A Case for Early Compliance with KSA’s Personal Data Protection Law
Written by James Beriker, Founder & CEO at Pyxos
GDPR teaches us that Saudi companies that comply early will avoid business disruption, reputational damage, and fines
Introduction: A Law You Can’t Ignore
The Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) is now fully enforceable—and the more than 1.6M registered companies in KSA must now comply with the law or be subject to its penalties, including up to 5M SAR in fines and up to 2 years imprisonment. Companies that take steps to comply with PDPL before enforcement begins will insulate themselves from early penalties and reputational damage, reduce operational risk, avoid the cost of last-minute remediation, and strengthen customer trust and brand reputation—and enable the ongoing use of customer data to drive engagement and growth.
SDAIA Is Ready. Are You?
After a one-year grace period following its enactment on September 14, 2023, PDPL became fully enforceable on September 14, 2024. The Saudi Data & Artificial Intelligence Authority (SDAIA), the PDPL enforcement authority, is expected to fully enforce the law in order to meet the Vision 2030 goal of full compliance. Although no penalties have been issued as of this writing, SDAIA has clearly signaled its readiness to enforce the law by publishing a comprehensive set of regulatory updates clarifying the law—mirroring the approach taken in the EU in the 12 months prior to enforcement. These updates from SDAIA include the Executive Regulations, also known as the “Implementing Regulations”, the Regulation on Personal Data Transfer Outside the Kingdom, the Standard Contractual Clauses (SCCs) for Personal Data Transfers, the Guidelines for Binding Corporate Rules (BCRs), the Rules for Appointing a Personal Data Protection Officer (DPO), and the Rules Governing the National Register of Controllers. Together, these regulations establish the legal, technical, and operational framework necessary for organizations to comply—and for SDAIA to begin regulatory action.
PDPL, modeled on the EU’s General Data Protection Regulation (GDPR), establishes rights for individuals (“data subjects”) and obligations for organizations (“data controllers” and “data processors”) relating to the collection and processing of the personal data of Saudi citizens. Like the GDPR, the law has extraterritorial reach, covering the processing of personal data of Saudi citizens by entities located outside the Kingdom. In practice, any public or private company anywhere in the world that processes the personal data of Saudi citizens must comply with PDPL.
Why PDPL Matters to Saudi Arabia’s Future
The Kingdom enacted PDPL as part of its Vision 2030 strategy to transform the country into a digital, trust-based economy. Unlike all other developed economies, the Kingdom has never had any comprehensive regulatory framework to ensure the privacy of personal information. By establishing clear rules for how personal data is collected, used, and protected, PDPL builds public trust in digital services, aligns Saudi Arabia with global data protection standards, and promotes foreign investment. It also empowers individuals with greater control over their data, supports innovation in sectors like AI and cloud computing, and strengthens both public and private sector accountability. Ultimately, PDPL lays the legal and ethical foundation for a modern, data-driven society at the heart of Vision 2030.
Waiting Can Be Risky
I frequently speak with digital transformation experts, consultants, and company compliance leaders and executives in the Kingdom. I can say with confidence that there is little to no understanding of the requirements of PDPL; and, six months after the law became enforceable, the vast majority of enterprises in KSA have not started the process of becoming compliant with the new law. This is somewhat puzzling to me, perhaps because I am a business attorney by training and understand the importance of companies complying with national laws—but also because I know Saudi Arabia to be a country that is relatively risk averse and respects the role of government and the rule of law. Notwithstanding this, I hear, over and over again, how companies will only work towards compliance “once it becomes a problem” or “once the government starts enforcing the law.” For me, this is tantamount to “playing chicken” with the government; not something that any of us should do, especially not in Saudi Arabia.
The lack of understanding of the objectives and requirements of the law, combined with this “wait and see” posture, is putting the majority of Saudi businesses at significant legal and financial risk.
A Lesson From The GDPR Rollout
In the European Union, the enforcement of GDPR offers important lessons to Saudi business leaders: a period of leniency will be followed by very aggressive enforcement within one year following the expiration of the grace period. Even if SDAIA’s initial posture is cooperative, there is now little confusion as to the requirements of the law and a robust penalty framework is in place. Companies that willfully ignore PDPL or significantly violate individuals’ privacy rights can expect SDAIA to eventually make use of its punitive powers to drive compliance much as European regulators did under GDPR.
GDPR Enforcement: A Cautionary Tale
To understand what lies ahead under PDPL, Saudi business leaders need only look at the history of GDPR enforcement. When GDPR took effect in 2018, many companies were unprepared—surveys found that only about 20% of EU enterprises were fully compliant in the first year. Regulators initially gave warnings and issued smaller fines, but then ramped up enforcement activities to make examples of non-compliant firms and force broad-based compliance. By 2021, GDPR penalties had accelerated dramatically, with authorities issuing frequent and heavy fines to small and large enterprises to drive compliance with the law.
The figure below illustrates how the number of GDPR fines per month climbed aggressively after mid-2019, peaking in 2021–2022 as European regulators grew more confident and aggressive in their enforcement activities. Companies that assumed regulators would remain lenient were caught off guard and scrambled to become compliant.
Image credit: Milken Institute
This trajectory—a slow start followed by a sharp rise in enforcement—provides a cautionary tale for Saudi Arabia. Saudi regulators are likely to follow a similar path. While SDAIA’s early stance may seem collaborative and focused on education, businesses should not mistake this for long-term leniency. SDAIA has provided more than adequate notice and comprehensive guidance to companies. The PDPL’s legal and regulatory framework already includes a comprehensive and robust penalty structure, enabling SDAIA to impose significant fines and sanctions for violations at any time.
The lesson from Europe is clear: Companies that willfully neglect their obligations under PDPL, or that engage in egregious breaches of individuals’ privacy rights, can reasonably expect that SDAIA will—eventually and decisively—exercise its full enforcement powers.
The Time to Act is Now
PDPL is a foundational pillar of Saudi Arabia’s transformation into a modern, digital economy. For companies operating in the Kingdom, compliance is not optional—it is a legal and strategic imperative. Those that delay will face not only legal and financial consequences, but also risk losing customer trust, damaging their reputations, and falling behind in an increasingly competitive and accelerating market. Companies cannot ignore the lessons from GDPR. By moving quickly to align with PDPL, companies will position themselves as trusted organizations that are ready for the future—able to innovate and thrive in a data-driven economy. The message is clear: PDPL is here to stay, enforcement is coming, and waiting is not an option.
James is the co-founder and CEO of pyxos.ai, a data privacy compliance software platform incubated by the TONOMUS Venture Studio at NEOM. Pyxos provides hands-on services to help KSA entities develop and implement the policies, systems, and operating processes to achieve initial compliance with PDPL, and provides a gen-AI-enabled solution to streamline and automate ongoing data privacy compliance. The company is based in Riyadh, Saudi Arabia. James can be reached at james@pyxos.ai.