely given, documented consent, with simple opt-out and clear sender identity.
- Privacy notices upgraded: notices must use clear, simple language and account for minors or individuals with limited legal capacity.
- DPO role expanded: organizations document the appointment; provide DPO contact details via the authority’s platform; and empower the DPO to oversee assessments, manage complaints, liaise with the authority, and monitor compliance.
- Record-keeping hardens: maintain detailed records during processing and for five years after, covering purposes, categories, retention, security, and recipients—especially for cross-border flows.
- National Register triggers: registration duties expand (e.g., public entities; processing sensitive data; cross-border transfers; processing data of vulnerable groups).
- Faster regulator response: controllers must respond to PDPL inquiries from the competent authority within 10 business days.
- Access to redress widened: deletion of the 90-day complaint filing cap, allowing data subjects to raise complaints without that prior cut-off.
Enforcement architecture: committees are active
SDAIA has confirmed that specialized Committees for Reviewing Violations are active and have already reviewed complaints under the PDPL and its Regulations—an essential step in moving from “paper law” to operational oversight. The Rules of Procedure for these committees have also been published.
Separately, Saudi Arabia’s Oversight and Anti-Corruption Authority (Nazaha) has publicized disciplinary actions involving unlawful disclosure of customer data. While not a PDPL fine per se, these actions signal a wider governance posture: misuse of personal data is now a compliance, integrity, and enforcement topic.
How PDPL compares to GDPR’s “year one”
For context, the EU’s GDPR saw its first fine within months of going live and a high-profile sanction against Google by month eight. Saudi’s approach so far emphasizes progressive ramp-up: guidance, committee activation, and targeted oversight, with financial penalties expected as the regime beds down. Organizations should treat the present window as an opportunity to close gaps before sanctions become routine.
What global companies should do now
- Map Saudi data flows (systems, vendors, transfers) and align contracts to the Transfer Regulation’s safeguards.
- Re-paper marketing & telemetry so that any promotional outreach into the Kingdom is consent-first and fully documented, with simple, symmetric opt-out. Without this, you can face serious fines, as Honda did when using the OneTrust consent banner with the wrong configuration and setup.
- Stand up a PDPL-aware breach program using SDAIA’s procedural guide; run at least one tabletop that tests regulator notification and individual communications.
- Empower the DPO with a clear mandate, direct reporting, and visibility across assessments, complaints, and cross-border reviews.
- Build a five-year ROPA archive (records of processing) and verify that sensitive-data and minors’ processing have extra controls.
- Operationalize the 10-business-day response to SDAIA inquiries—treat it like an SLA, with a prepared evidence pack.
Practical FAQs we’re hearing
Do we need new transfer assessments? If you export Saudi personal data, yes. The Transfer Regulation expects “appropriate safeguards” and documented risk treatment—think: updated SCC-style clauses (KSA-specific), processor due diligence, and technical controls matching data sensitivity.
Is marketing to Saudi residents now opt-in only? Promotional messaging requires explicit, withdrawable consent with easy preference controls and clear sender ID. Audit your CRM, SDKs, and cookie banners for PDPL alignment.
Have there been big fines yet? Not publicly disclosed as of this writing, but complaint handling is live. Expect a transition from guidance to sanctions as the committees’ caseload matures.
Captain Compliance: fast-track your PDPL readiness
- Data Classification & ROPA: auto-tag Saudi resident data and produce regulator-ready records (with five-year retention) tied to purposes, recipients, and transfer posture.
- Vendor & Transfer Oversight: centralize processor assessments, KSA transfer safeguards, and approval workflows aligned to the Transfer Regulation.
- Consent-First Marketing: enforce opt-in, proof-of-consent, and one-click opt-out across CRM, SDKs, and email/SMS platforms.
- Breach Playbooks: codify PDPL-specific notification triggers and produce SDAIA-ready incident reports.
- DPO Workspace: route PIAs, complaints, and authority inquiries to your DPO with the 10-business-day response SLA baked in.
PDPL Saudi Arabia Compliance Software Help
Year one of PDPL enforcement has shifted Saudi privacy from planning to practice. Guidance is out, committees are working, and amendments are tuning the regime toward clearer consent, stronger accountability, and faster regulator engagement. If you process Saudi data, treat this as your deadline to operationalize—before “encouragement” becomes enforcement.