Saudi PDPL's first anniversary: Amendments, enforcement and ongoing developments


Contributors:
Abdulaziz Almanea
Data management consultant
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Saudi Arabia's Personal Data Protection Law, regarded as one of the most comprehensive pieces of privacy legislation, became fully enforceable 14 Sept. 2024, three years after its initial announcement.
The PDPL applies to all entities — whether based inside or outside the kingdom — that process the personal data of Saudi citizens or residents and also extends to individuals who collect the personal data of others. Uniquely, the law safeguards privacy not only during a person's lifetime but also after their death. To ease the transition, a two-year grace period for compliance was initially granted and later extended to three years.
Preparatory guidelines for effective enforcement
While the PDPL itself had been announced, much of the accompanying guidance from the data protection authority, the Saudi Data and Artificial Intelligence Authority, was only released in the months leading up to the law's effective date. Even within this compressed timeframe, the guidance played a critical role in equipping organizations with the clarity needed to effectively navigate and implement the new regulatory framework.
The SDAIA's guidance materials included: rules for appointing a personal data protection officer; a regulation on personal data transfers outside the kingdom; guidelines for binding common rules for personal data transfers; guidelines for developing privacy notices; and guidelines to assist entities in determining when personal data should be destroyed or anonymized.
Staged implementation and ongoing regulatory development