
Saudi PDPL Compliance Guide for Small Businesses (2026)

Last updated: April 2026 · 10 min read

Imtisal handles all of this automatically.

1. What is the Saudi PDPL?

The Personal Data Protection Law (نظام حماية البيانات الشخصية, "PDPL") is Saudi Arabia's comprehensive privacy law, issued under Royal Decree M/19 on 09/02/1443H (September 16, 2021). It came into effect on September 17, 2023, after a two-year implementation period.

The PDPL is enforced by the Saudi Data & AI Authority (SDAIA — الهيئة السعودية للبيانات والذكاء الاصطناعي). As of 2025, SDAIA has taken enforcement action against 48 organizations for PDPL violations, with fines reaching into the millions of Saudi riyals.

The PDPL is modeled partly on the European Union's GDPR but has several Saudi-specific elements, including Arabic-language requirements, data residency preferences, and different deadline timelines. If your business is familiar with GDPR, PDPL will feel similar — but do not assume they are identical.

Imtisal makes PDPL compliance automatic.

AI-generated Arabic privacy policy, consent management, breach notifications — all automated.

Get started free →

2. Who does it apply to?

The PDPL applies to any entity that processes personal data of Saudi residents, regardless of where the entity is based. This means:

  • Saudi businesses of all sizes (no SME exemption)
  • Foreign businesses with customers in Saudi Arabia
  • Entities that process personal data on behalf of others (data processors)
  • Government agencies and private sector alike

If your business does any of the following, PDPL applies to you:

  • Collects customer names, emails, or phone numbers
  • Tracks customer purchase history
  • Processes employee personal data
  • Sends marketing messages via WhatsApp, SMS, or email
  • Uses CCTV in your premises
  • Has a website with analytics or contact forms
  • Processes any health, financial, or location data

In short: if you have customers or employees in Saudi Arabia, PDPL applies to you.

3. Key definitions

Understanding PDPL requires knowing some key terms:

  • Personal data: Any information that identifies or can identify a natural person — names, national IDs, phone numbers, emails, IP addresses, photos, and more
  • Sensitive data: A special category requiring stricter protection — includes health data, financial data, biometric data, location data, and religious/political beliefs
  • Data controller: The entity that determines how and why personal data is processed (usually your business)
  • Data processor: An entity that processes data on behalf of a controller (e.g., a cloud provider, payroll service)
  • Data subject: The individual whose personal data is being processed (your customers, employees)
  • Processing: Any operation on personal data — collection, storage, use, disclosure, deletion
  • Consent: A freely given, specific, informed, and unambiguous indication of agreement to data processing


4. Your obligations as a data controller

As a data controller under PDPL, you must:

  • Establish a lawful basis: Every processing activity must have a valid basis — usually consent, contract performance, legal obligation, or legitimate interests
  • Create an Arabic privacy policy: Published on your website, clearly explaining what data you collect, why, and how long you keep it
  • Obtain consent for marketing: Explicit opt-in required before sending marketing communications via WhatsApp, SMS, or email
  • Apply data minimization: Only collect data you actually need for a specific, stated purpose
  • Implement security measures: Technical and organizational measures appropriate to the risk
  • Report data breaches: Notify SDAIA within 72 hours of becoming aware of a breach that risks individuals' rights
  • Handle data subject requests: Respond to access, correction, deletion, and portability requests within 30 days
  • Maintain processing records: Keep a Record of Processing Activities (RoPA) documenting all data processing activities
  • Manage data processors: Ensure any third parties processing data on your behalf comply with PDPL requirements
  • Control cross-border transfers: Obtain the required approval before transferring personal data outside Saudi Arabia

5. Data subject rights

Saudi residents whose data you process have the following rights under PDPL:

  • Right of access: Request a copy of all personal data you hold about them, plus information about how it's used
  • Right of correction: Request correction of inaccurate or incomplete personal data
  • Right of deletion: Request deletion of their personal data, subject to legal retention requirements
  • Right of portability: Receive their data in a machine-readable format to transfer to another provider
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Right to restrict processing: Request that processing be limited in certain circumstances

Response deadline: You must respond to data subject requests within 30 days. Failure to respond within this timeframe is a PDPL violation.

This is one of the most operationally demanding aspects of PDPL. You need a system to receive, track, and respond to these requests within the legal deadline. Imtisal's DSR portal handles this automatically.


6. Penalties for non-compliance

PDPL enforcement follows a graduated penalty structure:

  • Formal warning: For minor or first-time violations
  • Up to SAR 1,000,000: For disclosure of sensitive personal data without consent
  • Up to SAR 3,000,000: For cross-border data transfers without authorization
  • Up to SAR 5,000,000: For severe or repeated violations; violations involving sensitive data categories
  • Criminal prosecution: For intentional breaches involving sensitive data — up to 2 years imprisonment and SAR 3,000,000 fine

In practice, SDAIA has been escalating enforcement. After a relatively quiet 2023, 48 enforcement actions were taken in 2025, with fines averaging SAR 200,000 per case. Large enterprises are the primary targets, but SMEs are increasingly receiving warnings and fines.

The cost of non-compliance is vastly higher than the cost of a compliance platform. One enforcement action can cost more than years of Imtisal subscription fees.

7. Step-by-step compliance checklist

Here is a practical 10-step PDPL compliance checklist for Saudi SMEs:

  • Map your data: List all personal data you collect (customer names, emails, phones, purchase history, employee data)
  • Establish lawful basis: Document the legal basis for each processing activity (consent, contract, legal obligation, legitimate interest)
  • Create an Arabic privacy policy: Write a clear, accessible privacy policy in Arabic and publish it on your website
  • Set up consent flows: Add opt-in checkboxes to contact forms, WhatsApp marketing lists, and email sign-ups
  • Create a DSR process: Set up a system to receive and respond to data access, deletion, and correction requests within 30 days
  • Appoint a DPO (if needed): Businesses processing large volumes of sensitive data should appoint a Data Protection Officer
  • Build a breach response plan: Document what you will do if a data breach occurs, including SDAIA notification within 72 hours
  • Create a Record of Processing Activities (RoPA): Document all data processing activities, their purposes, and retention periods
  • Audit third-party processors: Ensure your cloud providers, payment processors, and CRM platforms comply with PDPL
  • Train your team: Ensure staff who handle personal data understand their PDPL obligations


8. How Imtisal handles PDPL for you

Each obligation above corresponds to a feature in Imtisal's PDPL module:

  • Privacy policy generator: AI generates a customized Arabic privacy policy based on 10 questions about your business — ready to publish immediately
  • Consent management: Embeddable consent forms and consent record-keeping, tracking who agreed to what and when
  • DSR portal: Automated data subject request intake, assignment, tracking, and 30-day deadline countdown
  • Breach notification workflow: Step-by-step guided process with 72-hour SDAIA countdown timer and notification template
  • RoPA generation: Auto-generated Record of Processing Activities based on your business profile
  • Marketing compliance checker: Upload your WhatsApp/SMS/email marketing list — Imtisal identifies contacts without valid consent
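The consent record-keeping, marketing-list check and deadline tracking described above, as an added illustration (not Imtisal's code): a per-channel consent ledger with constructed sample records, a check that drops contacts whose opt-in is missing or withdrawn, and the 30-day DSR and 72-hour SDAIA deadlines computed from the dates in this guide.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional


@dataclass
class Consent:
    """One explicit opt-in for one contact on one channel (whatsapp, sms or email)."""
    contact: str                      # phone number or e-mail as it appears on the marketing list
    channel: str                      # consent is per channel: SMS opt-in does not cover WhatsApp
    given_at: datetime                # when the opt-in was recorded
    withdrawn_at: Optional[datetime] = None   # set when the person objects or opts out


# Constructed sample ledger; real records would come from your consent store.
CONSENT_LEDGER: List[Consent] = [
    Consent("+9665000000001", "whatsapp", datetime(2025, 11, 3, 10, 15)),
    Consent("+9665000000002", "sms", datetime(2025, 9, 1, 9, 0),
            withdrawn_at=datetime(2026, 1, 20, 14, 0)),          # objected in January
    Consent("a@example.com", "email", datetime(2026, 2, 5, 12, 30)),
    Consent("+9665000000003", "email", datetime(2026, 2, 5, 12, 30)),  # email only
]


def has_valid_consent(ledger: List[Consent], contact: str, channel: str, at: datetime) -> bool:
    """True only if an opt-in for this exact channel existed at `at` and was not withdrawn before it."""
    for c in ledger:
        if c.contact == contact and c.channel == channel and c.given_at <= at:
            if c.withdrawn_at is None or c.withdrawn_at > at:
                return True
    return False


def contacts_without_consent(ledger: List[Consent], marketing_list: List[str],
                             channel: str, at: datetime) -> List[str]:
    """Contacts that must be removed from a campaign on `channel` before it is sent."""
    return [x for x in marketing_list if not has_valid_consent(ledger, x, channel, at)]


def dsr_deadline(received_on: date) -> date:
    """Last day to answer a data subject request: 30 days from receipt."""
    return received_on + timedelta(days=30)


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify SDAIA: 72 hours from becoming aware of the breach."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    campaign = ["+9665000000001", "+9665000000002", "+9665000000003"]
    print(contacts_without_consent(CONSENT_LEDGER, campaign, "whatsapp", datetime(2026, 3, 1)))
    print(dsr_deadline(date(2026, 4, 1)), breach_notification_deadline(datetime(2026, 4, 1, 9, 0)))
```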

9. Frequently asked questions

I'm a small business. Does PDPL really apply to me?

Yes. PDPL has no SME exemption. If you collect customer data — even just names and phone numbers — you are subject to PDPL. The law applies to all entities, regardless of size.

My business is a physical store. Do I need to worry about PDPL?

If you collect customer contact details, use loyalty programs, have a WhatsApp business number, or use CCTV — yes, PDPL applies to you.

We use a Saudi cloud provider. Are we automatically compliant?

No. Using a Saudi cloud provider satisfies the data residency aspect, but you still need to comply with all other PDPL requirements (privacy policy, consent, breach notification, DSR handling, etc.).

Do I need to translate my privacy policy into Arabic?

Yes. PDPL requires that privacy notices be in Arabic. You may also provide an English version, but Arabic is the legally binding language.

What is a Data Protection Officer (DPO) and do I need one?

A DPO is responsible for overseeing PDPL compliance. PDPL requires appointing a DPO if you process large volumes of personal data or process sensitive data categories. Most SMEs do not need a full-time DPO, but should designate a responsible person. Imtisal can serve as your compliance system of record.

How do I handle a customer asking to delete their data?

You must respond within 30 days. You can refuse deletion only if there is a legal obligation to retain the data (e.g., ZATCA invoice records). Imtisal's DSR portal guides you through the process.

Does PDPL apply to employee data?

Yes. Employee personal data is subject to PDPL. Employment contracts, payroll data, HR records — all must be processed in compliance with PDPL principles.

Can I use international cloud providers like AWS or Google Cloud?

PDPL requires approval from the competent Saudi authority for cross-border data transfers. Some international providers with Saudi data centers (like Google Cloud me-central2 in Dammam) can satisfy data residency requirements.

What should I do if I receive an SDAIA inspection notice?

Do not panic. Gather your privacy policy, consent records, processing activities log, and breach response plan. With Imtisal, all of these are available instantly as a downloadable audit package. Contact legal counsel for support.