On 14 September 2023, Saudi Arabia’s Personal Data Protection Law (PDPL), enacted by Royal Decree No. M/19 and amended by Royal Decree No. M/148, officially came into force. A grace period of one Hijri year was granted to organizations to achieve compliance, set to conclude around 2 September 2024. After this date, the Saudi Data and Artificial Intelligence Authority (SDAIA), serving as the Competent Authority, will commence enforcement actions against non-compliant entities.
Key Compliance Requirements Under the PDPL
Organizations processing personal data within Saudi Arabia, or handling data of Saudi residents from abroad, must adhere to several obligations:
- Fair Processing Notification: Inform data subjects about the legal basis for data collection, its purpose, the controller’s identity, data recipients (including cross-border transfers), and potential consequences of not providing data.
- Privacy Policy: Develop and present a privacy policy detailing the purpose of data collection, types of data collected, processing methods, data retention and destruction practices, and data subjects’ rights.
- Data Security Measures: Implement appropriate organizational, administrative, and technical safeguards to protect personal data, including during international transfers.
- Data Privacy Impact Assessments: Conduct evaluations of processing activities to identify and mitigate potential risks to data subjects.
- Data Breach Notification: Report any data breaches to the Competent Authority promptly upon discovery.
- Data Protection Officer (DPO): Appoint a DPO responsible for ensuring compliance with the PDPL.
- Data Destruction: Erase personal data once its collection purpose is fulfilled, unless anonymization is applied as per regulatory standards.
- Record of Processing Activities: Maintain detailed records of data processing activities, including purposes, data recipients, cross-border transfers, and retention periods, available for review by the Competent Authority.
- Employee Training: Conduct training sessions to educate employees about PDPL principles and compliance requirements.
- Cross-Border Data Transfers: Ensure that international data transfers meet the conditions outlined in the PDPL and its Data Transfer Regulations.
Enforcement and Penalties
Non-compliance with the PDPL can result in significant penalties:
- Specific Violations: Unauthorized disclosure of sensitive personal data with intent to harm can lead to imprisonment of up to two years and/or fines up to SAR 3 million (approximately USD 790,000).
- General Violations: Other breaches may incur warnings or fines up to SAR 5 million (approximately USD 1.3 million), with potential doubling for repeat offenses.
Additional sanctions may include criminal charges, confiscation of profits obtained through violations, and public disclosure of enforcement actions.
Conclusion
With the grace period’s end approaching, organizations must prioritize compliance with the PDPL to avoid penalties and ensure the protection of personal data. Proactive measures, including policy updates, staff training, and system audits, are essential to meet the regulatory requirements set forth by Saudi authorities.