Engineering for Saudi PDPL: What KSA Customers Now Demand
Compliance
Saudi Arabia's Personal Data Protection Law became enforceable in March 2023 with a one-year grace period that ended in 2024. For SaaS firms serving KSA, the engineering implications are concrete and immediate.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 19, 2024 · 7 min read
The Saudi Personal Data Protection Law (PDPL) took effect on 14 March 2023, with full enforcement starting 14 March 2024 after the one-year grace period. SDAIA, the Saudi Data and AI Authority, is the regulator. For any SaaS company with KSA customers, the law is no longer a sales objection to deflect. It is a procurement gate and a real engineering workstream.
Who PDPL applies to
The law applies to processing of personal data of Saudi residents, including by entities outside the Kingdom. The extraterritorial scope mirrors GDPR Article 3. If you sell to a Saudi bank, telecom, or government entity, you are in scope regardless of where your servers run. The 2023 Implementing Regulations narrowed some interpretations but kept the extraterritorial reach intact.
Data residency posture
PDPL does not impose absolute data localization, but Article 29 restricts cross-border transfers. Transfers are permitted to countries with an adequate level of protection as determined by SDAIA, or under standard contractual clauses, binding corporate rules, or explicit consent. SDAIA has not yet published a public adequacy list, which leaves SCCs as the practical mechanism for most cross-border processing.
Saudi enterprise buyers, especially in banking and government, increasingly demand Saudi region deployment regardless of legal adequacy. AWS Riyadh, Azure Saudi Arabia, Google Cloud Dammam, and Oracle Jeddah regions exist precisely because of this demand. If you are building for KSA enterprise, plan for a Saudi region deployment by end of 2024 or accept that you will lose deals.
Registration with SDAIA
Controllers of personal data must register with SDAIA through the National Data Governance Platform. The threshold for mandatory registration is still being clarified through guidance updates, but data controllers in sensitive sectors (financial, health, telecom, or sensitive personal data at scale) should assume registration is required.
- Appoint a personal data protection officer for sensitive processing
- Maintain an equivalent of a Record of Processing Activities
- Conduct data protection impact assessments for high-risk processing
- Implement breach notification to SDAIA within 72 hours and to affected data subjects without undue delay
- Establish data subject rights workflows for access, correction, deletion, and objection
Sensitive personal data
PDPL defines sensitive personal data more broadly than GDPR. The list includes racial or ethnic origin, religious or political beliefs, criminal records, financial data, health data, biometric data, genetic data, and, crucially, data revealing family origin. Family origin is a uniquely Saudi addition and matters for HRTech and recruitment platforms operating in the Kingdom.
Engineering checklist for SaaS serving KSA
- Map every data flow that touches Saudi resident personal data
- Implement a region tag at the customer account level to drive routing decisions
- Stand up a Saudi region or a regional partner deployment with data residency guarantees
- Update your DPA template with SDAIA-aligned controller-processor terms
- Build a customer-facing data residency dashboard for procurement evidence
- Establish breach response runbooks with 72-hour SDAIA notification timing
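The account-level region tag and the Article 29 transfer rules above combine into a single routing decision. The following is an added illustration, not BIPI's code: region identifiers and store names are constructed, the adequacy set is left empty because SDAIA had published no list at the time of writing, and each decision carries a reason so it can feed the audit trail and the residency dashboard.

```python
"""Region-tag-driven routing with a PDPL cross-border transfer gate (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed region identifiers and store names for the example (not real endpoints).
REGION_STORES = {"ksa": "db-riyadh", "eu": "db-frankfurt", "us": "db-virginia"}
# Home regions whose residents' data may only leave under an Article 29 mechanism.
RESTRICTED_HOME_REGIONS = {"ksa"}
# SDAIA had published no adequacy list when the article was written, so this set
# is empty; populate it only from an official SDAIA decision, never by assumption.
SDAIA_ADEQUATE_REGIONS: frozenset = frozenset()
# Non-adequacy transfer mechanisms named in Article 29.
TRANSFER_BASES = {"scc", "bcr", "explicit_consent"}


@dataclass(frozen=True)
class Account:
    account_id: str
    region: str  # region tag recorded at the customer account level


@dataclass(frozen=True)
class Decision:
    allowed: bool
    store: Optional[str]
    reason: str  # kept for the audit trail and the residency dashboard


def route(account: Account, target_region: str, transfer_basis: Optional[str] = None) -> Decision:
    """Pick the data store for a processing request, refusing transfers without a legal basis."""
    if target_region not in REGION_STORES:
        return Decision(False, None, f"unknown region {target_region!r}")
    home = account.region
    if target_region == home:
        return Decision(True, REGION_STORES[home], "in-region processing, no transfer")
    if home not in RESTRICTED_HOME_REGIONS:
        return Decision(True, REGION_STORES[target_region], f"{home} data is not transfer-restricted")
    if target_region in SDAIA_ADEQUATE_REGIONS:
        return Decision(True, REGION_STORES[target_region], "SDAIA adequacy decision")
    if transfer_basis in TRANSFER_BASES:
        return Decision(True, REGION_STORES[target_region], f"transfer basis: {transfer_basis}")
    return Decision(False, None,
                    f"{home}->{target_region} blocked: no adequacy decision and no SCC/BCR/consent recorded")


if __name__ == "__main__":
    bank = Account("acct-ksa-001", "ksa")  # constructed sample account
    for decision in (route(bank, "ksa"), route(bank, "eu"), route(bank, "eu", "scc")):
        print(decision)
```

Deny is the default for Saudi-tagged data leaving the region; a recorded SCC, BCR or explicit consent is the only thing that flips it, which is the same default procurement teams will ask you to evidence.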
Penalties and enforcement appetite
Penalties under PDPL reach up to 5 million SAR, with criminal penalties for specific violations including unauthorized disclosure of sensitive personal data. SDAIA has been measured in public enforcement so far, but the regulator has been active in private engagements with operators in regulated sectors. Expect more visible enforcement actions through 2024 and 2025 as the grace period fades from memory.