Privacy and data protection is becoming one of the most critical issues of an era that is characterized by the technological revolution and a paradigm shift in our interaction with each other and the digital world in general. Data protection is an essential element in protecting the rights of individuals, which is intrinsically tied to the Human Rights of Individuals. Privacy and data protection are not just the responsibility of a nation state, but the onus to have a robust privacy structure is the responsibility of organizations too. Several national laws to safeguard citizens’ privacy ights and the practical application of data protection rules in day-to-day businesses have been modelled after the European regime of data protection and privacy regulations. So, it is crucial to consider the Kingdom of Saudi Arabia’s new rules in light of the General Data Protection Regulation (GDPR). The cornerstone for the law’s effective implementation and operation in Saudi Arabia will be its main considerations, principles, and requirements.


The KSA’s New Personal Data Protection Law designed to systematically protect “personal data” of individuals. After a period of 180 from the date of publication, the law will come into effect on 23 March 2022., and thus data controllers would have to ensure compliance to the law. Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. Saudi Data & Artificial Intelligence Authority (“SDAIA”) will be coordinating with the Central bank and other Information Technology ministries for the implementation of PDPL.On September 24, 2021, the PDPL was released in the Saudi Arabian Official Gazette. It goes into effect in full on March 23, 2022. After that, Data Controllers have an additional year to comply with the PDPL, though this time frame may be extended. The PDPL will be supplemented by rules, which must be published by 23 March 2022 and will probably give more context and direction for the PDPL’s actual use.

The Kingdom of Saudi Arabia (KSA) passed its Personal Data Protection Law (PDPL) in 2019, which came into effect on March 4, 2020. The PDPL is designed to protect the privacy and personal data of individuals within the country, and it applies to any person or organization that processes personal data in KSA, regardless of where they are located.

Some of the key provisions of the PDPL include:

Definition of Personal Data: The PDPL defines personal data as any information that can be used to identify a natural person, directly or indirectly.

Lawful Basis for Processing: Personal data can only be processed if there is a lawful basis for doing so, such as with the individual’s consent or for the performance of a contract.

Data Subject Rights: Individuals have the right to access, rectify, erase, and object to the processing of their personal data, as well as the right to data portability.

Data Protection Officer (DPO): Organizations that process personal data on a large scale or process sensitive personal data must appoint a DPO to oversee data protection.

Data Breach Notification: Organizations must notify the Saudi Data and Artificial Intelligence Authority (SDAIA) of any data breaches within 72 hours.

Click Here : KSA’s Personal Data Protection Law