Key Proposed Updates to Saudi Arabia’s PDPL Implementing Regulations

Published May 7, 2025
Author

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

I. Introduction

The Saudi Data & Artificial Intelligence Authority (SDAIA) has launched a public consultation on Proposed Amendments to the Implementing Regulations of the Personal Data Protection Law (PDPL). Public feedback is open through May 27, 2025, via the Istitlaa Platform. These draft changes aim to align regulatory language more closely with the PDPL itself, simplify how key information is communicated to data subjects, and clarify obligations for data controllers, particularly around registration, privacy policies, and oversight functions. The proposals also ease certain compliance requirements, such as those related to direct marketing and complaint procedures.

Below is an overview of the major changes and their implications for data controllers and processors operating in the Kingdom.

II. Streamlined Language Requirements for Privacy Policies

Currently, controllers are required to tailor communications to individuals lacking full legal capacity by providing information in an “appropriate language.” This is being revised, and the new requirement will simply state: “The Controller shall provide the required information in an appropriate and simplified language…”

This change emphasizes clarity and accessibility for all data subjects, especially minors or vulnerable individuals, by requiring that notices and privacy information be both suitable and easily understandable, not merely translated.

The updated regulations also introduce clearer standards for privacy policies. Controllers may now have to ensure that:

  • There is an explicit privacy policy, and it is written in clear, simplified, and comprehensible language that accommodates varying levels of understanding across different data subject groups.
  • The language used aligns with the customary language in which services or products are provided to the relevant audience.
    • This proposed amendment is particularly useful as it addresses the ambiguity regarding whether privacy policies must be translated into different languages in the KSA.

III. Direct Marketing Provisions Removed

Several provisions related to direct marketing may be removed from the Regulations, including:

  • The definition of “Direct Marketing” (which includes both physical and electronic communications, such as advertisements or promotions).
  • A requirement to disclose the sender’s identity when sending direct marketing material.

Organizations engaging in direct outreach should not interpret this as a license to proceed without consent, as the consent requirement still persists.

Personal Data Breach Definition Removed

The definition of a "Personal Data Breach" may also be removed from the Implementing Regulations. Previously, this definition referred to any incident involving the breach, corruption, or unauthorized access to personal data, whether intentional or accidental, automated or manual.

Instead of retaining a rigid definition, the revised regulations rely on the breach notification obligations already set out under Article 20 of the PDPL, Article 24 of the Implementing Regulations and the Personal Data Breach Incidents Procedural Guide. That article requires data controllers to notify both the Competent Authority and affected data subjects upon knowing of any breach, damage, or illegal access. Controllers must report to the Authority within 72 hours of becoming aware of the breach and include relevant details and mitigation measures. Where the breach poses a risk to the data subject’s rights or interests, the data subject must also be notified without undue delay and in clear, accessible language.

IV. Reduction in Record-Keeping Requirements

Key obligations around maintaining Records of Processing Activities (ROPAs) are also potentially being repealed. The following requirements are expected to be deleted:

  • The mandate that processing records must be in writing,
  • The specific list of minimum information to be included, such as:
    • Controller and DPO contact details
    • Purposes and categories of data
    • Retention periods
    • Recipients and transfers
    • Security measures

While the obligation to maintain records is still present, the removal of this granular list suggests a more flexible compliance framework.

V. Complaint Timeframe Restrictions Removed

It appears that the requirement setting the 90-day deadline for data subjects to submit complaints to the Competent Authority may also be deleted. In the current regime, the Authority has discretion to accept late complaints if the individual had valid reasons for the delay.

The deletion of this clause reflects a desire to remove unnecessary barriers to recourse, allowing individuals greater freedom to pursue complaints regardless of procedural timing.

A. Responding to Compliance Requests

A newly proposed provision requires controllers to respond to inquiries from SDAIA concerning their compliance with the PDPL and its Implementing Regulations within 10 business days.

VI. Expansion and Clarification of the DPO Role

Significant changes are also expected to the structure and obligations surrounding Personal Data Protection Officers (DPOs). The Rules for Appointing Personal Data Protection Officer will be repealed if this amendment comes into force and replaced with a more prescriptive framework:

  • Controllers must formally document the appointment of a DPO.
  • Upon appointment, the DPO’s contact information must be submitted via the Competent Authority’s platform, and updated whenever a change occurs.

The DPO’s role will no longer be limited to compliance monitoring. Under the new Article 34, their responsibilities may now explicitly include:

  • Acting as the main liaison with the Competent Authority and implementing its instructions.
  • Providing internal support to the controller and promoting awareness of the PDPL.
  • Enabling data subject rights and handling related requests or complaints.
  • Notifying the Authority of any personal data breach.
  • Maintaining and updating the controller’s processing records.
  • Overseeing remediation efforts when the controller violates data protection requirements.
  • Supervising DPIAs, audits, and control reports and issuing necessary recommendations.

VII. Centralized Enforcement: New Platform Introduced

A new paragraph in Article (1) is potentially being introduced, describing an electronic platform under the supervision of the Competent Authority. This platform is intended to serve as a hub for:

  • Support services and compliance tools
  • Implementation of the PDPL’s requirements
  • Management of the National Register of Controllers

This will mark a practical step towards centralizing oversight and facilitating digital compliance mechanisms for regulated entities. Once operational, the platform is expected to play a key role in simplifying registration, submissions, and communication with the regulator.

In a related move, the Rules Governing the National Register of Controllers Within the Kingdom will be repealed and replaced with a new article detailing mandatory registration criteria if this amendment is passed. Registration through the platform will now be required if any of the following apply:

  • The controller is a public entity.
  • The controller’s core activity involves processing personal data.
  • The controller transfers personal data outside the Kingdom or discloses it internationally.
  • The controller processes sensitive data.
  • The controller processes data about individuals lacking full or partial legal capacity.

This requirement extends not only to legal entities but also to individuals who meet the controller definition and process personal data beyond personal or family use.

Each controller will have a dedicated record within the platform, containing documentation referred to in Article 31 of the PDPL as well as any additional processing-related information required by the Authority.

VIII. Key Takeaways for Businesses

These regulatory changes are more than editorial tweaks; they signal a clear shift toward simplification and flexibility. However, controllers and processors should be cautious not to interpret the removal of specific rules as a relaxation of obligations. Your organization, as best practice, should observe the following steps:

  • Monitor further guidance from the SDAIA, especially around the launch and scope of the new enforcement platform.
  • Maintain internal records of processing as a safeguard in the event of audits or incidents.
  • Continue to obtain consent and disclose sender identity (as best practice) in direct marketing activities.
  • Review data breach response protocols to ensure incidents are still escalated appropriately despite the absence of a formal breach definition.

As the PDPL continues to evolve, organizations operating in Saudi Arabia should take this opportunity to revisit their compliance programs and ensure their data governance frameworks remain aligned with the law’s intent.
