Enforcement of the Saudi Personal Data Protection Law is live: Are you ready?

Saudi Arabia has entered an active enforcement phase for data protection. Dozens of PDPL enforcement decisions have issued across multiple sectors. Businesses now have as little as five days to respond once notified of an indictment. Procedural missteps, lack of authorisation, or incomplete records can materially increase exposure. Early PDPL enforcement readiness is now a commercial necessity, not a compliance exercise.

Introduction

Saudi Arabia’s Personal Data Protection Law (PDPL) has been fully enforceable since 14 September 2024, with enforcement activity currently accelerating. Enforcement is no longer theoretical. 

As of mid January 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) has announced that 48 enforcement decisions have issued, and businesses across multiple sectors are now receiving formal notifications, investigations, and indictments. 

If your organisation operates in, or targets, Saudi Arabia, proactive PDPL enforcement readiness is now essential, and early preparation is critical to protecting your regulatory and commercial position.

What is happening now

Most PDPL violations are reviewed by specialised the Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law and its Implementing Regulations. These Committees are governed by Rules of Procedure issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), which set out the powers of the Committee, and the procedures for their receipt of complaints, administration of meetings, the issuance and enforcement of their decisions. 

Under the Rules, the Committees have wide powers and may:

• issue warnings;
• impose fines of up to SAR 5 million (which may be doubled for repeat violations); and
• require publication of final penalties.

Saudi PDPL enforcement has clearly shifted from guidance to active regulatory action, with strict procedural expectations placed on organisations from the moment they are notified.

Why businesses underestimate PDPL enforcement

Many organisations assume PDPL enforcement will begin with informal engagement or extended correspondence. In practice, SDAIA investigations are conducted through a formal, committee led process with short statutory deadlines, electronic proceedings, and broad powers to obtain documents, data, and explanations.

Businesses are often caught unprepared by the speed of proceedings, the need for immediate authorised representation, and the expectation that internal records and decisions can be produced on demand. By the time legal advisors are engaged, critical procedural opportunities may already have been missed.

Why PDPL enforcement preparation matters

Committee proceedings are managed through an electronic platform, meaning internal delays or approval bottlenecks are immediately visible and recorded.

Once an entity is notified of an alleged violation, it has only five (5) days to submit its response.

Access to the statement of claim is not automatic. A duly authorised representative must first upload proof of authority through the platform, and access is only granted once approved. Any delay, unclear internal authority, or incomplete records can materially weaken a business’s position.

What may be required by the Committees

Under the Rules, PDPL enforcement is conducted by independent, multi disciplinary Committees appointed for fixed terms with both technical and legal expertise. 

Committees have wide powers, and may summon parties, request information from any person or entity, access confidential data and records, and appoint technical or legal experts where necessary. Proceedings are conducted primarily through an electronic platform, and failures to respond or cooperate within prescribed timeframes are formally recorded and may adversely affect a business’s position.

During the proceedings, Committees may:

• request information, documents, and internal records within strict deadlines;
• require written responses or attendance at hearings (including virtually); and 
• review confidential data and obtain expert input where necessary. 

Strict deadlines apply throughout the process, including:

• Response to notification from SDAIA: 5 days
• Notification of Committee decision: within 15 days of issuance
• Appeal before the competent court: 60 days from notification

How businesses should prepare for PDPL enforcement

Given the above, businesses must proactively focus on advance preparation rather than reactive response, including by focusing on five key areas:

• PDPL compliance reviews: Regularly assess processing activities, security measures, and governance arrangements to identify and close compliance gaps. See some key essential insights on PDPL compliance here.
• Breach response: Maintain and test a personal data breach response plan, including statutory notification obligations to SDAIA and data subjects.
• Data subject requests: Implement clear procedures to handle data subject requests and meet statutory deadlines, to mitigate the risk of complaints.
• Enforcement readiness: Establish internal protocols for responding to investigations, complaints, and indictments under the PDPL framework.
• Authorisation and platform access: Ensure a valid power of attorney is in place and that authorised representatives have platform access before any notification is received.

Why legal support is critical

While many readiness steps are operational, early legal involvement is essential to assess exposure, manage deadlines, engage effectively with SDAIA and the Committees, and reduce enforcement and reputational risk.

If you would like to discuss PDPL compliance reviews, enforcement preparedness, or responding to SDAIA communications, please contact Lamisse Bajunaid.

Our dedicated Doing Business in Saudi Arabia Hub helps businesses stay informed and understand the latest developments and opportunities.