Saudi Arabia New Draft Data Protection Amendments: Overview and Business Implications

Written by Giulia Interesse

Saudi Arabia is advancing its data protection regime through two complementary drafts: amendments to the PDPL Implementing Regulations and new controls for service providers in the data sector. Together, these frameworks aim to enhance compliance, professionalize support services, and strengthen accountability across the data economy.

Saudi Arabia is accelerating its transformation into a data-driven economy, and regulatory developments are keeping pace. In late April 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) released two significant draft documents that, together, signal a shift toward a more structured and expansive data protection framework. These are: proposed amendments to the Implementing Regulations of the Personal Data Protection Law (hereinafter, the “Implementing Regulations”) and a new set of Draft Controls Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection (hereinafter, the “Draft Controls” or “Controls”).

Both drafts are currently open for public consultation and reflect SDAIA’s intention to refine compliance requirements while expanding regulatory oversight across the Kingdom’s digital landscape. While the amendments aim to clarify internal data processing obligations for businesses, the newly introduced Controls focus on regulating external actors, such as consultants, training providers, and event organizers, who operate within the data protection sector.

Taken together, these developments not only elevate the importance of data protection compliance but also broaden the regulatory perimeter to include those shaping and supporting the ecosystem. As the Kingdom positions itself as a regional hub for digital innovation under Vision 2030, companies—whether data processors or service providers—must now prepare for more rigorous oversight and rapidly evolving standards.

Key amendments to the Implementing Regulations

The proposed amendments to the Implementing Regulations introduce a series of revisions that are both structural and substantive. While the draft maintains the core principles of the PDPL, it introduces clarifications, omissions, and procedural refinements that organizations operating in the Kingdom must closely examine.

The changes reflect SDAIA’s intent to align domestic regulations more closely with global data protection standards while also addressing practical challenges encountered since the law’s enactment.

Revisions to definitions

Two notable deletions stand out: the removal of the definitions for Direct Marketing and Personal Data Breach. These omissions introduce a degree of legal ambiguity that may complicate compliance in the short term. For example, without a codified definition of direct marketing, companies must now interpret the term in light of broader legal principles and evolving enforcement guidance. This could expose organizations to compliance risks if their marketing practices are later found to fall within undefined regulatory boundaries.

Similarly, the removal of a clear definition of personal data breach, coupled with edited references to it throughout the regulation, may require companies to adopt more conservative incident response protocols. While the existing Personal Data Breach Incidents Procedural Guide remains a useful reference, the regulation's lack of definitional clarity means that organizations will need to make judgment calls on what constitutes a reportable breach until further guidance is issued.

Enhanced data subject rights and communication standards

The amendments strengthen the framework around data subject rights, with a particular focus on accessibility and clarity. For instance, Article 4 has been amended to require that information be provided in simplified language when data subjects lack full or partial legal capacity. This underscores the law’s commitment to inclusive data practices and obliges businesses to tailor communications accordingly.

In addition, Article 6 now explicitly guarantees the right to receive personal data in a readable format. This change, while seemingly technical, has operational implications: businesses must ensure that their systems can export personal data in accessible formats, potentially requiring new data structuring processes and interface adjustments.

A new article, Article 18 Repeated, further mandates that privacy policies must be clear and comprehensible, moving beyond formality and placing a substantive burden on companies to draft policies that are not only compliant but also user-centric.

Consent and marketing

Amendments to Articles 28 and 29 tighten the requirements for obtaining and managing consent related to marketing communications. In particular, they mandate that consent for receiving advertising or awareness materials must be documented and that data subjects must be able to withdraw consent easily.

The regulation also introduces mechanisms for halting the receipt of direct marketing content. These additions reinforce the principle of data subject control and signal SDAIA’s increasing scrutiny of marketing practices, especially where automated or digital outreach is concerned.

A more defined role for the Personal Data Protection Officer (PDPO)

Article 32 now includes detailed responsibilities for the PDPO, aligning the position more closely with global counterparts such as the Data Protection Officer (DPO) role under the EU GDPR. The PDPO is tasked with monitoring internal compliance, acting as a point of contact with the authority, handling data breach incidents, and overseeing data protection impact assessments (DPIAs).

These clarifications are expected to elevate the strategic importance of the PDPO role within organizations. Companies will need to ensure that appointed individuals possess the requisite expertise and authority to meet these expanded duties, reinforcing internal accountability for data protection.

Record-keeping, registration, and complaint handling streamlined

Article 33 introduces revisions on record-keeping practices, including clearer expectations around the retention period for processing records and the accuracy of such documentation. Meanwhile, Article 34 outlines new mandatory registration requirements for entities listed in the National Register of Controllers, particularly those transferring data outside the Kingdom or processing data on behalf of public entities.

Complaint handling procedures, detailed in Articles 36 and 37, have also been refined to improve efficiency. Revisions include streamlined submission processes and stricter timelines for official responses.

Enforcement and legal certainty

Lastly, Article 38 now specifies that the amended regulations will enter into force upon publication in the Official Gazette and on SDAIA’s website. This adjustment helps ensure legal certainty by anchoring the effective date to clearly defined publication channels, enabling businesses to plan implementation timelines with greater confidence.

New Controls for service providers in the Saudi Arabian data sector

In tandem with the proposed amendments to the Implementing Regulations, SDAIA has released a second draft document that targets an adjacent but distinct regulatory gap: the oversight of commercial, professional, and non-profit entities offering services related to personal data protection. These new Controls aim to formalize participation in the data compliance ecosystem, ensuring that those who support or profit from the data protection landscape operate within a regulated framework.

This development reflects a maturing data governance environment in Saudi Arabia—one where not only data controllers and processors are subject to oversight, but also the broader constellation of actors facilitating compliance, education, and awareness.

Definitions and scope

The draft introduces clear definitions for key actors, including Licensees, Permit Holders, Supervising Entities, and the National Data Governance Platform. The Controls apply to entities engaged in:

  • Consultancy services on data protection;
  • Technical and vocational training;
  • Provision of technical solutions;
  • Organization of events such as seminars, conferences, and workshops.

General requirements

All service providers must register on the National Data Governance Platform, creating a centralized point of oversight. This requirement promotes transparency, enables auditability, and ensures that SDAIA maintains visibility over actors shaping the regulatory landscape.

Additionally, providers must disclose any history of violations or investigations related to data protection. This measure seeks to weed out bad actors and reinforce trust in the ecosystem, particularly for organizations seeking reliable compliance partners.

Sector-specific conditions

Each category of service is subject to specific requirements:

  • Consultancy services: Firms must demonstrate alignment with PDPL standards and retain records of their processes and practices. This ensures that advice offered to clients is grounded in legally compliant procedures.
  • Training and certification: Providers must employ qualified trainers, submit relevant documentation, and obtain prior approval from SDAIA. This marks a significant step toward standardizing educational offerings in the data protection space.
  • Technical services: Vendors offering tools or platforms must show that their solutions meet PDPL requirements. They must also conduct self-assessments, indicating a proactive approach to compliance and risk management.
  • Public awareness events: Organizers of events must ensure that content complies with applicable laws and that all speakers are appropriately qualified. Prior approval from SDAIA is also required, signaling tighter control over public-facing discourse on data issues.

Oversight, suspension, and review

The draft empowers SDAIA to suspend any activities if violations are identified or if investigations are pending. This reinforces SDAIA’s role not only as a regulator but also as an enforcer capable of quickly responding to emerging risks.

Additionally, all registered entities will be listed in a National Register, fostering both transparency and reputational accountability.

Notably, the Controls are not static. SDAIA has committed to periodic reviews and updates, taking into account stakeholder feedback and sectoral developments. This approach ensures that the regulatory framework remains responsive and future-proof.

Effective date and implications

The Controls will come into effect upon publication in the Official Gazette, providing legal certainty for all covered entities. Organizations intending to operate in this space—whether as advisors, trainers, vendors, or event hosts—should begin reviewing the draft requirements and preparing for compliance as early as possible.

Interplay between the two drafts

The two draft documents released by SDAIA should not be viewed in isolation. Rather, they form complementary components of a broader compliance architecture that reflects the Kingdom’s evolving regulatory priorities.

The Implementing Regulations focus inward, refining how organizations manage personal data within their own operations. These changes affect a company’s internal governance, obligations to data subjects, and appointment of key roles such as the PDPO.

Conversely, the newly proposed Controls expand the regulatory perimeter outward, capturing businesses and professionals whose activities support, advise, or promote personal data protection. From consultants and training providers to vendors of technical solutions and organizers of awareness events, a wide array of actors must now meet SDAIA-defined standards before engaging with the data sector.

Taken together, these two instruments represent a dual-pronged approach: bolstering internal compliance within organizations while simultaneously imposing external oversight on the ecosystem of service providers that enable compliance. The result is a more comprehensive, layered, and accountable data protection framework, raising the bar for operational readiness, sectoral competence, and market trust.

Strategic recommendations for stakeholders

With both drafts now open for public consultation, stakeholders across the Kingdom’s digital and data economy should take immediate action. The window for shaping these regulations remains open—but not for long. Below are recommended steps for organizations aiming to remain ahead of the regulatory curve:

  • Engage with public consultations: Participating in the consultation process offers an opportunity to shape the final regulations.
  • Conduct an internal readiness assessment: Organizations should review and update their data handling policies, consent mechanisms, and incident response protocols in line with the proposed amendments.
  • Evaluate external service provider compliance: Firms that rely on external advisors, technical tools, or trainers should verify that these providers are qualified, registered, and in compliance with the proposed Controls. Risk exposure increases if partners operate outside the forthcoming legal framework.
  • Strengthen PDPO functions and training: The expanded role of the PDPO necessitates greater internal expertise, clearer reporting lines, and increased operational independence. Organizations should invest in building robust capabilities around this position—ensuring that the PDPO is equipped to manage compliance, liaise with the Competent Authority, and oversee risk assessments.
  • Prepare for immediate enforcement: Both draft documents specify that they will take effect upon publication in the Official Gazette. This means enforcement may begin with little lead time, making early compliance planning essential.

About Us

Middle East Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Dubai (UAE), China, India, Vietnam, Singapore, Indonesia, Italy, Germany, and USA. We also have partner firms in Malaysia, Bangladesh, the Philippines, Thailand, and Australia.

