Saudi Personal Data Protection Law
SDAIA is actively enforcing the Saudi PDPL with penalties up to SAR 5 million per violation—non-compliance directly jeopardises your licence to operate in the Kingdom.
The Saudi Personal Data Protection Law (Royal Decree No. M/19 of 2021) is the Kingdom of Saudi Arabia's comprehensive data protection legislation. Enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), the law establishes consent-based processing, data subject rights, cross-border transfer restrictions, and breach notification requirements.
The grace period ended on 14 September 2024, and SDAIA has been actively enforcing the law - issuing 48 violation decisions in 2025-2026. Penalties range up to SAR 5 million, with doubling for repeat violations and potential criminal charges including imprisonment for unauthorised disclosure.
For organisations operating in Saudi Arabia, compliance requires technical controls for explicit consent management, data localisation (Saudi Arabia Azure regions where available, or approved transfer mechanisms), DPO appointment, and 72-hour breach notification. StremarControl engineers and operates the Microsoft-native controls that Saudi PDPL mandates require, translating each obligation into an enforceable control, structured evidence, and an ongoing assurance discipline aligned with SDAIA requirements.
Why This Matters Now
Saudi Arabia's Personal Data Protection Law is a cornerstone of the Kingdom's Vision 2030 digital transformation agenda. As the largest economy in the GCC, Saudi Arabia has a data protection framework that directly affects any multinational organisation doing business in the Kingdom. The PDPL's requirements for explicit consent, data localisation, and cross-border transfer restrictions create specific M365 configuration challenges: data residency must be addressed (Saudi Arabia has limited Azure region availability), consent mechanisms must be integrated into M365 workflows, and DLP policies must block transfers of personal data outside the Kingdom unless the required SDAIA authorisation is in place.
Scope & Applicability
The Saudi PDPL applies to any processing of personal data carried out in Saudi Arabia, including by organisations established outside the Kingdom if the processing relates to individuals residing in Saudi Arabia. The law covers both the public and private sectors. Personal data is broadly defined to include any data that can identify an individual directly or indirectly. Sensitive data - including health, financial, genetic, biometric, ethnic, and religious data - receives additional protection. For M365 environments, the data localisation provisions require careful assessment of where Exchange, SharePoint, Teams, and OneDrive data is physically stored and processed.
Core Obligations
Explicit Consent
Obtain clear, explicit, and documented consent before collecting or processing personal data, unless another lawful basis applies. Consent must be specific to the processing activity.
Data Subject Rights
Provide rights of access, correction, deletion (right to be forgotten), and the right to request data in a portable format.
Cross-Border Data Transfers
Transferring data out of Saudi Arabia requires SDAIA approval or a destination country with an adequate level of protection. Certain data categories are subject to strict localisation requirements.
Data Protection Officer
Organisations handling large volumes of sensitive data or involved in automated decision-making must designate a DPO responsible for monitoring compliance and liaising with SDAIA.
Breach Notification
Report unauthorised access or personal data breaches to SDAIA within 72 hours. Take immediate measures to contain the breach and prevent recurrence.
Record Keeping
Maintain detailed records of all processing activities, including purposes, data categories, recipients, retention periods, and security measures implemented.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Data Localisation
Azure tenant configuration for Saudi Arabia regions where available. Multi-Geo for Saudi-specific data residency. DLP policies preventing personal data egress from designated Saudi storage locations.
Azure region configuration, Multi-Geo assignment reports, DLP cross-border incident logs.
72-Hour Breach Notification
Microsoft Sentinel incident detection and classification against PDPL severity criteria. Playbooks that generate the SDAIA notification within 24 hours, well inside the 72-hour deadline. Immutable evidence chain for regulatory submission.
Forensic incident timeline reports, notification generation logs, evidence integrity verification records.
Consent and Processing Records
Purview Data Map for a complete inventory of processing activities. Record of processing activities (ROPA) generated systematically from data classification and sensitivity label metadata. Retention labels aligned to the stated processing purposes.
Maintained processing activity register, data classification scan results, retention label inventory.
Data Subject Rights
Purview eDiscovery for access and portability requests. Content Search with Saudi-specific data scope filters. Managed DSAR response workflows with SLA tracking against the statutory response period.
Manually verified DSAR completion logs, response time reports, verified data scope records.
Related Frameworks
The UAE PDPL imposes fines up to AED 5 million and processing suspensions—management must demonstrate compliant data handling across mainland and free zone operations.
With fines exceeding EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
Post-Brexit divergence means UK organisations must now navigate two parallel GDPR regimes, with the ICO imposing fines up to GBP 17.5 million or 4% of global turnover.
Ready to get Saudi PDPL-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Saudi PDPL requirements, close gaps, and produce audit-ready evidence.