Organizations should prioritize compliance efforts in light of mounting regulatory scrutiny and potential fines.
By Brian A. Meenagh, Danielle van der Merwe, and Faisal Imam*
The Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) is now firmly in its active enforcement phase. The one-year grace period granted to organizations to achieve compliance ended on September 14, 2024, and the Saudi Data and Artificial Intelligence Authority (SDAIA) has moved from awareness-building and guidance to regulatory action. Businesses operating in, or processing personal data of individuals in, Saudi Arabia must treat PDPL compliance as a top priority.
Enforcement Is Here: 48 Decisions and Counting
In early 2026, SDAIA announced via its official channels that it had issued 48 decisions over the past year against organizations found in violation of the PDPL. PDPL violations are pursued through the Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law and Its Implementing Regulations (the Committees), which are formed under the PDPL and governed by separate rules of procedure.
The Committees are appointed by the president of SDAIA and include both legal and technical members. They operate independently but are organizationally linked to SDAIA. The Committees have the authority to: (i) issue warnings; (ii) impose fines of up to SAR 5 million (approximately $1.33 million), which may be doubled for repeat violations; and (iii) order publication of final penalties.
Proceedings are largely electronic and rule-bound: once an indictment is registered, the respondent has only five days from notification to respond; the Secretariat must notify parties of the Committees’ decision within 15 days of its approval; and parties then have 60 days from notification to appeal. In practice, these short deadlines leave little room for internal approval delays, unclear authority, or missing records, and failures to respond or cooperate within the prescribed timeframes may be formally recorded and may adversely affect the organization’s position.
What Enforcement Looks Like in Practice
Proceedings are conducted through an electronic platform, and access to the statement of claim is not automatic. A duly authorized representative must first upload proof of authority (such as a power of attorney for lawyers acting on the company’s behalf), and access is only granted once this is approved. The Committees may also request information and internal records within strict deadlines, require written responses or attendance at hearings, and review confidential data.
International Reach: SDAIA Looking Beyond KSA Borders
Beyond formal enforcement actions, SDAIA is also taking an active interest in international companies that process personal data of individuals in Saudi Arabia. The PDPL applies extraterritorially to any entity processing personal data of individuals in Saudi Arabia, regardless of where that entity is based.
What Businesses Should Do Now
With 48 enforcement decisions already on record, PDPL readiness needs to be both substantive and procedural.
On the substantive side, organizations should map all personal data processing relating to individuals in the Kingdom (including cross-border transfers); implement PDPL controls on collection, legal bases, consent, data minimization, security measures, and retention; and put in place procedures to meet data subject rights within statutory timeframes. Where required, organizations need to register as data controllers, and a data protection officer should be appointed and registered. Breach-response plans must be designed and tested, bearing in mind that the 72-hour notification deadline runs continuously, including over weekends and holidays.
On the procedural side, given the tight timelines for responding to enforcement actions, organizations should put in place enforcement-readiness infrastructure. This means identifying who will act as the organization’s authorized representative in PDPL proceedings, preparing a PDPL-specific power of attorney that covers representation before SDAIA and the Committees, testing access to SDAIA’s electronic platforms, and establishing internal escalation paths so that any notification from SDAIA is immediately routed to the right decision-makers. For international businesses in particular, inboxes and contact points listed in privacy notices must be actively monitored by staff trained to recognize and triage communications from the regulator within the prescribed timelines.
A combination of robust privacy compliance and advance enforcement planning is now a baseline risk-management requirement for any business processing the personal data of individuals in Saudi Arabia.
*Admitted to practice in England and Wales only.
