SDAIA and Saudi Personal Data Protection Law (PDPL): What Saudi Organizations Must Know in 2026

Data privacy in Saudi Arabia is no longer a future obligation. It is a fully enforced legal reality. The Kingdom’s Personal Data Protection Law (PDPL), enacted by Royal Decree No. M/19 in September 2021 and amended in March 2023, came into full force on 14 September 2023. The compliance grace period expired on 14 September 2024. As of that date, every organization processing personal data of individuals in Saudi Arabia, public or private, domestic or international, is legally required to comply.

The regulator is active. In 2025 and 2026, SDAIA’s enforcement committees issued 48 decisions confirming PDPL violations, covering core compliance failures including collecting or processing personal data without a valid legal basis, unauthorized disclosure of personal data, failure to implement technical and organizational safeguards, and sending marketing communications without consent. The enforcement phase is not theoretical. It is operational.

For Saudi organizations and international businesses serving Saudi residents, PDPL compliance demands immediate, structured attention. This guide explains what SDAIA does, what the PDPL requires, how it applies across priority sectors, and how organizations can build a durable compliance program supported by expert business consulting. For organizations managing PDPL alongside other Saudi regulatory obligations, see Top Regulatory Compliance Challenges in 2026.

SDAIA: Saudi Arabia’s Data Regulator

Mandate and authority

The Saudi Data and Artificial Intelligence Authority (SDAIA) is the competent authority responsible for supervising and enforcing the PDPL. Established as part of Saudi Arabia’s broader digital transformation agenda under Vision 2030, SDAIA’s mandate extends beyond data protection to encompass national data governance, AI strategy, and data sovereignty.

SDAIA provides support and advice to enhance entity compliance with the law, enables individuals to file complaints against PDPL violators, preserves the privacy of individuals, contributes to the protection of data as a national asset, enhances national data sovereignty, and builds a national register of controllers. SDAIA also operates the National Data Governance Platform, the central digital infrastructure through which organizations register as data controllers, submit compliance assessments, and interact with the regulator on PDPL obligations.

SDAIA has designated SAMA with the responsibility of achieving PDPL compliance by the entities it licenses, an approach that has resulted in effective compliance programs within the financial sector and may be replicated for other regulated industries.

SDAIA is a regulator with investigative powers, penalty authority, and an actively growing enforcement track record. 48 enforcement decisions were issued in 2025 to 2026 alone. The time for assessing whether PDPL applies has passed. The time for demonstrating compliance is now.

PDPL Core Requirements: Seven Obligations Every Organization Must Implement

1. Lawful basis for processing

Every act of collecting, using, storing, or sharing personal data must rest on a defined lawful basis. Organizations must obtain clear and explicit consent before collecting or processing personal data, unless another lawful basis applies. Consent must be documented and easily withdrawn by individuals, and businesses must only collect data necessary for a defined and legitimate purpose. The PDPL recognizes several lawful bases beyond consent, including contractual necessity, legal obligation, vital interests, and legitimate interest, but each must be documented and demonstrable to SDAIA on request.

2. Data subject rights

The PDPL grants individuals a comprehensive set of rights over their personal data: the right to access, the right to correction, the right to deletion, the right to object to processing, and the right to data portability. Organizations must build the internal processes and technical infrastructure to receive, assess, and respond to these requests within defined regulatory timeframes. Failure to honor data subject rights is one of the most commonly cited enforcement findings in SDAIA’s 2025 to 2026 review cycle. SGC’s Business Process Management and Improvement practice designs the request workflows and documented processes that make this capability operationally reliable.

3. Data breach notification, 72 hours

Organizations must notify SDAIA within 72 hours of becoming aware of a personal data breach that poses risks to data subjects. This obligation demands a documented incident response process, defined breach classification criteria, a tested notification workflow, and clear internal ownership for breach response. Organizations that discover breaches and fail to notify SDAIA within the required window face compounding penalties. SGC’s Cybersecurity and Business Continuity practice builds the incident detection, response, and breach notification capabilities this obligation demands. See also Building Cyber Resilience Beyond Firewalls and Software for the security governance foundation this requires.

4. Cross-border data transfers

SDAIA’s Regulation on Personal Data Transfer Outside the Kingdom, issued September 2024, sets out conditions for cross-border transfers. SDAIA has not yet published an ‘adequate countries’ list, meaning all cross-border transfers require Standard Contractual Clauses or Binding Corporate Rules approved by SDAIA. Organizations must map all personal data flows that cross Saudi borders, conduct risk assessments for high-risk transfers, and maintain transfer documentation on the National Data Governance Platform.

5. Data Protection Officer (DPO) appointment

The PDPL requires specific categories of organizations to appoint a Data Protection Officer: public entities, those processing sensitive data at scale, those conducting cross-border transfers, and those processing children’s or vulnerable individuals’ data. Organizations that qualify must document the DPO appointment, define the role’s authority and reporting line, and register the DPO through the National Data Governance Platform. SDAIA provides an assessment tool to guide organizations in determining whether DPO appointment is mandatory.

6. Controller registration

All data controllers must register on SDAIA’s National Data Governance Platform. In particular, controllers that are public entities, process sensitive data, conduct cross-border transfers, or handle data of children or vulnerable individuals must register. Registration provides SDAIA with the baseline information needed to monitor compliance and contact organizations when enforcement actions are initiated.

7. Technical and organizational safeguards

The PDPL requires organizations to implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or misuse. This encompasses encryption, access controls, data minimization practices, retention and deletion schedules, vendor management requirements for processors, and documented policies that can be evidenced to SDAIA during an audit. These requirements connect directly to the technical controls expected under the National Cybersecurity Authority (NCA)’s cybersecurity framework, making PDPL compliance and cybersecurity compliance closely interrelated obligations best addressed together under an integrated GRC framework.

SDAIA’s Data Classification Framework: Four Tiers

Understanding the classification model

SDAIA’s national data governance framework establishes a four-tier data classification model that organizations must apply to all data assets to determine the appropriate protection controls.

Tier 1 (Public Data) covers information intentionally made available for public access with no restriction. Minimal protection controls are required.

Tier 2 (Internal Data) covers information intended for use within the organization but not classified as confidential. Standard access controls apply.

Tier 3 (Confidential Data) covers information whose unauthorized disclosure would cause significant harm. This tier covers the majority of personal data categories subject to PDPL protections, including customer records, employee data, financial information, and commercial agreements.

Tier 4 (Restricted or Sensitive Data) requires the highest protection level and includes health data, genetic data, biometric data, financial details, religious beliefs, political opinions, and criminal records.

Processing Tier 4 data requires explicit consent or a specific statutory basis, enhanced security controls, DPO oversight where applicable, and for cross-border transfers, SDAIA authorization and mandatory risk assessments. Applying this classification framework across an organization’s data inventory is the practical starting point for building a PDPL compliance program.

Applying SDAIA’s four-tier data classification framework to your entire data inventory is not optional; it is the foundational step that determines which assets require the most rigorous protections and structures every subsequent compliance decision.

Cloud and AI Compliance Under SDAIA

Cloud obligations

For cloud environments, the critical obligations are data residency assessment, processor agreement requirements, and cross-border transfer controls. Organizations must map any personal data flows outside Saudi Arabia and determine which transfers require SCCs or other approved measures. Cloud service agreements must include PDPL-compliant data processing terms, and organizations remain accountable for their cloud provider’s handling of personal data even when processing is fully outsourced.

AI systems and generative AI

SDAIA has issued guidelines regarding the adoption and use of generative AI systems, covering challenges associated with their use, principles for responsible use, and recommended practices. Organizations deploying AI systems that process personal data for customer profiling, employee assessment, fraud detection, or marketing personalization must assess their AI applications against PDPL principles of purpose limitation, data minimization, and transparency. Automated decision-making that produces significant effects on individuals requires specific disclosure and, in many cases, a human oversight mechanism.

SGC Management Consulting’s ICT Consulting and Digital Transformation practice helps organizations navigate cloud and AI compliance obligations, ensuring that technology architectures are designed with PDPL requirements built in from the outset. For the broader technology governance context, see ICT Consulting in Bahrain: How Technology Governance Supports Business Strategy.

The PDPL Implementation Roadmap: Six Phases

Phase 1, Data inventory and mapping (Weeks 1 to 6)

Conduct a comprehensive inventory of all personal data the organization collects, processes, stores, and transfers. Map data flows across systems, departments, and third-party relationships. Classify all data assets against SDAIA’s four-tier classification framework. This phase produces the foundational evidence base for all subsequent compliance decisions.

Phase 2, Gap assessment and risk analysis (Weeks 5 to 10)

Assess the organization’s current practices against PDPL’s core requirements: lawful basis documentation, data subject rights mechanisms, breach notification procedures, cross-border transfer controls, DPO obligation assessment, controller registration status, and technical safeguards. Prioritize gaps by regulatory risk and operational impact.

Phase 3, Policy and process design (Weeks 8 to 16)

Design and implement the internal policies, procedures, and technical controls required to close identified gaps. This includes privacy notices, consent management mechanisms, data subject rights request workflows, breach notification protocols, data retention and deletion schedules, vendor data processing agreements, and staff training programs. SGC’s Business Process Management and Improvement practice designs these workflows to be operationally reliable and demonstrable to SDAIA.

Phase 4, Controller registration and DPO appointment (Weeks 10 to 14)

Complete registration on SDAIA’s National Data Governance Platform. Determine DPO obligation status using SDAIA’s assessment tool. Appoint and register a DPO if required. Document the DPO’s authority, reporting line, and contact details.

Phase 5, Testing, training, and governance setup (Weeks 14 to 20)

Test data subject rights request workflows. Conduct breach notification simulation exercises. Deliver staff training across all functions handling personal data. Establish the governance structure (ownership, review cycles, monitoring mechanisms, and escalation paths) that sustains compliance as the organization and the regulatory environment evolve.

Phase 6, Ongoing compliance monitoring

PDPL compliance is not a one-time project. SDAIA continues to issue regulatory updates, guidelines, and enforcement decisions that require organizations to update their programs. A continuous monitoring capability, including regulatory horizon scanning, annual program reviews, and periodic data mapping refreshes, is the infrastructure that keeps compliance defensible over time.

How SGC Management Consulting Supports SDAIA and PDPL Compliance

Sky Gate Consulting W.L.L., established in 2013 and operating as SGC Management Consulting, supports organizations across Saudi Arabia and the GCC in building the PDPL compliance programs that satisfy SDAIA’s requirements and protect organizational, reputational, and commercial interests.

SGC’s Governance, Risk and Compliance (GRC) practice provides the integrated framework architecture that PDPL compliance requires, connecting data protection obligations to the organization’s broader risk management, internal control, and governance structures. For organizations managing PDPL alongside NCA cybersecurity requirements, AML frameworks, and sector-specific regulations, an integrated GRC approach prevents the fragmented compliance management that creates gaps. See GRC: A Strategic Guide for Modern Organizations for the foundational framework.

SGC’s ICT Consulting and Digital Transformation practice addresses the technology dimensions of PDPL compliance: cloud architecture review, data flow mapping across digital systems, AI governance framework design, and technical safeguard implementation. SGC’s Cybersecurity and Business Continuity practice addresses the intersection of PDPL security obligations and NCA cybersecurity requirements, building the incident detection, response, and breach notification capabilities that PDPL’s 72-hour notification obligation demands. SGC’s Business Process Management and Improvement expertise supports the process design dimension: building data subject rights request workflows, consent management processes, vendor assessment procedures, and data retention workflows that must function consistently and be demonstrable to SDAIA during an audit.

To discuss your organization’s PDPL compliance posture, contact SGC Management Consulting.

Conclusion

Saudi Arabia’s PDPL is fully enforced, actively investigated, and carrying penalties of up to SAR 5 million per breach. Fines can double for repeat offenses, and violations involving sensitive personal data can lead to criminal charges and up to two years’ imprisonment for egregious disclosures.

The question for Saudi organizations in 2026 is not whether PDPL compliance matters; it is whether your current compliance posture is defensible under SDAIA scrutiny. Building that defensibility requires the combination of data mapping, policy design, technical safeguards, governance infrastructure, and continuous monitoring that a well-structured compliance program delivers.

Organizations that invest in this work now, supported by consulting partners with genuine expertise in SDAIA’s requirements and the GCC regulatory environment, are building the data governance foundation that protects operational continuity and earns stakeholder trust. Learn more about how SGC Management Consulting supports SDAIA and PDPL compliance across Saudi Arabia and the GCC.

Frequently Asked Questions

What is the Saudi Personal Data Protection Law (PDPL) and who does it apply to?

The PDPL is Saudi Arabia’s comprehensive data privacy legislation, enacted by Royal Decree No. M/19 in 2021 and fully enforced since 14 September 2024. It applies to all public and private sector organizations that process personal data of individuals residing in Saudi Arabia, regardless of where the organization is headquartered. Its extraterritorial scope means that international companies processing Saudi residents’ data from outside the Kingdom are also subject to its requirements. SDAIA serves as the competent authority responsible for supervising and enforcing the PDPL, with active enforcement already underway.

What are the penalties for non-compliance with Saudi PDPL?

Non-compliance with the PDPL carries significant legal and financial consequences. Fines reach up to SAR 5 million per breach, approximately USD 1.3 million, with repeat offenses capable of doubling the applicable fine. Intentional or repeated violations involving sensitive personal data can result in criminal proceedings and imprisonment of up to two years. Beyond direct penalties, SDAIA has authority to suspend processing activities, which can create significant operational disruption for organizations whose core services depend on data processing. In 2025 to 2026, SDAIA’s enforcement committees already issued 48 violation decisions; the enforcement phase is fully operational.

Does every organization in Saudi Arabia need to appoint a Data Protection Officer (DPO)?

DPO appointment is mandatory for public entities, organizations that process sensitive personal data at scale, those conducting cross-border data transfers, and organizations processing data of children or vulnerable individuals. The obligation applies more broadly than many organizations assume. SDAIA provides an assessment tool on the National Data Governance Platform to help organizations determine their DPO obligation status. Organizations that determine a DPO is required must document the appointment, define the role’s independence and reporting line, and register the DPO with SDAIA.

How do cross-border data transfers work under Saudi PDPL?

Cross-border transfers of personal data outside Saudi Arabia require either transfer to a country that SDAIA determines provides adequate data protection, or explicit SDAIA authorization supported by approved transfer mechanisms. Currently SDAIA has not published an adequacy country list, meaning all cross-border transfers require Standard Contractual Clauses or Binding Corporate Rules approved by SDAIA. Organizations must map all international data flows, conduct risk assessments for transfers involving sensitive data, implement the appropriate transfer mechanism, and maintain transfer documentation on the National Data Governance Platform.

What is the difference between PDPL and GDPR, and should organizations manage both?

The PDPL shares foundational principles with the EU’s GDPR (lawful processing bases, data subject rights, breach notification, and data transfer controls) but operates through a distinct Saudi regulatory framework with its own enforcement mechanisms, transfer requirements, and penalty structure. Key differences include SDAIA authorization requirements for cross-border transfers rather than adequacy decisions, and specific Saudi-law provisions around sensitive data. Organizations operating in both Saudi Arabia and the EU must build compliance programs that address both frameworks’ requirements. GDPR compliance does not automatically satisfy PDPL, and vice versa.

How does PDPL compliance connect to cybersecurity requirements in Saudi Arabia?

PDPL and the National Cybersecurity Authority (NCA) frameworks are closely interconnected. PDPL’s Article 22 requires technical and organizational safeguards to protect personal data, and the specific security controls expected align substantially with NCA’s Essential Cybersecurity Controls. The 72-hour breach notification obligation under PDPL requires an incident detection and response capability that is most effectively built as part of a broader cybersecurity governance program. Organizations in regulated sectors managing both PDPL and NCA compliance achieve better outcomes and lower total compliance costs by designing these programs together under an integrated GRC framework. See Building Cyber Resilience Beyond Firewalls and Software for practical guidance.

What are the first steps an organization should take to achieve PDPL compliance?

The most important first step is a comprehensive data inventory and mapping exercise, identifying what personal data the organization collects, where it is stored, how it is used, who it is shared with, and whether it crosses Saudi borders. This mapping exercise produces the foundational evidence base for all subsequent compliance decisions: lawful basis determinations, consent mechanism design, DPO obligation assessment, cross-border transfer documentation, and technical safeguard requirements. Organizations that attempt to build PDPL policies and controls without completing this data mapping first consistently find that their compliance programs address visible requirements while missing the systemic gaps that create the most significant regulatory exposure. SGC Management Consulting can support this process. Contact us to discuss your organization’s PDPL readiness.