Enforcement of the Saudi Personal Data Protection Law is live: Are you ready?
The Personal Data Protection Law Compliance Verification Form | What steps should organisations take?
-
Market Insight 07 July 2026 07 July 2026
-
Middle East
-
Regulatory movement
-
Technology, Outsourcing & Data
The Saudi Data and Artificial Intelligence Authority (SDAIA) has begun circulating the Personal Data Protection Law (PDPL) Compliance Verification Form to registered controllers.
The form sets out the information and evidence organisations must provide to demonstrate compliance with Saudi Arabia’s Personal Data Protection Law. It covers all key areas of data governance, from how personal data is collected, processed and stored, to the policies, systems and controls in place to protect it.
The form requires organisations to evidence robust governance frameworks, clear legal bases for processing, effective management of third parties, defined retention and destruction practices, and mechanisms to uphold data subject rights. It also addresses cross-border data transfers, incident response, and the appointment of a data protection officer.
Completing this exercise entails a comprehensive assessment, as any identified gaps may expose the business to potential enforcement action, including penalties of up to SAR5 million (approx.1.3 million USD), and in certain cases, criminal liability.
This is why we recommend taking a proactive approach to ensure alignment with regulatory expectations, including organising all records so that they are easily accessible and preparing the responses to the form at an early stage, allowing sufficient time to address any gaps and prepare the necessary documentation to meet applicable deadlines.
If you would like to understand what this means for your organisation, or would benefit from a walk through of the requirements, we would be pleased to arrange a discussion or answer any questions you may have.
For more information about the requirements and the enforcement landscape please check:
End
