🏰 The Privacy Revolution in Saudi Arabia
The PDPL and Saudi Arabia's New Approach to Data Protection
Last week, I talked about India's privacy law, and the feedback was overwhelmingly positive. I found it interesting to bring practical aspects of privacy laws from emerging countries or those that are making significant efforts to strengthen their data protection frameworks.
Recently, we had a conversation with a Privacy Tools client in Saudi Arabia and noticed several similarities, especially with the GDPR. So, I decided to share some impressions of this client's reality with you. Well, impressions is the best I can do, since I've never actually been to Riyadh.
My earliest memory of the country? The Aladdin game on Super Nintendo. If you're Gen Z, you have no idea what you’re missing.
By the way, since these days a Super Nintendo game runs on just about any device, why not indulge in some nostalgia at the link below?
Alright, enough distractions—let’s get to the point.
Imagine a merchant in Aladdin’s world, carefully noting down his customers' names and preferences with quill and parchment. Now, fast-forward to 2025, where that data is no longer stored on scrolls but in cloud servers and high-tech data centers. What was once a relationship built on verbal trust has now evolved into a complex digital ecosystem that demands strict rules to ensure privacy and security. And that’s where Saudi Arabia’s Personal Data Protection Law (PDPL) comes in.
The PDPL [1] was officially enacted in September 2023 and became fully enforceable [2] in September 2024. It marks a turning point in data protection across the Arab world, setting strict guidelines for businesses and public entities handling personal information. Inspired by the GDPR (of course…), but with cultural and strategic adaptations, the law places heavy restrictions on cross-border data transfers, requiring clear justifications and safeguards equivalent to local standards.
But is the PDPL just a Saudi version of the GDPR? Not really—just like Brazil’s LGPD isn’t a simple Brazilian copy of the GDPR, there are always key differences.
One of the most critical aspects, in my opinion, is how sensitive data is handled. This includes religious beliefs, biometric data, and even a data subject’s parental identity. The unauthorized use or disclosure of such data can lead to penalties of up to two years in prison and fines of up to 3 million Saudi riyals (approximately $800,000).
Yes, up to two years in prison.
This is because the PDPL adopts a two-tier penalty system, differentiating violations involving sensitive data from general infractions. If sensitive data is deliberately disclosed with malicious intent, criminal penalties apply—including imprisonment and hefty fines. On the other hand, violations of general requirements, such as failure to implement proper security measures, may result in administrative fines, which can double in case of repeat offenses.
In short:
My client is in the financial sector and faces a major challenge in complying with the PDPL. As an international banking institution, they must ensure that all Saudi customer data is processed in accordance with the law without compromising their global operations. The biggest problem? Their credit analysis system runs on servers outside the Kingdom, requiring international data transfers. With the PDPL’s restrictions on transferring information abroad, they need to find a solution that does not violate the law. This means overhauling their technological infrastructure, creating a secure local storage environment, and at the same time, meeting transparency requirements and respecting data subject rights. The issue is not just technological but also strategic: how to balance compliance and innovation without harming the customer experience?
Another interesting aspect is the creation of the Regulatory Authority, which has the power to conduct audits, impose restrictions, and even order the suspension of data processing for companies that fail to comply. Additionally, the role of the Data Protection Officer (DPO) becomes essential for certain businesses, although with more flexible guidelines than those seen in Europe. The law also mandates that organizations respond to data subject requests within a specific timeframe and requires companies to report security incidents immediately when there is a significant risk to citizens' data.
The legislation applies to all entities processing Saudi citizens' data, regardless of their physical location, with exceptions for national security purposes and government statistical activities. Data controllers operating exclusively abroad must appoint a local representative in Saudi Arabia, reinforcing the law’s extraterritorial jurisdiction.
What does all this mean in practice? For companies doing business in Saudi Arabia, the PDPL requires a quick and strategic adaptation. Governments and large corporations will need to adjust their privacy policies, implement security measures, and ensure that their partners and suppliers are also aligned with the new law’s requirements. And for privacy and data protection professionals, this creates a booming market for consulting, audits, and the implementation of digital compliance programs.
Saudi Arabia, with its increasingly digital and globalized economy, is not just following a trend. With the PDPL, the Kingdom is making a strategic move to attract investments, strengthen consumer trust, and position itself as a technology hub in the Middle East.
I’ll leave a few links at the end because “PDPL” is the acronym for privacy laws in various regions—don’t get them mixed up.
And for those who still think privacy is just a bureaucratic detail, remember this: in the digital world, data is the new currency, and protecting it is the real passport to the future.
https://www.clearycyberwatch.com/2024/01/saudi-arabias-data-protection-law-and-regulations-come-into-effect/
https://sdaia.gov.sa/en/Research/Pages/DataProtection.aspx