
PDPL Enforcement Decisions: What 48 Violations Reveal About Compliance Gaps


Brief Takeaway

SDAIA has issued 48 PDPL compliance enforcement decisions since the grace period ended in September 2024. The violations share a pattern: unlawful data processing, missing security controls, undocumented practices, and marketing sent without consent. For organisations operating in Saudi Arabia, these decisions make one thing clear: PDPL compliance is no longer theoretical. For CIOs, legal teams, and compliance officers, the enforcement data is not a warning. It is a roadmap of exactly where to focus before the next decision is issued.

PDPL Compliance Is No Longer a Risk You Can Defer

Saudi Arabia’s Personal Data Protection Law (PDPL), enacted by Royal Decree No. M/19 in 2021 and amended in March 2023, came into full force on 14 September 2023. The compliance grace period expired exactly one year later. Since then, SDAIA’s enforcement committees have been fully operational and active.

As of mid-January 2026, 48 enforcement decisions confirming PDPL violations have been issued against organisations across multiple sectors. Businesses are receiving formal notifications, investigations, and indictments. PDPL compliance is no longer a future obligation sitting in a legal team’s backlog. It is a live regulatory exposure with fines reaching SAR 5 million per breach (a figure that doubles for repeat offences) and criminal penalties of up to two years imprisonment for violations involving sensitive personal data.

For CIOs and compliance officers, the practical question is not whether SDAIA is enforcing. It is whether your organisation is among those that will receive the next notification.

What the 48 Decisions Actually Show

The IAPP’s analysis of SDAIA’s enforcement announcement confirms that the 48 decisions were not concentrated in one industry or one type of organisation. They spanned sectors, entity sizes, and a range of data processing activities. This is significant. It means enforcement is not following a narrow compliance checklist. It reflects a broad regulatory posture aimed at institutions that have failed to operationalise PDPL principles across their data lifecycle.

The violations covered four recurring categories.

What the 48 Decisions Have in Common: 4 Core PDPL Compliance Gaps

Infographic: the four violations that drove SDAIA’s enforcement actions were unlawful processing, unauthorised disclosure, missing safeguards, and non-consensual marketing.
  1. Collecting or processing personal data without a valid legal basis

This remains the most fundamental failure. Organisations are processing data (for analytics, CRM, operational reporting, and third-party integrations) without documented legal grounds under PDPL Article 14. In many cases, the data processing simply predates the law and was never reviewed.

  2. Unauthorised disclosure of personal data

Data shared with vendors, shared across internal business units, or exposed through system integrations without lawful justification represents a direct PDPL compliance failure. Many organisations have no current map of where personal data flows after collection.

  3. Failure to implement technical and organisational safeguards

PDPL requires organisations to put in place security measures proportionate to the risk. Enforcement findings confirm that many entities have policies in place but no operational controls: no access governance, no data classification, no audit trails.

  4. Marketing communications sent without consent

SDAIA’s findings specifically highlighted the volume of promotional and marketing messages sent without prior consent from data subjects. This pattern is concentrated in retail, telecommunications, and financial services, sectors where legacy CRM data has been used for years without re-evaluation.

Why Organisations Keep Failing at PDPL Compliance

The enforcement data points to a structural problem, not a technical one. Three conditions appear consistently in organisations that remain exposed:

No clear internal PDPL owner. Accountability is distributed across legal, IT, and marketing without a single function responsible for PDPL compliance monitoring and decision-making. Where organisations are required to appoint a Data Protection Officer (DPO), many have not formalised the role or registered through the National Data Governance Platform.

Data processing is undocumented. Record of Processing Activities (RoPA) requirements under PDPL are frequently unmet. Organisations cannot demonstrate a valid legal basis for each processing activity because no one has systematically mapped what data exists, where it sits, and why it is being used.

Policies have not translated into controls. Privacy notices have been updated. Consent language has been revised. But downstream, in the CRM, the HR system, the marketing platform, the third-party data processor, the actual data flows have not changed.

What Closing the Gap Requires

Infographic: PDPL compliance gap checklist covering DPO registration, RoPA documentation, and technical controls, the three operational requirements every organisation needs to demonstrate PDPL compliance to SDAIA.

PDPL compliance at the level SDAIA expects is a governance exercise, not a legal documentation exercise. The organisations that have successfully passed SDAIA scrutiny share three operational characteristics:

A documented data governance framework with accountable roles, including a registered DPO where required. A current RoPA that maps personal data by category, processing purpose, legal basis, and retention period. And implemented technical controls: access management, audit logging, and data minimisation mechanisms that can be demonstrated to an investigator on demand.
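One way to make the RoPA described above something an investigator can actually be shown is to keep it as structured records and run the four enforcement categories over it as checks, together with the periodic review cycle mentioned in the FAQ below. The following is an added illustration written for this article; it is not Alnafitha’s tooling and not an SDAIA artefact. The record fields, the legal-basis labels, the sample activities, and the 90-day review window are constructed assumptions; the actual legal bases are those defined in PDPL Article 14 and the implementing regulations, which this script does not encode.

```python
"""Added example: a minimal Record of Processing Activities (RoPA) gap check.

Illustration code for this article, not a product or an official SDAIA artefact.
Field names, legal-basis labels, the review window and the sample records are
constructed assumptions; consult PDPL Article 14 and the implementing
regulations for the real list of legal bases.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed placeholder labels for legal bases; not the statutory list.
VALID_LEGAL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


@dataclass
class ProcessingActivity:
    """One RoPA entry: what data, why, on what basis, for how long, shared with whom."""
    name: str
    data_categories: list[str]
    purpose: str
    legal_basis: str | None
    retention_days: int | None
    is_marketing: bool = False
    consent_recorded: bool = False
    recipients: list[str] = field(default_factory=list)   # vendors or other business units
    sharing_justification: str | None = None
    access_controlled: bool = False
    audit_logged: bool = False
    data_classified: bool = False
    last_reviewed: date | None = None


def find_gaps(activity: ProcessingActivity, today: date, review_max_age_days: int = 90) -> list[str]:
    """Return the compliance gaps for one activity, mirroring the four enforcement categories
    plus retention and review-cycle hygiene. An empty list means no gap was found."""
    gaps: list[str] = []
    # 1. Processing without a valid legal basis.
    if activity.legal_basis not in VALID_LEGAL_BASES:
        gaps.append("no valid legal basis (Article 14)")
    # 2. Disclosure to recipients without a documented justification.
    if activity.recipients and not activity.sharing_justification:
        gaps.append("disclosure to recipients without documented justification")
    # 3. Safeguards that exist on paper only.
    missing = [label for label, ok in (
        ("access control", activity.access_controlled),
        ("audit logging", activity.audit_logged),
        ("data classification", activity.data_classified),
    ) if not ok]
    if missing:
        gaps.append("missing safeguards: " + ", ".join(missing))
    # 4. Marketing sent without recorded consent.
    if activity.is_marketing and not activity.consent_recorded:
        gaps.append("marketing without recorded consent")
    # Retention and review cycle (quarterly is the constructed default here).
    if activity.retention_days is None:
        gaps.append("no retention period")
    if activity.last_reviewed is None or (today - activity.last_reviewed).days > review_max_age_days:
        gaps.append(f"not reviewed within the last {review_max_age_days} days")
    return gaps


def review_register(register: list[ProcessingActivity], today: date) -> dict[str, list[str]]:
    """Map each activity with at least one gap to its list of gaps."""
    report: dict[str, list[str]] = {}
    for activity in register:
        gaps = find_gaps(activity, today)
        if gaps:
            report[activity.name] = gaps
    return report


# Constructed sample register: one well-documented activity, one legacy CRM activity.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="HR payroll", data_categories=["identity", "bank account"],
        purpose="salary payment", legal_basis="contract", retention_days=3650,
        access_controlled=True, audit_logged=True, data_classified=True,
        last_reviewed=date(2025, 11, 1),
    ),
    ProcessingActivity(
        name="Legacy CRM promotions", data_categories=["contact details"],
        purpose="promotional SMS", legal_basis=None, retention_days=None,
        is_marketing=True, consent_recorded=False,
        recipients=["sms-gateway-vendor"], sharing_justification=None,
        access_controlled=True, audit_logged=False, data_classified=False,
        last_reviewed=None,
    ),
]

if __name__ == "__main__":
    for name, gaps in review_register(SAMPLE_REGISTER, date(2026, 1, 15)).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Run against the constructed register, the payroll activity produces no findings, while the legacy CRM activity is flagged on all four enforcement categories plus missing retention and review; that second profile is the one the article describes as the typical exposure.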

Note that once SDAIA notifies an organisation of an alleged violation, there are only five working days to submit a formal response through the electronic proceedings platform. Organisations without internal readiness lose that window before they engage external advisors.

How Alnafitha Supports PDPL Compliance Readiness

Alnafitha has been working with Saudi enterprises and government entities on data governance, IT governance, and risk and compliance frameworks for over 30 years. The PDPL advisory work Alnafitha delivers is grounded in operational implementation, not generic guidance.

This includes structured PDPL gap assessments that map current data processing against SDAIA’s requirements, data governance consulting that establishes internal accountability structures and RoPA documentation, and IT governance advisory that aligns technical controls with PDPL’s security obligations.

Alnafitha’s risk and compliance solutions are built around Saudi regulatory requirements, including PDPL, NCA ECC, and SAMA frameworks. For organisations navigating overlapping obligations, this cross-framework approach reduces duplication and accelerates readiness, as covered in Alnafitha’s guide to SAMA cybersecurity audit compliance.

The Decision You Make Now Determines What Happens Next

Forty-eight enforcement decisions have been issued. The enforcement committees are processing additional complaints. SDAIA has built a formal, committee-led investigation process with short deadlines and broad documentation powers.

Organisations that conduct a structured PDPL compliance review now, before a notification arrives, retain the ability to remediate, document, and demonstrate good-faith effort. That option closes the moment a formal investigation begins.

Request a Free PDPL Gap Review with Alnafitha’s advisory team

Frequently Asked Questions About PDPL Compliance in Saudi Arabia

What are the mandatory PDPL requirements for data processing in Saudi Arabia?

PDPL requires organisations to process personal data only on a valid legal basis, maintain documented records of processing activities, implement appropriate technical and organisational safeguards, obtain consent for marketing communications, and appoint a Data Protection Officer where required. All processing must meet SDAIA’s standards as set out in the PDPL and its implementing regulations.

What are the penalties for non-compliance with Saudi PDPL?

Financial penalties reach up to SAR 5 million per breach, with repeat offences subject to doubled fines. Violations involving the unauthorised disclosure of sensitive personal data can result in criminal penalties, including imprisonment of up to two years. SDAIA also has authority to suspend data processing activities.

How do companies ensure ongoing PDPL compliance with monitoring tools?

Ongoing PDPL compliance requires continuous monitoring of data processing activities, regular access reviews, automated logging and audit trails, and periodic assessments against updated SDAIA guidance. Organisations in data-intensive sectors should implement dedicated data governance platforms and establish internal review cycles, typically quarterly.

Which consulting firms specialise in PDPL compliance services in Saudi Arabia?

Alnafitha is among the established IT advisory and consulting firms in Saudi Arabia with direct experience in data governance, IT governance, and regulatory compliance. With operations in the Kingdom since 1993 and deep familiarity with SDAIA’s regulatory posture, Alnafitha advises both private sector enterprises and public entities on PDPL readiness and advisory services.

Can I get a PDPL compliance checklist for my organisation?

A generic checklist rarely reflects the specific risks of your data environment. A gap review conducted against SDAIA’s requirements, covering your actual processing activities, legal bases, security controls, and consent mechanisms, gives you an accurate picture of where your exposure sits. Alnafitha offers a structured gap review that maps your current state against PDPL requirements and produces a prioritised action plan.

