Saudi PDPL First Anniversary: Progress, Gaps & Next Steps
Why This Alert Is Important
The first anniversary of the Personal Data Protection Law (PDPL) in Saudi Arabia marks a critical moment of reflection on how the law is being operationalized. For organizations that process Saudi personal data—even those outside the kingdom—this anniversary serves as a checkpoint: Are compliance, governance and risk mitigation mechanisms keeping pace with evolving regulatory expectations?
Overview of the Enforcement Action
Saudi Arabia’s Personal Data Protection Law (PDPL) became fully enforceable on 14 September 2024, marking a major milestone in the Kingdom’s data governance landscape. Over the past year, the Saudi Data and Artificial Intelligence Authority (SDAIA) has issued key guidance on topics such as cross-border transfers, privacy notices, consent, and the appointment of data protection officers. To further clarify compliance obligations, SDAIA proposed amendments to the Implementing Regulations, including changes to terminology, expanded DPO responsibilities, stricter recordkeeping, and clearer consent standards.
Notably, the proposed rules require privacy notices to be written in simple, accessible language and mandate retention of processing records for five years. Organizations would also need to respond to regulatory requests within 10 business days. Although no public fines have been issued to date, enforcement activity is underway through complaint review and administrative actions. Meanwhile, foundational elements of the compliance ecosystem—including licensing and audit frameworks—remain in development. As the PDPL continues to evolve, organizations processing Saudi personal data should closely monitor regulatory updates and strengthen internal governance to meet emerging expectations.
Key Implications or Developments
- Regulatory uncertainty remains: Many elements of the PDPL’s enforcement architecture (licensing, accreditation, extraterritorial supervision) are still under development. Entities must monitor further rulemaking and public consultations.
- Elevated accountability for controllers: The proposed amendments reinforce obligations around transparency, recordkeeping, response times, and governance. This pushes organizations to mature privacy practices quickly.
- Early enforcement signals—no fines yet, but readiness is tested: The active review of complaints and internal administrative actions demonstrates that SDAIA intends to move from formalism to substance over time. Organizations should expect increased scrutiny even before fines are introduced.
- Cross-border reach and global applicability: The PDPL applies to organizations outside Saudi Arabia processing Saudi personal data. Entities in multinational operations must assess whether Saudi data flows or processing trigger obligations.
- Programmatic and operational impact: Organizations must update privacy notices, consent frameworks, recordkeeping, DPO roles, and internal response procedures (e.g. for regulator requests or complaints) to align with evolving expectations.
Saudi Arabia’s Personal Data Protection Law (PDPL) has completed a challenging first year. During this period the Saudi Data & AI Authority (SDAIA) amended the Implementing Regulations, issued amended Cross-border Data Transfer Regulations, and issued guidance on DPOs, the appointment of Controllers, BCC, SCC and many other topics, signaling strong regulatory intent. While oversight of sensitive sectors such as finance has strengthened, challenges remain: uncertainty around “material breach”, the interpretation of “legitimate interest”, and the absence of an adequacy list for cross-border transfers leave businesses in doubt. Smaller entities also face resource barriers to compliance. Going forward, the key next steps include issuing clearer guidance on these grey areas, publishing the adequacy list, and demonstrating active enforcement. Equally important are targeted awareness and training programs that support organizations in building robust compliance cultures while ensuring individuals’ data protection.
Data Privacy Tip
The PDPL’s first anniversary is a timely opportunity for organizations to reassess and reinforce their privacy programs. Conducting a comprehensive health check—covering data inventories, consent mechanisms, cross-border transfers, and recordkeeping obligations—can help mitigate risk and strengthen compliance posture.
For a step-by-step overview of how Exterro helps streamline PDPL compliance, visit: Exterro for PDPL Compliance