THALES BLOG

Navigating Saudi Arabia's Personal Data Protection Law (PDPL): A Guide to Compliance

April 3, 2025

Ammar Faheem | Director Product Marketing (CIAM)

The Kingdom of Saudi Arabia (KSA) has taken a significant step towards bolstering data protection with its Personal Data Protection Law (PDPL), marking a pivotal moment in the region's digital landscape. The PDPL, enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), applies to any entity processing the personal data of individuals residing in the KSA, regardless of where that processing takes place. The law entered into force on September 14, 2023, and after a one-year grace period full enforcement began on September 14, 2024, so organizations must prioritize compliance to avoid substantial penalties.

Embracing Data Privacy in Saudi Arabia

The PDPL signifies Saudi Arabia's commitment to data privacy and its ambition to become a leader in the digital economy. By understanding the requirements of the PDPL and implementing solutions like Thales OneWelcome, organizations can confidently navigate the new data protection landscape, foster customer trust, and contribute to Saudi Arabia's Vision 2030.

Key Aspects of the PDPL

Broad Scope: The PDPL applies to data controllers and processors established in the KSA or who process personal data of individuals in the KSA, even if operating outside the country.

Comprehensive Requirements: The PDPL outlines comprehensive requirements related to processing principles, data subjects’ rights, organizations’ obligations, and cross-border data transfer mechanisms.

Principles: The PDPL is built upon principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimization, and confidentiality.

Consent is Crucial: Consent is the default legal basis for processing. Unless one of the law's limited exceptions applies (for example, processing necessary to perform a contract with the data subject or to meet a legal obligation), controllers and processors must obtain consent before collecting, using, transferring, or storing personal data. Explicit consent is required to process sensitive personal data, and direct marketing requires the data subject's prior consent together with a clear, freely available mechanism to opt out at any time.

Data Controller Registration: Data controllers must register with the National Data Governance Platform (NDGP) if they process sensitive data, or their main activity is processing personal data within the KSA.

Enforcement: The SDAIA is empowered to monitor data controllers’ adherence to the PDPL.

Preparing for PDPL Compliance

To comply with the PDPL, organizations must implement robust measures, including organizational, administrative, and technical safeguards, to protect personal data.

Some key steps include:

  • Implementing governance mechanisms for monitoring the organization's own adherence, and that of its processors, to the new data protection law.
  • Establishing consumer-friendly rules regarding the collection, storage, and use of personal data.
  • Implementing a sensitive data discovery and classification service, a data loss prevention package, and a SIEM.
  • Stating the purpose of personal data collection at the point of collection (for example, on web forms), and capturing and storing the data subject's consent there.

PDPL vs. GDPR

The PDPL shares similarities with the GDPR, but key differences exist. As an example, the PDPL imposes stricter restrictions on organizations transferring personal data out of Saudi Arabia and places a greater emphasis on consent as a precondition for lawful data processing.

Thales OneWelcome: Streamlining PDPL Compliance

Thales OneWelcome Identity Platform offers a comprehensive solution for managing customer identity and access, including consent and preference management, that can significantly aid organizations in achieving PDPL compliance. Modular capabilities of the platform enable compliance with various regulatory requirements.

The Consent and Preference Management identity app manages end users' consent and attribute preferences (e.g., current consent state, consent tracked per policy and per attribute, consent tracked against specific user data) while processing their data in a compliant and secure way. As a result, businesses can focus on securely connecting consumers with their online services and apps, protecting their data, and analyzing identity behavior to build more engaging customer experiences.

[Figure: Privacy and consent diagram]

Thales OneWelcome allows clients to support the entire consent lifecycle, giving end users a single view of, and control over, all their consents. It also assists them in exercising their data privacy rights: the right to view, export, and edit all personal data stored within the Thales OneWelcome Identity Platform at any time, as well as the right to request that their account be frozen and their personal data deleted.
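The consent lifecycle described above (consent bound to a specific policy, withdrawal, per-attribute preferences, export, freeze, and erasure) is easy to get subtly wrong; the most common mistake is treating consent given under one version of a policy as valid after the purpose changes. The following is an added, self-contained Python illustration written for this article; it is not Thales OneWelcome code and does not reflect that platform's data model or API. The policy names, the `ConsentLedger` class and its methods, and the `DSR-1` request identifier are all hypothetical.

```python
"""Minimal consent ledger illustrating the consent lifecycle.

Added illustration for this article; not Thales OneWelcome code. All names,
policies and identifiers are hypothetical.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Policy:
    policy_id: str
    version: int
    purpose: str          # the stated purpose the data subject consents to


@dataclass(frozen=True)
class ConsentEvent:
    policy_id: str
    version: int          # policy version the user actually saw
    granted: bool         # True = consent given, False = withdrawn
    source: str           # interface where it was recorded, e.g. "web-signup"
    at: str               # UTC timestamp, ISO 8601


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ConsentLedger:
    def __init__(self, policies):
        self.policies = {p.policy_id: p for p in policies}
        self._users = {}                      # user_id -> per-user state
        self.audit = []                       # non-personal audit trail

    def _state(self, user_id):
        return self._users.setdefault(
            user_id, {"frozen": False, "attributes": {}, "events": []})

    def _record(self, user_id, policy_id, granted, source):
        policy = self.policies[policy_id]     # unknown policy -> KeyError, by design
        self._state(user_id)["events"].append(
            ConsentEvent(policy_id, policy.version, granted, source, _now()))

    def grant(self, user_id, policy_id, source):
        self._record(user_id, policy_id, True, source)

    def withdraw(self, user_id, policy_id, source):
        self._record(user_id, policy_id, False, source)

    def set_attribute(self, user_id, name, value):
        """Per-attribute preference, e.g. preferred contact channel."""
        self._state(user_id)["attributes"][name] = value

    def has_consent(self, user_id, policy_id) -> bool:
        """Consent is valid only if the latest event for this policy is a grant
        AND it was given against the current policy version. A frozen account
        never authorises processing."""
        state = self._users.get(user_id)
        if state is None or state["frozen"]:
            return False
        events = [e for e in state["events"] if e.policy_id == policy_id]
        if not events:
            return False
        latest = events[-1]
        return latest.granted and latest.version == self.policies[policy_id].version

    def update_policy(self, policy_id, new_purpose):
        """A changed purpose bumps the version; earlier consents become stale
        and the user must be asked again."""
        old = self.policies[policy_id]
        self.policies[policy_id] = Policy(policy_id, old.version + 1, new_purpose)

    def export(self, user_id) -> str:
        """Right to view/export: everything held about the user, as JSON."""
        state = self._state(user_id)
        return json.dumps({
            "user_id": user_id,
            "frozen": state["frozen"],
            "attributes": state["attributes"],
            "consents": [asdict(e) for e in state["events"]],
        }, indent=2)

    def freeze(self, user_id):
        """Right to freeze: keep the record but stop all processing."""
        self._state(user_id)["frozen"] = True

    def erase(self, user_id, request_id):
        """Right to deletion: drop every personal attribute and consent event,
        keeping only a non-personal audit entry keyed by the request id so the
        erasure itself can be evidenced."""
        self._users.pop(user_id, None)
        self.audit.append({"action": "erase", "request_id": request_id, "at": _now()})


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    ledger = ConsentLedger([Policy("marketing", 1, "Email offers")])
    ledger.grant("u1", "marketing", "web-signup")
    ledger.update_policy("marketing", "Email and SMS offers")   # consent now stale
    print("consent after policy change:", ledger.has_consent("u1", "marketing"))
    print(ledger.export("u1"))
```

Two design points matter for a PDPL-style deployment: the ledger records the policy version the user saw, so a later change of purpose automatically forces re-consent rather than silently extending the old grant, and erasure keeps a non-personal audit entry so the organization can still show the regulator that the request was honoured after the data itself is gone.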

How Thales OneWelcome Helps:

  • Consent Management: Thales OneWelcome helps introduce data privacy considerations as part of the user journey, explicitly seeking end-user consent.
  • End-User Empowerment: By allowing users to control their data storage and processing preferences, Thales OneWelcome helps build trust and transparency.
  • Compliance: Thales OneWelcome facilitates ongoing compliance with the PDPL and other global data privacy regulations.
  • Data Privacy by Design: Built with data privacy in mind from the ground up.

By leveraging the Thales OneWelcome Identity Platform, organizations can navigate the complexities of the PDPL and demonstrate a commitment to data privacy, building trust with customers and ensuring long-term success in the Saudi Arabian market.