GRC360

GRC360/Payments & Privacy

PDPL Compliance Consultancy in Saudi Arabia

The Kingdom's Personal Data Protection Law, implemented end to end — from records of processing to breach response, to SDAIA's standard.

Last reviewed: July 2026 · Reviewed by the GRC360 QSA-led consulting team·Official source: SDAIA — National Data Governance Platform (PDPL) ↗

What is the Saudi PDPL?

The Personal Data Protection Law (PDPL) is the Kingdom’s first comprehensive privacy law — issued by Royal Decree M/19 in September 2021, amended in March 2023, and in force with SDAIA (the Saudi Data & AI Authority) as its supervisory authority. Together with its Implementing Regulations and Data Transfer Regulations, it defines how personal data belonging to individuals in Saudi Arabia must be collected, used, disclosed, stored, and transferred.

If your organization holds customer records, employee files, CCTV footage, marketing databases, or app analytics tied to identifiable people in the Kingdom, the PDPL applies to you — whether you are a bank in Riyadh, a retailer in Jeddah, or a cloud service provider abroad processing Saudi residents’ data.

Who Must Comply?

  • Controllers — any entity that determines the purpose and manner of processing personal data.
  • Processors — vendors and service providers processing data on a controller’s behalf, who must be bound by compliant agreements.
  • Foreign organizations — the law applies extraterritorially to anyone processing the personal data of Saudi residents.
  • Public and private sector alike — government entities, enterprises, SMEs, and startups.

Core PDPL Obligations

Processing requires consent unless another legal basis applies — such as actual interest, legitimate interest (for non-sensitive data), legal obligation, or vital interest. Knowing which basis carries each processing activity is the foundation of defensible compliance.

Transparency and privacy notices

Data subjects must be informed — before collection — of the purpose, basis, categories, recipients, and their rights, in clear language.

Records of Processing Activities (RoPA)

Controllers must maintain a structured register of what data they process, why, where it flows, how long it is kept, and how it is protected — the document SDAIA will ask for first.

Data subject rights

Individuals have rights to be informed, to access and obtain copies of their data, to request correction, and to request destruction. You need working procedures and deadlines, not just policy statements.

Security and breach notification

Personal data must be protected with appropriate organizational and technical controls, and personal data breaches must be notified to SDAIA within 72 hours — with affected individuals informed where the breach may cause them harm.

Cross-border transfers

Transfers outside the Kingdom are permitted only under defined conditions — adequacy, appropriate safeguards such as standard contractual clauses or binding common rules, and transfer risk assessments where required.

Data Protection Officer

Certain controllers — including those whose core activities involve systematic, large-scale processing — must appoint a DPO. (Our journal has a two-part practical guide on exactly this.)

Our PDPL Compliance Methodology

  1. Applicability & gap assessment — we map your processing landscape against every PDPL and Implementing Regulation requirement.
  2. Data inventory & RoPA — build the register of processing activities that anchors the whole program.
  3. Lawful basis mapping — assign and document the correct basis for each activity, including consent capture where needed.
  4. Policy & notice suite — privacy notices, retention schedules, data subject rights procedures, and processor agreements.
  5. Security alignment — proportionate technical controls, aligned with your existing NCA ECC, SAMA, or ISO 27001 obligations so you never build the same control twice.
  6. Breach readiness — a 72-hour-capable incident response playbook, tested with your team.
  7. Cross-border transfer compliance — transfer mapping, safeguards, and risk assessments.
  8. DPO support — appointment assessment, role definition, and ongoing advisory — or a managed DPO function delivered by our consultants.

Why Act Now

  • Enforcement is live — SDAIA actively supervises compliance, and violations can attract fines up to SAR 5 million per violation, doubled for repeat offences, with criminal penalties possible for unlawful disclosure of sensitive data.
  • Contracts demand it — Saudi enterprises increasingly require PDPL warranties from every vendor; non-compliance now costs deals, not just fines.
  • It compounds — a solid PDPL program strengthens SAMA, NCA, and ISO obligations that share the same controls.
  • Trust is the product — in a market this relationship-driven, demonstrable privacy discipline is a commercial advantage.

Why Choose GRC360

  • Saudi regulatory depth — we work inside the Kingdom’s framework ecosystem daily: SAMA, NCA, CST, and PDPL, and we understand how they interlock.
  • Practitioners, not template vendors — our PDPL journal series on DPO appointment is read by practitioners across the Kingdom; the same consultants deliver your program.
  • Audit-grade evidence — as a PCI SSC Qualified Security Assessor, we build programs designed to survive independent scrutiny.
  • End-to-end — from the first data inventory workshop to standing with you through an SDAIA inquiry.

Frequently asked

Questions we hear about PDPL — Personal Data Protection

What is the Saudi PDPL?+

The Personal Data Protection Law (PDPL) is Saudi Arabia's first comprehensive data protection law, issued by Royal Decree in 2021 and amended in 2023. It governs how organizations collect, process, store, and transfer the personal data of individuals in the Kingdom, and it is supervised by the Saudi Data & AI Authority (SDAIA).

Who must comply with the PDPL?+

Any organization — inside or outside Saudi Arabia — that processes personal data of individuals residing in the Kingdom. This covers controllers who decide why and how data is processed, and processors who handle data on their behalf.

What are the main PDPL obligations?+

Establishing a lawful basis for processing, issuing privacy notices, maintaining a Record of Processing Activities (RoPA), honouring data subject rights, implementing security controls, notifying SDAIA of breaches within 72 hours, governing cross-border transfers, and in certain cases appointing a Data Protection Officer.

What are the penalties for PDPL non-compliance?+

Violations can attract warnings and fines up to SAR 5 million per violation, with courts able to double fines for repeat offences. Unlawful disclosure of sensitive personal data can additionally carry criminal penalties including imprisonment.

Does my organization need a Data Protection Officer?+

A DPO is required in specific cases set by the regulations — including public entities and organizations whose core activities involve large-scale or systematic processing of personal data. Our assessment tells you definitively whether the threshold applies, and we can support or act as your DPO function.

Can personal data be transferred outside Saudi Arabia?+

Yes, but only under the conditions in the PDPL and its Data Transfer Regulations — such as transfers to jurisdictions with adequate protection, or with appropriate safeguards like standard contractual clauses and binding common rules, alongside a transfer risk assessment where required.

SDAIA · PDPL

Every record. Every consent. Every transfer. Accounted for.

Ready for PDPL — Personal Data Protection? Get an audit-grade plan this week.

Request a proposal →