Saudi Arabia has issued its first data protection law to safeguard individuals’ privacy and regulate the collection and processing of personal data. Organizations are granted one year from September 14, 2023, to comply, with enforcement becoming mandatory on September 14, 2024.
The law applies to organizations processing the data of individuals residing in the Kingdom, including foreign entities. The Saudi Data and Artificial Intelligence Authority (SDAIA) is responsible for enforcement until 2025, when the responsibility will transfer to the National Data Management Office.
Penalties include fines of up to 5 million Saudi riyals or imprisonment of up to two years for violations involving sensitive data. The law requires organizations to obtain individuals' consent for the use of their personal data, implement privacy policies and security controls, and report data breaches within 72 hours.
It also mandates that organizations appoint a Data Protection Officer and conduct Data Protection Impact Assessments. Data transfers outside the Kingdom are permitted if the receiving country's laws provide adequate protection.
SDAIA and the National Data Management Office provide reference tools and self-assessment resources to ensure compliance. Protecting personal data fosters trust and supports successful partnerships.