A step-by-step practical guide to PDPL compliance for Saudi organizations — policies, templates, and implementation timeline.
This content is for educational and compliance awareness purposes only. It does not constitute legal advice. Consult a licensed attorney for legal counsel.
PDPL is not just another regulation added to the compliance list — it redefines the relationship between Saudi organizations and the personal data they process. By the end of this guide, you will have a practical 12-step implementation roadmap covering data inventory, policy building, data subject rights activation, and breach management — designed specifically for the Saudi institutional context, not an Arabized copy of European GDPR guides. Organizations that delay compliance face not only fines up to 5 million SAR — but loss of client and partner trust in a market rapidly moving toward digital transparency.
PDPL Scope — Who Is Subject to the Law: PDPL applies to every entity that processes personal data within Saudi Arabia, regardless of size or sector. But the scope is broader than many realize: foreign companies that process Saudi residents' data — even without physical presence in the Kingdom — are also subject. A Dubai-based e-commerce platform selling to Saudi customers and collecting their addresses and payment data is obligated to comply with PDPL. This also includes cloud service providers, analytics platforms, and digital marketing companies processing Saudi data.
PDPL distinguishes between two types of personal data. Ordinary data includes name, email, phone number, and address. Sensitive data includes health and biometric data (fingerprints, facial recognition), genetic data, financial credit data, association or union membership data, and data revealing ethnic or racial origin. Processing sensitive data requires explicit and specific consent — a general "I agree to terms" checkbox is not sufficient.
The Eight Legal Bases for Processing: This is where the most common mistake occurs — Saudi organizations copy European GDPR templates and assume "legitimate interest" covers everything. PDPL defines eight legal bases that differ from GDPR in fundamental ways. Basis one: consent — must be explicit, specific, and revocable at any time. Basis two: contract performance with the data subject — such as processing customer data for order delivery. Basis three: compliance with another Saudi law — such as retaining financial records per ZATCA requirements. Basis four: protecting the vital interest of the data subject — in medical emergencies, for example.
Basis five: public interest — typically limited to government entities. Basis six: data already made public by the data subject. Basis seven: scientific, research, or statistical purposes with appropriate safeguards. Basis eight: legitimate interest of the controller — but with more restrictive conditions than GDPR: the legitimate interest must not conflict with data subject rights, and this assessment must be documented (Legitimate Interest Assessment). Organizations relying on legitimate interest as a blanket basis without documented assessment face real legal risk during inspections.
Data Subject Rights — And How to Build a Handling System: PDPL grants data subjects extensive rights that organizations must fulfill within specific timelines. Right of access: every person has the right to know what data the organization holds about them and how it is processed — response required within 30 days. Right of rectification: correction of data that is inaccurate or incomplete. Right of erasure: when no legal basis for retention remains — with exceptions for legal obligations. Right of data portability: obtaining a copy of the data in a machine-readable format. Right to object to processing: in specified cases.
Building a request handling system requires: a clear request form (paper and electronic), an identity verification process for applicants (personal data cannot be handed to anyone claiming to be the data subject), a tracking system ensuring response within 30 days, and an escalation procedure for complex requests or those conflicting with other obligations. Organizations without this system will discover the problem when a customer files a complaint with SDAIA — and they will have nothing to show as evidence of compliance.
Cross-Border Data Transfer — The Most Sensitive Area: Every Saudi organization using AWS, Google Cloud, Microsoft Azure, or even SaaS tools like Salesforce and HubSpot transfers personal data outside the Kingdom. For transfers outside the Kingdom, PDPL requires one of the following: an adequate level of protection in the receiving country (as determined by SDAIA), appropriate safeguards such as standard contractual clauses, or explicit consent from the data subject. Government data and sensitive data are subject to stricter restrictions that may require the data to remain within the Kingdom — which is driving major cloud providers to open local regions in Riyadh.
The Personal Data Protection Law is not just a legal obligation — it is a framework for building institutional trust with clients and partners.
Practical application: if your organization uses cloud services, review Data Processing Agreements (DPA) with each provider. Ensure they include clauses meeting PDPL requirements for cross-border transfers. If data is stored in data centers outside the Kingdom, document the legal basis for this transfer and inform data subjects in the privacy policy.
Breach Notification — The 72-Hour Window: When a personal data breach occurs that is likely to harm data subjects, PDPL requires the organization to notify SDAIA within 72 hours of becoming aware of the breach. The notification must include: nature and scale of the breach, types of affected data, measures taken for containment, and recommended actions for data subjects. What constitutes a "notifiable breach" includes: unauthorized access to customer databases, loss of devices containing unencrypted personal data, ransomware attacks encrypting personal data, and any leak — even accidental — of sensitive data.
Organizations without a breach response plan discover the problem when a breach actually occurs: day one is spent in panic, day two trying to understand what happened, day three drafting an incomplete report — and the 72-hour window has closed. The solution: prepare a response plan in advance including a ready notification template, a list of internal and external contacts, and clear criteria for determining whether a breach is notifiable.
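The request-tracking and breach-response logic described in the two sections above (the 30-day response window with identity verification and escalation, and the 72-hour SDAIA notification window with criteria for a notifiable breach) as a small Python model. This is an added example, not code from the guide or from any SDAIA tooling; the status names, the five-day "due soon" threshold and the ISO-string date inputs are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum

# Statutory windows as stated in the guide.
DSR_RESPONSE_DAYS = 30       # response to a data subject request
BREACH_NOTIFY_HOURS = 72     # notification to SDAIA after becoming aware of a breach
DUE_SOON_DAYS = 5            # internal escalation threshold (assumed policy value)


class RequestType(Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    PORTABILITY = "portability"
    OBJECTION = "objection"


@dataclass
class DataSubjectRequest:
    request_id: str
    request_type: RequestType
    received_on: str                          # ISO date, e.g. "2025-01-01"
    identity_verified: bool = False           # data is never released before this is True
    conflicts_with_obligation: bool = False   # e.g. erasure vs. retention required by another law
    completed_on: str | None = None


def dsr_due_date(received_on: str) -> date:
    """Last day on which the organization may still respond in time."""
    return date.fromisoformat(received_on) + timedelta(days=DSR_RESPONSE_DAYS)


def can_release_data(req: DataSubjectRequest) -> bool:
    """Identity verification gates every access and portability response."""
    return req.identity_verified


def dsr_status(req: DataSubjectRequest, today: str) -> str:
    """Queue state for a tracking dashboard; 'escalated' routes the case to the DPO."""
    due = dsr_due_date(req.received_on)
    if req.completed_on is not None:
        return "completed-late" if date.fromisoformat(req.completed_on) > due else "completed"
    if req.conflicts_with_obligation:
        return "escalated"
    if not req.identity_verified:
        return "awaiting-identity-verification"
    remaining = (due - date.fromisoformat(today)).days
    if remaining < 0:
        return "overdue"
    if remaining <= DUE_SOON_DAYS:
        return "due-soon"
    return "open"


@dataclass
class BreachEvent:
    aware_at: str                       # ISO datetime with offset, e.g. "2025-03-01T10:00:00+03:00"
    unauthorized_db_access: bool = False
    lost_device_unencrypted: bool = False
    ransomware_on_personal_data: bool = False
    sensitive_data_leaked: bool = False


def is_notifiable(ev: BreachEvent) -> bool:
    """Notifiable-breach criteria listed in the guide; a lost but encrypted device alone is not one."""
    return any([ev.unauthorized_db_access, ev.lost_device_unencrypted,
                ev.ransomware_on_personal_data, ev.sensitive_data_leaked])


def notification_deadline(ev: BreachEvent) -> datetime:
    """The 72-hour clock starts when the organization becomes aware of the breach."""
    return datetime.fromisoformat(ev.aware_at) + timedelta(hours=BREACH_NOTIFY_HOURS)


def hours_remaining(ev: BreachEvent, now: str) -> float:
    """Hours left to notify SDAIA; negative means the window has already closed."""
    return (notification_deadline(ev) - datetime.fromisoformat(now)).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: a breach detected on 1 March at 10:00 Riyadh time.
    ev = BreachEvent("2025-03-01T10:00:00+03:00", ransomware_on_personal_data=True)
    print("notifiable:", is_notifiable(ev), "deadline:", notification_deadline(ev).isoformat())
    req = DataSubjectRequest("DSR-1", RequestType.ACCESS, "2025-01-01", identity_verified=True)
    print("DSR-1 status on 2025-01-28:", dsr_status(req, "2025-01-28"))
```

The point of recording `aware_at` explicitly is that the 72-hour window is measured from awareness, so the tracker needs that timestamp captured at intake rather than reconstructed later.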
PDPL Implementation Roadmap — 12 Practical Steps: Step 1 — Form the compliance team and appoint a Data Protection Officer (DPO). Step 2 — Comprehensive inventory of all personal data: where it is collected, where it is stored, who accesses it, and where it is transferred. Step 3 — Classify data into ordinary and sensitive. Step 4 — Determine the legal basis for each processing activity from the eight bases.
Step 5 — Draft the public privacy policy (the published document for customers) and the processing record (the internal document). Step 6 — Build a consent acquisition and management mechanism — consent must be provable and revocable. Step 7 — Build the data subject request handling system (access, rectification, erasure, portability).
Step 8 — Review and update contracts with vendors and processors — every third party processing personal data on your behalf needs a Data Processing Agreement (DPA). Step 9 — Implement technical measures: encryption for sensitive data, role-based access control, and access/modification logs. Step 10 — Prepare a data breach response plan with the SDAIA notification template.
Step 11 — Employee training — every employee handling personal data needs training on: what personal data is, how to handle it securely, and what to do when a breach is suspected. Step 12 — Periodic audit and continuous improvement: semi-annual review of the processing record, policy updates based on regulatory changes from SDAIA, and compliance reports for senior management.
Privacy Policy vs. Processing Record — Two Completely Different Documents: The privacy policy is a public document published on the website that tells customers and visitors: what data is collected, why, how it is used, their rights, and how to contact the DPO. It must be written in clear language — not obscure legal jargon. The processing record is a detailed internal document containing: every personal data processing activity, the legal basis for each, retention periods, protection measures applied, and cross-border transfers. This document is what SDAIA requests during inspections — its absence is direct evidence of non-compliance.
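A processing record is only useful during an inspection if each entry can be checked against the rules the guide lays out: the eight legal bases (Step 4), explicit and specific consent for sensitive data, a documented Legitimate Interest Assessment, a DPA for every processor (Step 8), a safeguard for every cross-border transfer, and encryption for sensitive data (Step 9). The following Python validator encodes those checks over a record; it is an added example and not the guide's template or any SDAIA form, and the field names and finding texts are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class LegalBasis(Enum):
    """The eight PDPL bases, numbered as in the guide."""
    CONSENT = 1
    CONTRACT = 2
    LEGAL_OBLIGATION = 3      # compliance with another Saudi law, e.g. ZATCA retention
    VITAL_INTEREST = 4
    PUBLIC_INTEREST = 5       # typically limited to government entities
    PUBLICLY_AVAILABLE = 6
    RESEARCH = 7
    LEGITIMATE_INTEREST = 8   # requires a documented LIA


class TransferSafeguard(Enum):
    NONE = "none"
    ADEQUACY = "adequacy"                        # receiving country approved by SDAIA
    SCC = "standard_contractual_clauses"
    EXPLICIT_CONSENT = "explicit_consent"


@dataclass
class ProcessingActivity:
    """One row of the internal processing record (field names are assumed)."""
    name: str
    data_categories: list[str]
    legal_basis: LegalBasis
    retention_days: int | None = None
    sensitive: bool = False
    consent_explicit_and_specific: bool = False
    lia_documented: bool = False
    controller_is_government: bool = False
    processors: list[str] = field(default_factory=list)
    dpa_signed_with: list[str] = field(default_factory=list)
    transferred_outside_kingdom: bool = False
    transfer_safeguard: TransferSafeguard = TransferSafeguard.NONE
    encrypted_at_rest: bool = False


def validate_activity(a: ProcessingActivity) -> list[str]:
    """Return the compliance findings for one activity; an empty list means no gap found."""
    findings: list[str] = []
    if a.retention_days is None:
        findings.append("no retention period recorded")
    if a.sensitive and a.legal_basis is LegalBasis.CONSENT and not a.consent_explicit_and_specific:
        findings.append("sensitive data processed on consent that is not explicit and specific")
    if a.legal_basis is LegalBasis.LEGITIMATE_INTEREST and not a.lia_documented:
        findings.append("legitimate interest used without a documented LIA")
    if a.legal_basis is LegalBasis.PUBLIC_INTEREST and not a.controller_is_government:
        findings.append("public interest basis claimed by a non-government controller (review)")
    for p in a.processors:
        if p not in a.dpa_signed_with:
            findings.append(f"processor '{p}' has no DPA")
    if a.transferred_outside_kingdom:
        if a.transfer_safeguard is TransferSafeguard.NONE:
            findings.append("cross-border transfer without adequacy, SCCs or explicit consent")
        if a.sensitive:
            findings.append("sensitive data transferred outside the Kingdom: check whether in-Kingdom storage is required")
    if a.sensitive and not a.encrypted_at_rest:
        findings.append("sensitive data not encrypted at rest")
    return findings


def audit(record: list[ProcessingActivity]) -> dict[str, list[str]]:
    """Findings per activity, suitable for the semi-annual review report (Step 12)."""
    return {a.name: validate_activity(a) for a in record}


if __name__ == "__main__":
    # Constructed sample record with one compliant and one deficient activity.
    record = [
        ProcessingActivity("order-delivery", ["name", "address", "phone"], LegalBasis.CONTRACT,
                           retention_days=365, processors=["courier-a"], dpa_signed_with=["courier-a"]),
        ProcessingActivity("employee-health", ["health"], LegalBasis.CONSENT, sensitive=True,
                           processors=["hr-saas"], transferred_outside_kingdom=True),
    ]
    for name, findings in audit(record).items():
        print(name, "->", findings or "no findings")
```

Running the audit before SDAIA does is the practical use: every non-empty list is a row the inspector would otherwise find first.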
Penalties — What You Need to Know: Fines reach up to 5 million SAR. Unlawful disclosure of sensitive data may expose the responsible person to imprisonment up to 2 years. Transferring personal data outside the Kingdom in violation of the law carries fines up to 1 million SAR and imprisonment up to 1 year. But the biggest damage is often not the fine — it is loss of client and partner trust. In a Saudi market moving toward comprehensive digitization, digital reputation has become a real institutional asset.
Next Steps: If your organization has not yet started its PDPL compliance journey, the right starting point is not buying a tool — but understanding your current state. Begin with an inventory of the personal data you process and identify the gaps between your current practices and the law's requirements. The PDPL compliance kit in the store includes policy templates, record forms, and a step-by-step implementation guide — designed for the Saudi context and not translated from GDPR templates.
| Violation Type | Penalty | Example |
|---|---|---|
| Disclosing sensitive data without consent | Imprisonment up to 2 years + fine up to 3M SAR | Sharing employee health data with third party |
| Cross-border data transfer without authorization | Imprisonment up to 1 year + fine up to 1M SAR | Storing Saudi customer data on external servers |
| Failure to report a data breach | Fine + processing license suspension | Delayed reporting of customer database leak |
| Failure to appoint a DPO | Warning + escalating fine | Organization processing sensitive data without DPO |