Pillar guide

PDPL Saudi Arabia: A Practical Guide for Compliance Teams

A practitioner's guide to the Saudi Personal Data Protection Law — scope, lawful basis, data subject rights, breach notification, transfers and penalties.

GRC Vantage Team · 2026-04-08 · 10 min read

The Personal Data Protection Law (PDPL) is Saudi Arabia's first comprehensive privacy law, and for many organisations operating in the Kingdom it is the most significant compliance change of the last five years. Issued by Royal Decree M/19 in September 2021 and supplemented by Implementing Regulations, PDPL came into force on 14 September 2023 with a one-year grace period, meaning full enforcement applied from 14 September 2024. Since then, the Saudi Data and AI Authority (SDAIA) has been actively supervising compliance.

PDPL is sometimes described as "GDPR for Saudi Arabia". That comparison is useful at a high level — PDPL borrows several concepts from GDPR — but it is also misleading. PDPL has Saudi-specific definitions, enforcement mechanisms and cross-border transfer expectations that differ in important ways. Treating PDPL as if it were a copy of GDPR is a fast route to non-compliance.

This guide walks through what PDPL actually requires, who is in scope, and how to build a programme that holds up under SDAIA supervision. It is intended for DPOs, privacy leads, compliance officers and CISOs in Saudi banks, insurers, healthcare providers, telecoms, retailers, government bodies and any organisation that processes personal data of individuals in the Kingdom.

What PDPL is — and what it isn't

PDPL is the legal framework governing the processing of personal data in Saudi Arabia. It defines:

  • What counts as personal data and what counts as sensitive personal data
  • Who counts as a controller and who counts as a processor
  • The lawful bases under which personal data may be processed
  • The rights individuals (data subjects) have over their personal data
  • The obligations on controllers and processors, including security, accuracy, retention and accountability
  • The conditions under which personal data may be transferred outside Saudi Arabia
  • The supervisory powers of SDAIA and the penalties for non-compliance

PDPL is enforced by SDAIA, with the National Data Management Office (NDMO) playing a parallel role on data governance for government entities. Sector regulators — SAMA for finance, the Communications, Space and Technology Commission for telecoms, the Ministry of Health for healthcare — also retain supervisory powers in their respective sectors.

What PDPL is not: a one-time checklist, a job that lives entirely with the legal team, or a problem that can be solved by buying a privacy tool. It is an ongoing governance discipline that requires legal, compliance, security, IT, HR, marketing and operations to work together against a shared evidence base.

Who is in scope?

PDPL applies broadly. The law covers any organisation — public or private, established inside or outside Saudi Arabia — that processes personal data relating to individuals in the Kingdom. There is no employee count or revenue threshold. In practice, the in-scope population includes:

  • Saudi government entities, including ministries, authorities and municipalities
  • Saudi banks, insurers, finance companies, payment providers and exchanges
  • Healthcare providers, including hospitals, clinics and laboratories
  • Telecoms operators and digital service providers
  • Retailers, e-commerce platforms and consumer brands
  • Education providers
  • Logistics, transport and travel companies
  • Technology platforms with users in Saudi Arabia, regardless of where the platform is hosted
  • Any B2B service provider that processes personal data on behalf of Saudi customers

Extraterritorial reach is one of the most important features of PDPL. An organisation outside Saudi Arabia that processes personal data of individuals located in the Kingdom is in scope of PDPL, even if it has no Saudi office. This is similar to GDPR's extraterritorial reach but is rooted in the Saudi legal framework, not the European one.

The core obligations

PDPL's core obligations cluster around several themes that any privacy practitioner will recognise — but the Saudi-specific framing matters.

Lawful basis for processing. Personal data must be processed on a legitimate basis, with consent being one of the principal bases. PDPL is more restrictive than GDPR on the use of legitimate interests as a standalone basis, and it places significant weight on explicit consent for non-essential processing. Organisations should have a documented lawful basis for every processing activity.

Consent. Where consent is the basis, it must be informed, freely given and demonstrable. Consent for processing of sensitive personal data has higher requirements. Consent can be withdrawn, and the organisation must respect that withdrawal without undue delay.

Data subject rights. PDPL grants individuals the right to be informed about processing, to access their personal data, to request correction or destruction of inaccurate data, to withdraw consent, and to object to certain processing. Organisations must have a documented process to receive and respond to data subject requests within the timelines set by the Implementing Regulations.

Records of processing activities (RoPA). Controllers and processors must maintain records describing the personal data they process, the purposes, the recipients, the retention periods and the security measures applied. The RoPA is the foundational document that everything else in the programme depends on — and it is one of the first things SDAIA will ask to see in a supervisory engagement.

Data protection impact assessments (DPIA). Where processing is likely to result in high risk to data subjects — large-scale processing of sensitive data, automated decision-making with significant effects, processing of vulnerable populations — a DPIA is required before processing begins. The DPIA documents the risks and the controls put in place to mitigate them.

Security of processing. Controllers and processors must implement appropriate technical and organisational measures to protect personal data, proportionate to the risks and the nature of the data. In practice, this is where PDPL meets the NCA Data Cybersecurity Controls (DCC): the cybersecurity controls that operationalise the privacy obligation.

Breach notification. Personal data breaches must be reported to SDAIA without undue delay, and affected data subjects may also need to be notified. The Implementing Regulations set out the specific timelines and content requirements for breach notifications. The 72-hour notification window familiar from GDPR is a useful working assumption, but the legal text and SDAIA guidance should be the authoritative source for any individual incident.

Data Protection Officer (DPO). Many organisations are required to appoint a DPO, particularly where their core activities involve large-scale processing of personal data or processing of sensitive data. The DPO must have sufficient independence and expertise, and must be able to engage directly with senior management.

Cross-border transfers. PDPL restricts the transfer of personal data outside Saudi Arabia. Transfers are permitted where the destination jurisdiction provides an adequate level of protection, where appropriate contractual or technical safeguards are in place, or where one of the specific exceptions in the Implementing Regulations applies. Transfers of sensitive personal data are more restricted. The practical effect is that organisations operating cloud workloads, SaaS platforms or shared services outside the Kingdom need to assess each transfer carefully.

Accountability. Controllers must be able to demonstrate compliance with PDPL — not just claim it. This is the "accountability principle" familiar from GDPR, and it is what turns PDPL from a paper exercise into a programme that requires genuine evidence.

Sensitive personal data

PDPL defines a category of sensitive personal data that attracts higher protections. This typically includes data revealing racial or ethnic origin, religious or political beliefs, criminal records, biometric data, genetic data, health data and data about minors. Processing of sensitive personal data requires a higher standard of consent and more stringent security controls, and unauthorised disclosure of sensitive personal data can attract criminal penalties on top of the administrative ones.

For sectors like healthcare, where sensitive data is the bulk of what is processed, PDPL has particular bite. A connected programme treats the sensitive data inventory as a first-class artefact and applies layered controls — access, encryption, monitoring, retention, purpose limitation — wherever sensitive data is stored or transmitted.

Penalties and enforcement

PDPL gives SDAIA significant supervisory powers, including the power to investigate, request information, audit data controllers and processors, and apply penalties. Administrative fines can reach up to SAR 5 million per violation, and the fine can be doubled for repeat offences. Unauthorised disclosure of sensitive personal data can attract criminal penalties, including imprisonment.

Beyond the formal penalties, the reputational impact in the Saudi market is significant — and SDAIA has the discretion to publish enforcement actions. For consumer-facing brands, the trust impact of a published enforcement action is often more painful than the fine itself.

How PDPL interacts with the rest of the Saudi GRC landscape

PDPL does not exist in isolation. It sits alongside several other Saudi frameworks that any practitioner needs to manage in parallel.

NCA frameworks. The NCA family — particularly the Data Cybersecurity Controls (DCC) and the Cloud Cybersecurity Controls (CCC) — provides the cybersecurity controls that operationalise PDPL. A control implemented to satisfy DCC frequently satisfies a PDPL security obligation as well. The smart pattern is to maintain one control library tagged for both PDPL and DCC, so a single update flows to both regulator-facing views. For the full picture of the NCA family, see our NCA frameworks complete guide.

SAMA frameworks. For financial institutions, PDPL sits alongside the SAMA framework family — CSF, BCM, IT Governance, CTI, Counter-Fraud and Outsourcing. SAMA's expectations on customer data protection, third-party assurance and incident management overlap meaningfully with PDPL. For the SAMA picture, see our SAMA frameworks complete guide.

ISO 27001 and ISO 27701. ISO 27001 is the international information security standard; ISO 27701 extends it for privacy. Many Saudi organisations operate an ISO 27001 ISMS as their cybersecurity baseline and are now layering ISO 27701 — or PDPL controls — on top to formalise their privacy programme. Mapping these to PDPL closes most of the security gap and accelerates the privacy programme significantly.

NDMO data management standards. For government entities, the NDMO data management and personal data protection standards add specific public-sector expectations that complement PDPL.

Building a defensible PDPL programme

Three habits separate the privacy programmes that hold up under SDAIA supervision from those that don't.

Habit one: a current Record of Processing Activities. Your RoPA is the source of truth. If it is out of date, every other document in the programme is questionable. Treat it as a living artefact, not a one-off compilation, and assign clear ownership for each entry. Tie the RoPA to the data classification scheme so that sensitive data is visible at a glance.

Habit two: an operationalised data subject request workflow. When a data subject sends a request, the clock starts. Organisations that handle requests through ad-hoc email threads always struggle to meet the deadlines and to evidence what they did. A documented workflow with named owners, defined SLAs and an audit trail of every step is the minimum any inspector will expect.

Habit three: integrated breach response. When a personal data breach happens, the privacy team needs to know within hours, not days. That requires the security incident response process and the privacy notification process to be the same process — different stakeholders, same workflow. Decoupled processes always miss the notification window.

GRC Vantage's compliance module supports all three habits — a connected RoPA, data subject request workflows, breach notification timers, DPIA templates, consent management and a PDPL control library mapped to the Implementing Regulations and to NCA DCC. It is used by Saudi organisations to run PDPL alongside their cybersecurity programmes from a single source of truth.


A 90-day PDPL readiness plan

For teams starting late or rebuilding a programme that has stalled, here is a 90-day plan focused on the essentials.

Days 0–30: Discovery. Conduct a personal data discovery exercise across the organisation. Build the first version of the RoPA. Identify the lawful basis for each processing activity. Identify sensitive data and where it lives. Inventory cross-border transfers and the basis for each one. Identify whether a DPO is required and who it will be.

Days 31–60: Build. Implement the data subject request workflow. Draft and approve the privacy notice and any required customer-facing consents. Stand up the breach notification process and connect it to the security incident response runbook. Implement the foundational DCC-aligned security controls — encryption, access control, monitoring, retention. Run a DPIA on the highest-risk processing activities.

Days 61–90: Operate. Train the organisation on PDPL fundamentals. Run a tabletop simulation of a personal data breach including SDAIA notification. Present the first PDPL board report. Publish the privacy notice. Set the cadence for ongoing RoPA refresh, DPIA review, training and reporting.

90 days is enough to move a programme from "non-existent" to "defensible". Reaching full maturity takes longer, particularly for organisations with large legacy data estates — but the cadence you set in those first 90 days determines how quickly you can get there.

Where to go next

This pillar is part of our deeper series on the Saudi GRC framework landscape. To go deeper:

If you would like to see a connected PDPL + DCC programme running on real data, book a demo of GRC Vantage and we will walk you through how Saudi organisations use the platform to manage privacy and cybersecurity from one workspace, supported by Saudi-based teams in Riyadh and Dammam.

Frequently asked questions

What is the Saudi PDPL?

The Personal Data Protection Law (PDPL) is Saudi Arabia's first comprehensive data privacy law. It was issued by Royal Decree M/19 in September 2021, supplemented by Implementing Regulations, and is enforced by the Saudi Data and AI Authority (SDAIA). It governs the processing of personal data inside Saudi Arabia and certain processing outside the Kingdom that relates to Saudi data subjects.

Who has to comply with PDPL?

PDPL applies to any organisation — public or private, located inside or outside Saudi Arabia — that processes personal data relating to individuals in Saudi Arabia. There is no employee-count or revenue threshold. Saudi banks, insurers, healthcare providers, telecoms, retailers, government bodies, technology platforms and most B2C and B2B businesses are in scope.

When did PDPL become enforceable?

PDPL came into force on 14 September 2023 with a one-year grace period for compliance. Full enforcement applied from 14 September 2024. Since then SDAIA has been actively supervising compliance and has the power to investigate, request information and apply penalties.

What are the penalties for PDPL non-compliance?

Administrative penalties can reach up to SAR 5 million per violation, and can be doubled for repeat offences. Unauthorised disclosure of sensitive personal data can attract criminal penalties including imprisonment and additional fines. Beyond the legal penalties, the reputational impact in the Saudi market is significant — and SDAIA has the power to publish enforcement actions.

Does PDPL allow personal data to leave Saudi Arabia?

Cross-border transfer of personal data is permitted under defined conditions — a recognised level of protection in the destination jurisdiction, an explicit legal basis, contractual safeguards, or specific exceptions. Transfers of sensitive personal data are more restricted. The default expectation is that personal data of Saudi data subjects remains inside the Kingdom unless one of the recognised conditions is met.

How does PDPL interact with NCA's data cybersecurity controls?

PDPL is the privacy law — it sets the legal expectations for handling personal data. The NCA Data Cybersecurity Controls (DCC) are the cybersecurity controls that operationalise data protection. Mature programmes treat them together: one data classification scheme, one set of controls, two regulator-facing views. A control implemented for DCC frequently satisfies a PDPL obligation as well, and vice versa.

How does GRC Vantage support PDPL compliance?

GRC Vantage ships a PDPL control library mapped to the Implementing Regulations, and supports records of processing activities, data subject request workflows, breach notification timelines, DPIA templates and consent management. It is built and supported in Riyadh and Dammam, with deployment options inside KSA for data residency, and is used by Saudi organisations to run PDPL alongside SAMA, NCA and ISO programmes from one workspace.