Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

Key Proposed Updates to Saudi Arabia’s PDPL Implementing Regulations

Published May 7, 2025
Author

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Listen to the content

I. Introduction

The Saudi Data & Artificial Intelligence Authority (SDAIA) has launched a public consultation on Proposed Amendments to the Implementing Regulations of the Personal Data Protection Law (PDPL). Public feedback is open through May 27, 2025, via the Istitlaa Platform. These draft changes aim to align regulatory language more closely with the Personal Data Protection Law (PDPL) itself, simplify how key information is communicated to data subjects, and clarify obligations for data controllers, particularly around registration, privacy policies, and oversight functions. The proposals also ease certain compliance requirements, such as those related to direct marketing and complaint procedures.

Below is an overview of the major changes and their implications for data controllers and processors operating in the Kingdom.

II. Streamlined Language Requirements for Privacy Policies

Currently, controllers are required to tailor communications to individuals lacking full legal capacity by providing information in an “appropriate language.” This is being revised and the new requirement will simply state, “The Controller shall provide the required information in an appropriate and simplified language…”

This change emphasizes clarity and accessibility for all data subjects especially minors or vulnerable individuals by requiring that notices and privacy information be both suitable and easily understandable, not merely translated.

The updated regulations also introduce clearer standards for privacy policies. Controllers may now have to ensure that:

  • There is an explicit privacy policy, and it is written in clear, simplified, and comprehensible language that accommodates varying levels of understanding across different data subject groups.
  • The language used aligns with the customary language in which services or products are provided to the relevant audience.
    • This proposed amendment is particularly useful as it addresses the ambiguity regarding whether privacy policies must be translated into different languages in the KSA.

III. Direct Marketing Provisions Removed

Several provisions related to direct marketing may be removed from the Regulations, including:

  • The definition of “Direct Marketing” (which includes both physical and electronic communications, such as advertisements or promotions).
  • A requirement to disclose the sender’s identity when sending direct marketing material.

Organizations engaging in direct outreach should not interpret this as a license to proceed without consent, as the consent requirement still persists.

Personal Data Breach Definition Removed

The definition of a "Personal Data Breach" may also be removed from the Implementing Regulations. Previously, this definition referred to any incident involving the breach, corruption, or unauthorized access to personal data, whether intentional or accidental, automated or manual.

Instead of retaining a rigid definition, the revised regulations rely on the breach notification obligations already set out under Article 20 of the PDPL, Article 24 of the Implementing Regulations and the Personal Data Breach Incidents Procedural Guide. That article requires data controllers to notify both the Competent Authority and affected data subjects upon knowing of any breach, damage, or illegal access. Controllers must report to the Authority within 72 hours of becoming aware of the breach and include relevant details and mitigation measures. Where the breach poses a risk to the data subject’s rights or interests, the data subject must also be notified without undue delay and in clear, accessible language.

IV. Reduction in Record-Keeping Requirements

Key obligations around maintaining Records of Processing Activities (ROPAs) are also potentially being repealed. The following requirements are expected to be deleted:

  • The mandate that processing records must be in writing,
  • The specific list of minimum information to be included, such as:
    • Controller and DPO contact details
    • Purposes and categories of data
    • Retention periods
    • Recipients and transfers
    • Security measures

While the obligation to maintain records is still present, the removal of this granular list suggests a more flexible compliance framework.

V. Complaint Timeframe Restrictions Removed

It seems as if the requirement setting the 90-day deadline for data subjects to submit complaints to the Competent Authority may also be deleted. In the current regime, the Authority has discretion to accept late complaints if the individual had valid reasons for the delay.

A. Responding to Compliance Requests

A newly proposed provision requires controllers to respond to inquiries from SDAIA concerning their compliance with the PDPL and its Implementing Regulations within 10 business days.

The deletion of this clause reflects a desire to remove unnecessary barriers to recourse, allowing individuals greater freedom to pursue complaints regardless of procedural timing.

VI. Expansion and Clarification of the DPO Role

Significant changes are also expected to the structure and obligations surrounding Personal Data Protection Officers (DPOs). The Rules for Appointing Personal Data Protection Officer will be repealed if this amendment comes into force and replaced with a more prescriptive framework:

  • Controllers must formally document the appointment of a DPO.
  • Upon appointment, the DPO’s contact information must be submitted via the Competent Authority’s platform, and updated whenever a change occurs.

The DPO’s role will no longer be limited to compliance monitoring. Under the new Article 34, their responsibilities may now explicitly include:

  • Acting as the main liaison with the Competent Authority and implementing its instructions.
  • Providing internal support to the controller and promoting awareness of the PDPL.
  • Enabling data subject rights and handling related requests or complaints.
  • Notifying the Authority of any personal data breach.
  • Maintaining and updating the controller’s processing records.
  • Overseeing remediation efforts when the controller violates data protection requirements.
  • Supervising DPIAs, audits, and control reports and issuing necessary recommendations.

VII. Centralized Enforcement: New Platform Introduced

A new paragraph in Article (1) is potentially being introduced, describing an electronic platform under the supervision of the Competent Authority. This platform is intended to serve as a hub for:

  • Support services and compliance tools
  • Implementation of the PDPL’s requirements
  • Management of the National Register of Controllers

This will mark a practical step towards centralizing oversight and facilitating digital compliance mechanisms for regulated entities. Once operational, the platform is expected to play a key role in simplifying registration, submissions, and communication with the regulator.

In a related move, The Rules Governing the National Register of Controllers Within the Kingdom will be repealed and replaced with a new article detailing mandatory registration criteria if this amendment is passed. Registration through the platform will now be required if any of the following apply:

  • The controller is a public entity.
  • The controller’s core activity involves processing personal data.
  • The controller transfers personal data outside the Kingdom or discloses it internationally.
  • The controller processes sensitive data.
  • The controller processes data about individuals lacking full or partial legal capacity.

This requirement extends not only to legal entities but also to individuals who meet the controller definition and process personal data beyond personal or family use.

Each controller will have a dedicated record within the platform, containing documentation referred to in Article 31 of the PDPL as well as any additional processing-related information required by the Authority.

VIII. Key Takeaways for Businesses

These regulatory changes are more than editorial tweaks; they signal a clear shift toward simplification and flexibility. However, controllers and processors should be cautious not to interpret the removal of specific rules as a relaxation of obligations. Your organization, as best practice, should observe the following steps:

  • Monitor further guidance from the SDAIA, especially around the launch and scope of the new enforcement platform.
  • Maintain internal records of processing as a safeguard in the event of audits or incidents.
  • Continue to obtain consent and disclose sender identity (as best practice) in direct marketing activities.
  • Review data breach response protocols to ensure incidents are still escalated appropriately despite the absence of a formal breach definition.

As the PDPL continues to evolve, organizations operating in Saudi Arabia should take this opportunity to revisit their compliance programs and ensure their data governance frameworks remain aligned with the law’s intent.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 13:38

Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines

Sanofi Thumbnail
Watch Now View
Spotlight 10:35

There’s Been a Material Shift in the Data Center of Gravity

Watch Now View
Spotlight 14:21

AI Governance Is Much More than Technology Risk Mitigation

AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3

You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge

Watch Now View
Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 27:29

Building Safe AI with Databricks and Gencore

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View

Latest

Pete Angstadt joins Securiti View More

Why I joined Securiti

I’m thrilled to be joining Securiti as they embark on their next phase of growth. Why did I decide to join? In short -...

AI System Observability: Go Beyond Model Governance View More

AI System Observability: Go Beyond Model Governance

Across industries, AI systems are no longer just tools acting on human prompts. The AI landscape is evolving rapidly, and AI systems are gaining...

Top Data Security Challenges & How to Solve Them View More

Top Data Security Challenges & How to Solve Them

Learn the top data security challenges organizations face today. Learn about the challenge and its solution. Enhance your data security posture today.

View More

How to Implement a Robust Data Security Framework

Data privacy regulations mandate strict data security measures. Learn how to implement a robust data security framework to ensure swift compliance.

Mastering Cookie Consent: Global Compliance & Customer Trust View More

Mastering Cookie Consent: Global Compliance & Customer Trust

Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.

Why Data Access Is Your Weakest Link—And How DSPM Fixes It View More

Why Data Access Is Your Weakest Link—And How DSPM Fixes It

Learn how DSPM provides unified Data+AI Access governance, offering contextual data intelligence, automated controls, safe AI+data access, and consistent least-privilege enforcement.

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now View More

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now

Discover why shifting focus from AI risk to AI readiness is critical for enterprises. Learn how Data Security Posture Management (DSPM) empowers organizations to...

The European Health Data Space Regulation View More

The European Health Data Space Regulation: A Legislative Timeline and Implementation Roadmap

Download the infographic on the European Health Data Space Regulation, which features a clear timeline and roadmap highlighting key legislative milestones, implementation phases, and...

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New