PDPL Saudi Arabia: The Full Compliance Guide

In early 2026, the Saudi Data and Artificial Intelligence Authority quietly announced something a lot of companies operating in the Kingdom missed: it had issued 48 enforcement decisions under the Personal Data Protection Law in roughly a year. Marketing without consent, processing without a lawful basis, failure to implement technical and organisational safeguards: the violations are routine, the penalties are real, and the grace period is long over.

Saudi Arabia's PDPL is the Kingdom's analogue to the GDPR: a comprehensive data protection regime that governs how personal data of Saudi residents is collected, processed, stored, transferred, and protected. It came into full force on 14 September 2023, the compliance grace period expired on 14 September 2024, and as of 2026 it is in active enforcement administered by SDAIA, with fines of up to SAR 5 million per violation (doubled for repeats) and criminal penalties available for the most serious breaches involving sensitive data.

This guide is built to be the answer for any company operating in or selling into Saudi Arabia in 2026: what PDPL is, who it covers, what changed when enforcement went live, how it compares to GDPR, what your security programme must do to satisfy it, how it lands in fintech, healthcare, e-commerce, and AI, what penalties actually look like, and, uniquely, how to build PDPL compliance alongside the NCA's Essential Cybersecurity Controls and SAMA's framework rather than as a separate project. If you want the wider regulatory picture first, start with our guide to what the NCA is.

  1. What PDPL Is and Who Must Comply
  2. What Changed for PDPL in 2026
  3. PDPL vs GDPR — Side by Side
  4. What PDPL Requires From Your Security Programme
  5. PDPL for Fintech, Healthcare, E-Commerce and AI
  6. Penalties and How Enforcement Actually Works
  7. Building PDPL Alongside NCA and SAMA
  8. How SecurityWall Supports PDPL Compliance

What PDPL Is and Who Must Comply

PDPL, the Personal Data Protection Law, was enacted in Saudi Arabia by Royal Decree No. M/19 in September 2021, amended in March 2023, and came into full force on 14 September 2023. The grace period ended on 14 September 2024, and the law has been in active enforcement ever since.

It applies broadly: every entity, public or private, domestic or international, that processes the personal data of individuals in Saudi Arabia must comply. The reach is explicitly extraterritorial: if you are based outside the Kingdom but you process Saudi residents' personal data, you are inside PDPL's scope. The law protects living individuals, data of deceased persons in certain contexts, and family members where they can be identified. There are very few sectors it does not touch.

The competent authority is the Saudi Data and Artificial Intelligence Authority (SDAIA), which has powers broadly equivalent to those of supervisory authorities under GDPR Article 58: investigation, document production, monitoring of controllers, the imposition of fines, and the issuance of orders to remedy non-compliance. SDAIA maintains a National Register of Controllers, and certain categories of controller must be registered.

What Changed for PDPL in 2026

This is the most important section of this guide, because almost every other piece of PDPL content online still describes the law as if it were waiting to take effect. It is not. The 2026 change is not a legal amendment; it is the move from awareness-building to operational enforcement.

The headline numbers from SDAIA's early-2026 announcement:

  • 48 enforcement decisions issued through SDAIA's Committees for Reviewing Violations of the PDPL in roughly the past year
  • Up to SAR 5 million per violation in administrative fines, with the figure doubled for repeat violations
  • A diverse violation profile: collecting or processing personal data without a valid legal basis, unauthorised disclosure of personal data, failure to implement technical and organisational safeguards, and sending marketing or promotional communications without prior consent

The committee process matters as much as the numbers. SDAIA's Rules of Procedure give the Committees wide powers to issue warnings, impose fines, and order publication of final penalties, and the proceedings are formal, electronic, and run to short statutory deadlines. Organisations served with notice are often caught unprepared by how quickly things move and by the expectation that internal records, decisions, and evidence will be produced on demand.

The practical takeaway is the one the headline numbers point to: enforcement is no longer about whether you have policy documents on paper. It is about whether you can demonstrate that your controls actually operate: that consent was obtained, that the lawful basis is documented, that technical safeguards are in place and working, that breach handling is real. Operational proof has replaced paper compliance as the bar.

PDPL vs GDPR — Side by Side

If your organisation already operates a GDPR programme, PDPL will feel familiar in shape. The principles overlap, the rights overlap, and SDAIA's powers map closely to those of European data protection authorities. The differences are in the details that matter operationally.

Two Regimes, Familiar Shape: PDPL (Saudi Arabia) vs GDPR (EU)

  Dimension              | PDPL (KSA)                                     | GDPR (EU)
  -----------------------|------------------------------------------------|---------------------------------------------------------
  Regulator              | SDAIA                                          | National DPAs + EDPB
  Scope                  | Saudi residents, extraterritorial              | EU residents, extraterritorial
  Lawful bases           | Narrower, consent-heavy                        | Six bases including legitimate interests
  Maximum fine           | SAR 5M (doubled for repeats)                   | €20M or 4% global turnover
  Sensitive data         | Criminal penalties possible                    | Special categories, stricter rules
  Cross-border transfers | SDAIA authorisation plus risk assessment       | Adequacy plus safeguards (SCCs, BCRs)
  DPO                    | Required in certain cases                      | Required in certain cases
  Data subject rights    | Access, correction, deletion, withdrawal       | Access, rectification, erasure, portability, objection

The shape is familiar to GDPR teams. The biggest operational differences are PDPL's narrower lawful bases and its more prescriptive cross-border transfer regime.

A GDPR programme is a strong head start but it is not automatic compliance. The narrower lawful bases mean consent does more work under PDPL, and the cross-border regime requires Saudi-specific risk assessments and SDAIA processes that GDPR's transfer toolkit does not satisfy on its own.

What PDPL Requires From Your Security Programme

This is where most PDPL guidance falls short, because it is written by lawyers focused on the legal side rather than by security practitioners who implement the controls. PDPL is explicit that controllers and processors must implement appropriate technical and organisational measures to protect personal data, and SDAIA's recent enforcement decisions confirm that failure to implement those safeguards is a common, sanctioned violation in its own right.

The practical security baseline PDPL demands looks like this:

  • Identity and access management with multi-factor authentication on systems holding personal data, and documented periodic access reviews
  • Encryption of personal data in transit and at rest, with managed keys and clear rotation
  • Logging and monitoring of access to personal data, with alerting that fires in time to be useful
  • Vulnerability management and patching on a defined cadence
  • Penetration testing to validate that controls actually work, not just exist
  • Backup and recovery that has been tested, not assumed
  • Breach detection and response, including notification within the statutory timeframe
  • Vendor and processor oversight, including security assessments and contractual obligations
  • Data classification aligned to SDAIA's framework, so the most sensitive personal data attracts the strongest controls

Notice how closely this maps to the NCA's Essential Cybersecurity Controls and to NCNICC's technical baseline. That is not coincidence; it is the reason the unified approach in the final section works. The technical controls that satisfy the NCA's frameworks also evidence the technical safeguards PDPL requires; you do not build them twice.

Penetration testing sits at the intersection of these regimes for a reason: it is the most direct way to demonstrate that the technical safeguards PDPL expects actually function, and the most defensible evidence to produce when a Committee asks you to prove your controls work.

PDPL for Fintech, Healthcare, E-Commerce and AI

PDPL is sector-blind in its scope but sector-specific in how it lands.

Fintech. Customer identity, transaction, and credit data all sit at the top of the sensitivity scale. PDPL stacks on top of SAMA's framework and the NCA's controls (covered in detail in our NCA and SAMA dual compliance guide and our fintech and BNPL compliance guide). Cross-border transfers and consent flows are the most frequent PDPL exposure points for fintechs.

Healthcare. Health data is among the most sensitive categories under PDPL, with heightened controls and serious penalties for breaches. Healthcare operators also navigate sector-specific frameworks alongside PDPL, which makes structured data classification and access control non-negotiable from day one.

E-commerce. PDPL is biting hard in retail and e-commerce, particularly on marketing communications sent without prior consent, one of the most common violations in SDAIA's enforcement decisions. Consent management, preference centres, and clean unsubscribe paths are not a nice-to-have here; they are a direct enforcement risk.

AI companies. AI training and inference on personal data is squarely in PDPL's scope, including PDPL's rules on automated decision-making and profiling. We cover the AI-specific stack (SDAIA plus PDPL plus NCA) in our NCA compliance for AI companies guide.

Penalties and How Enforcement Actually Works

PDPL enforcement runs through specialised Committees for Reviewing Violations under SDAIA's Rules of Procedure. The Committees have quasi-judicial powers and can:

  • Issue warnings
  • Impose fines of up to SAR 5 million per violation, doubled for repeat violations
  • Order remediation of non-compliant practices
  • Require publication of final penalties

Beyond administrative fines, PDPL also provides for criminal penalties in the most serious cases, particularly those involving sensitive data and unauthorised disclosure intended to cause harm. The enforcement profile from SDAIA's first wave is now public: collecting or processing without a valid legal basis, unauthorised disclosure, failure to implement technical and organisational safeguards, and marketing without consent. None of those are obscure failure modes; they are the routine compliance items most organisations get wrong.

Two operational realities that catch businesses off guard: proceedings are fast and largely electronic, with short statutory deadlines for responses; and the Committees expect organisations to produce records, decisions, and evidence on demand. If your policies, consent records, processing logs, and security evidence are not assembled and accessible before a notice arrives, the time pressure of the process itself becomes a major risk.

Building PDPL Alongside NCA and SAMA

Here is the strategic point most PDPL guides miss, because they treat data protection in isolation. For a Saudi organisation, PDPL almost never arrives alone. It arrives alongside the NCA's ECC or NCNICC-1:2025, and for financial firms, alongside SAMA's Cyber Security Framework. The smart move is to build one unified control environment that satisfies all of them at once.

The overlaps are substantial. PDPL's technical-safeguards requirements map directly onto NCA cybersecurity controls; PDPL's vendor-oversight obligations map onto third-party requirements in both NCA and SAMA frameworks; data classification underpins all three; access control and monitoring satisfy all three; penetration testing produces evidence for all three. The unified programme model:

  1. Map the regulators that apply to you: PDPL plus NCA (ECC or NCNICC), plus SAMA if you are in the financial sector.
  2. Build one control environment to the union of their requirements, not three separate stacks.
  3. Produce evidence once, mapped across the regulators that will look at it.
  4. Conduct testing that serves all of them: a single penetration test scoped to do the job for each.
  5. Coordinate documentation: privacy notices, processor agreements, security policies, and breach playbooks can all be written once and referenced by each programme.

That is the operating model SecurityWall builds for clients across the cluster, and it is the single most effective way to keep cost and effort proportionate when three regulators sit on top of you.

How SecurityWall Supports PDPL Compliance

SecurityWall is an NCA-registered cybersecurity firm that delivers the technical and organisational security measures PDPL requires alongside the privacy specialists and DPOs handling its legal aspects. We do not write your privacy notices; we make sure the controls that PDPL demands actually exist, operate, and produce the evidence SDAIA's Committees will ask to see. Our team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials.

PDPL Security Gap Assessment

  • Assessment of your current security posture against PDPL's technical and organisational requirements
  • Mapping to NCA controls and, where relevant, SAMA so you find out what already counts and what still needs work
  • A prioritised remediation plan focused on the controls SDAIA actually checks

Technical Safeguards Implementation

  • Access management with MFA, encryption, logging and monitoring, vulnerability management
  • Data classification aligned to SDAIA's framework
  • Backup and recovery you can prove works under test

Penetration Testing and Evidence

  • Penetration testing that demonstrates the technical safeguards PDPL requires are operational, not theoretical
  • Reports formatted to support PDPL evidence requirements alongside NCA and SAMA assessments
  • Retesting included, so findings are demonstrably closed


Frequently Asked Questions

What is PDPL Saudi Arabia?

PDPL is the Kingdom of Saudi Arabia's Personal Data Protection Law, enacted by Royal Decree M/19 in September 2021 and amended in March 2023. It came into full force on 14 September 2023, with the compliance grace period ending on 14 September 2024. It is administered by SDAIA (the Saudi Data and Artificial Intelligence Authority) and governs how personal data of individuals in Saudi Arabia is collected, processed, stored, transferred, and protected.

Who must comply with PDPL?

Every entity, public or private, domestic or international, that processes personal data of individuals in Saudi Arabia. PDPL applies extraterritorially, so foreign companies handling Saudi residents' data are in scope even if they have no Saudi establishment.

What are the penalties for PDPL violations?

Administrative fines of up to SAR 5 million per violation, doubled for repeat violations. Sensitive-data violations and unauthorised disclosure intended to cause harm can attract criminal penalties. SDAIA's Committees can also issue warnings, order remediation, and require publication of final penalties.

How is PDPL different from GDPR?

PDPL covers Saudi residents and is administered by SDAIA, with maximum administrative fines of SAR 5 million per violation (doubled for repeats). GDPR covers EU residents with maximum fines of €20 million or 4% of global turnover. PDPL has narrower lawful bases for processing and a more prescriptive cross-border transfer regime that requires SDAIA authorisation and risk assessment.

What security measures does PDPL require?

PDPL requires appropriate technical and organisational safeguards including identity and access management with MFA, encryption, logging and monitoring, vulnerability management, penetration testing, breach detection and response, vendor oversight, and data classification. Failure to implement these safeguards is itself a sanctioned violation.

How does PDPL fit alongside NCA and SAMA compliance?

PDPL, the NCA's frameworks, and SAMA's CSF share substantial overlap in technical controls, vendor oversight, and data classification. The efficient approach is one unified control environment built to the union of the regulators that apply to your organisation, with evidence mapped across all of them rather than running three separate programmes.