The Personal Data Protection Law (PDPL) will be formally effective starting 14 September 2023. With a one-year grace period, granted by the presiding Saudi Data & Artificial Intelligence Authority (SDAIA), this means that businesses will have until 14 September 2024 to fully comply with the provisions of the new law.

This data privacy law is a welcome development as businesses face a growing number of threats and vulnerabilities. In order to protect themselves and their customers, businesses must adhere to the PDPL when collecting, storing, processing, using, and disposing of personal identifiable information. The PDPL will also require businesses to disclose incidents where PII was compromised within a certain timeframe.

This paper aims to provide insight into what businesses in Saudi Arabia can expect over the coming months and years through the observation of the introduction of personal protection laws in other jurisdictions, and in particular GDPR in the European Union in 2018. We hope to help businesses in Saudi Arabia avoid the same pitfalls, penalties and reputational damage they have experienced elsewhere. Furthermore, we will investigate and predict the likely developments in this area over the next three years and more.


Contact us