Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Saudi Arabia's Personal Data Protection Law, regarded as one of the most comprehensive privacy legislations, became fully enforceable 14 Sept. 2024, three years after its initial announcement.

The PDPL applies to all entities — whether based inside or outside the kingdom — that process the personal data of Saudi citizens or residents and also extends to individuals who collect the personal data of others. Uniquely, the law safeguards privacy not only during a person's lifetime but also after their death. To ease the transition, a two-year grace period for compliance was initially granted and later extended to three years.

Preparatory guidelines for effective enforcement

While the PDPL itself had been announced, much of the accompanying guidance from the data protection authority, the Saudi Data and Artificial Intelligence Authority, was only released in the months leading up to the law's effective date. Even within this compressed timeframe, the guidance played a critical role in equipping organizations with the clarity needed to effectively navigate and implement the new regulatory framework.

The SDAIA's guidance materials included: rules for appointing a personal data protection officer; a regulation on personal data transfers outside the kingdom; guidelines for binding common rules for personal data transfers; guidelines for developing privacy notices; and guidelines to assist entities in determining when personal data should be destroyed or anonymized.

Staged implementation and ongoing regulatory development

The PDPL officially took effect one year ago, but the full implementation of its provisions remains in various stages of activation. Article 33, for example, stipulates that the competent authority shall set the requirements for: practicing commercial, professional, or non-profit activities related to personal data protection; licensing entities that issue accreditation certificates and those that conduct audits of data processing; and monitoring compliance of controllers and processors outside the kingdom.

Although some of these requirements have been published for public consultation, they have not yet been finalized or officially announced; full regulatory guidance is also forthcoming.

The staged implementation highlights the complexity of establishing a comprehensive data protection framework that balances regulatory oversight, industry development and international compliance obligations. By separating licensing, accreditation, auditing and cross-border compliance functions, the law creates a multi-layered enforcement architecture designed to ensure accountability across all levels of data processing.

However, until the competent authority finalizes and publicly issues these requirements, organizations and data handlers remain in a state of regulatory uncertainty. Clarity on these provisions and effective enforcement will be critical to achieving the law's objectives of safeguarding personal data while fostering trust in the digital ecosystem.

Clarifying obligations and closing gaps

Every law undergoes a lifecycle of amendments and improvements to address evolving challenges and circumstances. The PDPL is no exception. Just a few months after coming into effect, the second most important component of the law — the Implementing Regulations of the Personal Data Protection Law — was published for public consultation on proposed amendments.

One of the first adjustments concerns terminology. The definitions of "direct marketing" and "personal data breach" have been removed, while a new term, "competent authority's platform," has been added to describe the official digital system through which organizations will register and submit regulatory information.

Privacy notices also come under sharper focus. Under the draft amendments, notices must be written in clear and simple language to ensure they are easily understood. Special care must be taken when the data subject has limited or no legal capacity, such as minors or vulnerable individuals.

The amendments also resolve two long-standing gaps concerning advertising and marketing. First, while the law itself never referred to direct marketing, the implementing regulation introduced the term, creating an inconsistency. The new amendments remove this reference entirely, bringing the language back into alignment with the law.

Second, the earlier draft contained confusion around when consent was required. This ambiguity has now been eliminated, and the rule is straightforward: Companies must obtain explicit consent before sending any promotional messages.

Consent must be freely given, transparent and easy to withdraw at any time. Individuals should also have practical options to manage their marketing preferences; every communication must clearly disclose the sender's identity.

The role of the data protection officer is also being expanded. DPOs will be responsible for overseeing impact assessments, monitoring compliance, handling complaints and reporting directly to the regulator. Organizations will also be required to provide their DPO's contact details through the competent authority's platform.

Record keeping will become more rigorous. Organizations must maintain detailed records of their data processing activities during the processing period and for five years after. Records must be made available to the regulator upon request and must include key details such as the purposes of processing, data categories, retention timelines, security protocols, and details of data recipients — particularly those involved in cross-border transfers.

The amendments also expand registration requirements. Controllers must register in the National Register if they are public entities, process sensitive data, transfer personal data outside Saudi Arabia, or process the data of vulnerable individuals such as minors.

Finally, the amendments introduce procedural refinements. Under the new rules, controllers must respond to requests from the competent authority within 10 business days of receipt, reinforcing both efficiency and regulatory accountability. Additionally, the previous 90-day time limit for individuals to file complaints has been removed, allowing data subjects to raise complaints at any time.

Taken together, these changes reflect a clear policy direction: strengthening accountability, enhancing individual rights and ensuring organizations adopt transparent and responsible data practices.

For businesses, this will require updating privacy notices, revisiting consent and marketing mechanisms, formalizing DPO responsibilities, and preparing for closer regulatory oversight.

Enforcement measures and early compliance signals

While no official penalties have been announced to date, the SDAIA has confirmed that the Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law and its Implementing Regulations are active and have received and reviewed several complaints concerning violations of the law.

In parallel, the Oversight and Anti-Corruption Authority reported an employee's suspension for accepting illicit payments in exchange for unlawfully disclosing customers' personal data, including contact information and complaint records.

Comparatively, the first EU General Data Protection Regulation fine was issued by Austria's Data Protection Authority just four months after the regulation came into effect. The 4,800-euro fine was imposed on an entrepreneur who installed a CCTV camera that recorded a large part of the sidewalk, violating transparency obligations and large-scale monitoring rules. Although the name of the company was not disclosed, this decision marked a significant step in GDPR compliance enforcement.

Approximately eight months after it took effect, the first publicly disclosed GDPR fine was imposed on Google by France's data protection authority, the Commission nationale de l'informatique et des libertés, in the amount of 50 million euros.

Saudi Arabia's initial enforcement measures, while not yet involving financial penalties, demonstrate a strong commitment to the law's implementation; they reflect a recognition that both the regulatory framework and the market are still maturing and that applying the principle of progressive penalties is a prudent approach.

Conclusion

The PDPL's first year demonstrated significant progress in establishing a robust data protection framework in Saudi Arabia. While the law is fully in effect, its staged implementation, the ongoing refinement of the implementing regulations, and the recent clarifications on marketing, consent, recordkeeping and DPO responsibilities show a clear commitment to balancing regulatory oversight with operational clarity for organizations.

Early enforcement actions, even without financial penalties, signal that compliance is being taken seriously, and the principle of progressive penalties will guide future enforcement. Looking ahead, the continued publication of guidance, finalization of regulatory requirements, and proactive engagement by both regulators and organizations will be essential in fostering a culture of accountability, trust and resilience in the kingdom's data ecosystem.

The PDPL is not only a regulatory milestone but a strategic foundation for the kingdom's digital transformation and alignment with international data protection standards.

Abdulaziz Almanea is a data management consultant.