Saudi Privacy Law Shows Progress Toward Robust Protections, Consultant Says
The first year of Saudi Arabia's Personal Data Protection Law (PDPL) showed "significant progress" in "establishing a robust data protection framework," data management consultant Abdulaziz Almanea wrote in an IAPP analysis.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Although fully in effect, the law's regulations are being implemented in stages, Almanea noted.
Until all the law's requirements "are finalized and publicly issued," Almanea said, "organizations and data handlers remain in a state of regulatory uncertainty."
However, refinement of the implementing regulations and recent clarifications on marketing, consent, recordkeeping and data protection officer responsibilities "show a clear commitment to balancing regulatory oversight with operational clarity for organizations."
There have been several early enforcement actions, but without fines, Almanea noted. Nevertheless, they signal that compliance is being taken seriously and the law's principle of progressive penalties will guide future enforcement. They also recognize that the regulatory framework and the market "are still maturing and that applying the principle of progressive penalties is a prudent approach."
The PDPL is a strategic foundation for Saudi Arabia's digital transformation and will align it with international data protection standards, Almanea wrote.
The measure became fully enforceable Sept. 14, 2024. It applies to all entities, whether inside or outside the kingdom, that process the personal data of Saudis, and it also extends to people who collect the personal data of others. "Uniquely, the law safeguards privacy not only during a person's lifetime but also after their death."