
Compliance Briefing — September 7, 2023

Saudi Arabia’s Data & AI Authority issued the implementing regulations for the Personal Data Protection Law, detailing consent, localization, and breach-notification controls ahead of the law’s September 2024 enforcement.

Executive briefing: On September 7, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) released the Implementing Regulations for the Kingdom’s Personal Data Protection Law (PDPL). The regulations clarify consent requirements, data subject rights, cross-border transfer conditions, breach reporting, and Significant Data Controller obligations in advance of the PDPL’s full enforcement in September 2024.

Immediate compliance priorities

  • Consent governance. Align consent collection, withdrawal, and record-keeping with the regulations’ explicit requirements, including parental approvals for minors.
  • Data localization and transfers. Assess whether personal data must remain in the Kingdom or qualifies for approved cross-border transfer mechanisms, documenting risk assessments submitted to SDAIA when necessary.
  • Breach notification. Update incident response plans to notify SDAIA and impacted individuals within the mandated timelines and formats.

Control alignment

  • Governance. Designate data protection officers for Significant Data Controllers and establish oversight committees to monitor compliance programmes.
  • Third-party management. Refresh service agreements to address sub-processing approvals, localization obligations, and audit rights aligned to the regulations.
  • Rights operations. Implement workflows for access, correction, deletion, and complaints, including verification procedures and response logs.

Enablement moves

  • Conduct readiness assessments mapping regulatory clauses to existing PDPL control inventories and remediation actions.
  • Deploy data-mapping tools capturing systems, locations, and transfer routes affecting Saudi personal data.
  • Engage industry associations to track SDAIA guidance on certification schemes and cross-border permit applications.

Zeph Tech assists Gulf-based organisations with PDPL compliance programmes spanning consent architecture, localization strategies, and regulator engagement.
