Recent Amendments to Saudi Arabia’s PDPL: What Businesses Need to Know

Latest Amendments to PDPL Saudi Arabia: What Your Business Should Watch for

The Saudi Data & AI Authority (SDAIA) has recently proposed amendments to the Kingdom of Saudi Arabia’s (KSA) Personal Data Protection Law (PDPL). The third public consultation, held on April 27, 2025, included draft amendments focused on securing personal data through a balanced process. This helps to preserve the rights of data subjects and enhances confidence in services that process personal data. 

The proposed amendments to PDPL Saudi Arabia emphasize better oversight of the processes and controls in the existing versions of the PDPL regulations, for effective enforcement. This blog outlines the key characteristics of these recent draft amendments and the significant changes introduced in the new draft.

Let’s take a look at the major shifts and the operational changes the amendments would bring to the businesses operating in Saudi Arabia.

Why do the PDPL Saudi Arabia Amendments Matter?

Before talking about the amendments in detail, here are the core objectives that the PDPL Saudi Arabia Amendments aim to achieve:

  • Set clear grounds for the processes, procedures, and controls laid out to implement the Saudi PDPL regulations in place.
  • Support enforcement procedures and bodies, and contribute to the primary objectives that secure personal data.
  • Ensure the preservation of the core rights of data subjects and improve confidence in services that include personal data processing activities.

With an emphasis on the significant challenges organizations have faced after the launch of PDPL, amendments have been implemented to address the uncertainty in applying specific obligations in practice.

These include privacy policies, controller registration, process recording, data breach management, and direct marketing. The changes focus on providing practical guidance that enables organizations to clearly and straightforwardly understand expectations. 

Saudi Arabia PDPL Amendments: Major Changes and Key Proposals 

PDPL imposes specific responsibilities on the data administrators, who are the regulatory authorities. Before personal data processing, organizations, i.e., data administrators, should ensure data relevance and accuracy. 

Controlling authorities are also responsible for adhering to data protection principles, such as limited usage, limited collection, data accountability, data security, and limited retention. Let us go through the proposed PDPL amendments that organizations need to fulfill and stay compliant: 

Streamlined Language Requirements As a Privacy Policy Standard

Presently, data controllers are required to customize communications to individuals who lack complete legal capability by offering data in an ‘appropriate language.’ After revision, the new requirement simply states that the Controller shall provide the necessary information in a simplified and appropriate language. This brings more clarity for data subjects, including minors and those who need privacy information to be easily understandable and suitable, not simply translated. Data Controllers should make sure that:

  • An explicit privacy policy exists and is written in comprehensive yet simple language, incorporating different ways of understanding various subject groups. 
  • The language used goes well with the customary language used to provide products and services to the target audience.  

This amendment is significant because it would clarify the ambiguity regarding whether the privacy policy should be translated into various languages in Saudi Arabia. 

Elimination of Direct Marketing Provisions

Many provisions specific to direct marketing will be removed from the existing regulations as follows:

  • Direct marketing definition (physical and electronic communications like promotions, advertising, etc.)
  • A necessity to disclose the sender’s identity while sharing direct marketing material. 

Organizations focusing on direct outreach should not consider this a license to proceed without consent, as the consent requirement still applies. 

The Saudi PDPL Implementing Regulations shall remove the definition of ‘Personal Data Breach.’ The definition earlier referred to every incident involving unauthorized access to, breach of, or corruption of personal data. 

This could be automated, manual, purposeful, or accidental. The revised regulations would now depend on the breach notification obligations under:

  • PDPL Article 20
  • KSA PDPL Implementing Regulations Article 24 
  • Personal Data Breach Regulations Procedural Guide

The article requires data controllers to inform the competent Authority and the data subjects in the event of a finding of damage or breach. 

Controllers should report any breach to the relevant Authority within 72 hours of the meeting, including valid information and mitigation methods. Data subjects must be notified without delay, in clear and accessible language, whenever the breach poses a risk to their rights.

Minimization in Record-Keeping Needs

The following requirements around ROPAs (Records of Processing Activities) are expected to be eliminated: 

  • Processing records should be in writing.
  • Minimum information to be included in a specific list, like:
      • DPO/Controller contact information
      • Data purposes and categories
      • Retention duration
      • Recipients & transfers
      • Security policies

Eliminating the granular list helps to make the compliance framework more flexible. 

Removal of Complaint Timeframe Restrictions 

The mandate setting a 90-day deadline for data subjects to make complaints to the Competent body would also be deleted. The Authority has the discretion to accept late complaints under the current regime, provided the individual has valid reasons for submitting them late.

The clause deletion is a result of the expectation to remove unnecessary restrictions on recourse. This gives individuals a high degree of freedom to process complaints without the burden of a typical timeframe.

Responding to Compliance Requests

The proposed PDPL amendments require controllers to respond, within 10 business days, to SDAIA inquiries that question compliance with the Saudi PDPL and related Implementing Regulations.

DPO: Role Clarification & Expansion

Specific changes are also applicable to the obligations or structure of the Personal Data Protection Officers. A prescriptive framework would come in place of rules for appointing the Data Protection Officer (DPO): 

  • Controllers should document the DPO appointment formally. 
  • The DPO’s contact information should be provided through the Authority’s platform and updated as changes arise.

The DPO’s responsibilities will not be confined to compliance monitoring. As per the new Article 34, the role includes:

  • Being the primary liaison with the Competent Authority and following the instructions
  • Offering required support to the Controller and facilitating awareness on PDPL
  • Ensuring data subject rights and managing related complaints or requests
  • Informing the Authority of personal data breaches
  • Managing and updating the Controllers’ processing records
  • Managing the remediation efforts when controllers go against data protection standards.
  • Monitoring audits, Data Protection Impact Assessments (DPIAs), and regulatory reports, and delivering the mandate’s recommendations. 

Centralized Enforcement: Introduction of New Platform

The new paragraph also describes an e-platform that is to be monitored by the Competent Authority. The platform intends to act as a hub for:

  • Support services and compliance tools
  • Managing the National Register of Controllers
  • Implementing PDPL requirements.

This practical process could help centralize oversight and digital compliance systems. When fully operational, it can help make registration, communication, and submission streamlined with the help of the regulator.

PDPL Amendment Impact on Compliance and Enforcement

If the amendment is passed, the rules governing the National Register of Controllers in KSA will be replaced with a new article that defines mandatory registration norms.

Registration via the platform will now be necessary in case the Controller:

  • Acts as a public entity;
  • Has the core activity of personal data processing;
  • Engages in personal data transfer outside the Kingdom or discloses internationally;
  • Processes personal data of individuals lacking partial or complete legal capacity;
  • Processes sensitive information.

This necessity doesn’t just apply to legal entities but also to individuals who fulfill the definition of a Controller and process personal information for purposes other than personal or family use. 

Every Controller will hold a specific record in the platform, complete with documentation as per PDPL Article 31, as well as any additional processing-oriented information required by the Authority.

What’s Next: Core Business Takeaways for You

The Saudi PDPL law amendments aren’t just tweaks but a precise shift to ensure simplicity and flexibility in the existing framework. 

That said, controllers and processors must act cautiously to adhere to the specific rules and provide for the relaxation of obligations. As good practice, your business should take the following steps:

  • Keep tracking the SDAIA rules, particularly those that define the purpose and implementation of the new enforcement standard.
  • Keep an eye on the internal processing records to be prepared for audits or any incidents.
  • Always obtain consent and disclose the sender’s identity during direct marketing.
  • Monitor data breach response protocols to escalate incidents as required by law, even if a formal breach definition doesn’t exist.

Navigating PDPL Compliance

With the continuous evolution of PDPL certification, organizations operating in Saudi Arabia should review their compliance processes and ensure their data governance frameworks remain aligned with the law. 

However, to ensure compliance with cybersecurity norms, your organization will need the expert assistance of a cybersecurity services company. That’s where Wattlecorp can help you to stay vigilant, informed, and super-compliant. 

As a leading cybersecurity services and solutions provider, Wattlecorp offers the latest PDPL compliance services in KSA, helping you maintain highly secure processes. To learn more about how we help, let’s connect!

PDPL Saudi Arabia FAQs

1. What is PDPL compliance in Saudi Arabia?

It means aligning business processes with the Saudi Arabia Personal Data Protection Law. Saudi PDPL compliance includes protecting personal information, obtaining proper consent, managing breach notifications, and adhering to international data transfer rules.

2. What are the latest changes in Saudi PDPL?

Recent KSA PDPL amendments enable data processing based on legitimate interest, streamline cross-border data sharing with no SDAIA pre-approval, eliminate the need for controller registration, and modify breach reporting timelines.

3. How do PDPL amendments affect businesses in Saudi Arabia?

According to PDPL KSA, businesses must update their privacy standards, establish lawful methods to process data, ensure compliance with breach reporting mandates, and adopt internal data protection methods.

4. What are the sectors possibly impacted by the PDPL amendments?

The Saudi PDPL can impact the following segments: healthcare, finance, marketing, technology, and cloud providers. Since these sectors handle sensitive data, consent rules, restrictions on financial data, and cross-border handling requirements, PDPL amendments would act as an integral tool for them.

Midhlaj

Midhlaj is an ardent enthusiast of cybersecurity, excelling in the realm of Penetration Testing. With a meticulous attention to detail and robust problem-solving skills, he adeptly challenges and fortifies security systems. His passion for both breaching and safeguarding systems fuels his continuous pursuit of excellence. Committed to refining his expertise, Midhlaj stays at the forefront of cybersecurity innovations and practices.
