KSA: SDAIA Opens Consultation for New Data Protection Rules

Written By

Nick O'Connell

Partner
United Arab Emirates

I am a Partner working in Tech & Comms and Privacy & Data Protection. I have been based in the Middle East for most of the last 18 years, assisting local and international clients by providing specialist legal support on diverse matters in the broader technology, media and telecommunications space.

Charles Christie

Associate
United Arab Emirates

I am an associate at our Dubai office, where I assist clients with commercial, technology, and data-related issues across the Middle East, with a primary focus on the UAE and Saudi Arabia.

As part of Saudi Arabia’s continued efforts to strengthen its personal data protection landscape, the Saudi Data and Artificial Intelligence Authority (SDAIA) has launched a public consultation on the Draft Rules Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection (“Rules”). This important development seeks to introduce a regulatory framework governing entities involved in providing services or activities relating to personal data protection, whether for commercial, professional, or non-profit purposes.

The consultation marks another key milestone in the evolution of Saudi Arabia’s data governance environment, following the entry into force of the Personal Data Protection Law (PDPL) and its Implementing Regulations.

Below, we summarise the key proposals outlined in the draft Rules. If you would like to contribute to the discussion, the Public Consultation opened on 23 April 2025 and closes on 14 May 2025. Further details are available here and here.

Scope of the Draft Rules

The draft Rules apply to a wide range of activities related to personal data protection, including:

  • Consultancy services on personal data protection;
  • Technical solutions and services to support compliance with the PDPL;
  • Technical and vocational training in personal data protection;
  • Organisation of conferences, workshops, and seminars addressing personal data protection topics.

The draft Rules cover both commercial and non-profit sectors and would apply regardless of the means by which activities are conducted (e.g., physically or digitally). Notably, the draft Rules are intended to complement, rather than replace, any additional licensing or regulatory requirements imposed by other supervising authorities.

Key Requirements for Entities

Entities wishing to engage in personal data protection activities will need to meet a range of baseline requirements, including:

  • Registration: All entities must register via the National Data Governance Platform maintained by SDAIA.
  • Compliance Commitments: Entities must acknowledge compliance with the PDPL, its Implementing Regulations, and relevant guidelines issued by SDAIA.
  • Disclosure Obligations: Entities must disclose any prior complaints or recorded violations relating to personal data protection law.
  • Additional Requirements: SDAIA may impose further requirements as deemed necessary to safeguard compliance.

Importantly, entities may not commence operations until they have fully satisfied these conditions.

Specific Requirements Based on Activity Type

The draft Rules also introduce specific requirements based on the type of activity being undertaken. For example, consultants must ensure their advice complies fully with the PDPL and maintain documented internal compliance measures. Training providers, by contrast, must be appropriately qualified, ensure that training content aligns with the PDPL without offering unauthorised interpretations, and obtain SDAIA’s approval at least 90 days before delivering any program. Technical compliance service providers are required to demonstrate technical competence, maintain detailed compliance documentation, and conduct self-assessments of their operations, with results submitted to SDAIA. Similarly, event organisers must ensure that speakers are suitably qualified, that event content strictly adheres to the PDPL, and that SDAIA approval is secured at least 90 days before the event takes place.

Enforcement and Oversight

The draft Rules grant SDAIA significant oversight powers, including the ability to:

  • Suspend activities where there are investigations or confirmed violations;
  • Maintain a National Register of all activities related to personal data protection;
  • Periodically review and update the draft Rules to ensure they remain fit for purpose.

Next Steps

It is clear that some of the requirements in the Rules warrant further scrutiny. At first glance, some of the points mentioned could be overly burdensome or pose practical difficulties.

Organisations operating, or planning to operate, in Saudi Arabia’s personal data protection ecosystem should closely monitor this consultation and prepare to align their operations with the upcoming regulatory requirements.

For any further information on developments or current requirements in this space, please contact Nick O’Connell or Charlie Christie.
