HomeBlogThe KSA Announces Changes to Data Protection Laws
Back
BACK TO BLOG LIST
The KSA Announces Changes to Data Protection Laws
14.05.2025

Big news is coming from the Kingdom of Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) started public discussion on two draft documents in the field of data protection.

The Regulator published amendments to the Implementing Regulations of the Personal Data Protection Law and the new set of Draft Controls Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection. Both documents could have a significant impact on the legal framework of information security. Let’s dive in and review proposed changes.

List of proposed changes to the Regulations.

  • Amendments to The term "personal data breach" has been removed. This may lead to a more conservative approach towards information security planning, as companies will need to make their own decisions about what constitutes a reportable breach until further clarification and guidance is provided.
  • Updated communication standards. Amendments require data controllers to provide information to data subjects in clear and simple language. At the same time, 'privacy policies' must be written in a clear and comprehensive manner. The proposed changes also state that the language used should be consistent with the language of the data subjects, which is important for both Arabic and English speakers.

In addition, there is one more change regarding communication policies. Data Controllers must provide data subjects with personal data in a readable format. This change can have a significant impact on many businesses because companies potentially could have to restructure data processes and make software adjustments to fulfill this legal demand.

  • Marketing materials. There are two proposed changes to marketing activities. Firstly, consent for receiving advertisements and awareness materials must be documented. Also, data controllers must provide data subjects with a mechanism for halting the receipt of direct marketing materials. This capability should be implemented in a clear and easy way.

Secondly, amendments also remove the wording that consent must be obtained only in cases where there was no prior interaction between data subject and data controller.

  • DPO changes. The amendments now clearly state that data controllers must document the appointment of the DPO. Moreover, the Regulator has to be notified about any changes to the DPO position, such as replacing the DPO.

Companies have to ensure that appointed persons have the required expertise and authority to meet their duties. The DPO is tasked with monitoring internal compliance, acting as a point of contact with the Competent Authority, handling data security incidents, and performing data protection impact assessments.

  • Complaint submission and handling. There are two major developments. The changes remove a 90-day timeframe within which complaints by data subjects had to be submitted to the Regulator. At the same time, data controllers now have to respond to requests from the regulator within a 10-business-day timeframe from the moment of receipt. As a result of such changes, data controllers face a stricter legal boundary and have to put more effort into ensuring their legal compliance.
  • Addition of a clear list of conditions for registration in the National Register of Controllers. Data controllers are provided with a complete checklist of conditions for registration in the National Register of Controllers. The list includes the following conditions:
  1. If the Controller is a public entity.
  2. If the Controller’s primary activity is based on the processing of Personal Data.
  3. If the Controller transfers Personal Data outside the Kingdom or discloses it to entities outside the Kingdom
  4. If the Controllers processes sensitive data.
  5. If the Controller processes the Personal Data of individuals lacking partial or full legal capacity.

It is worth noting that the same legal demands apply to individuals in cases where they process Personal Data for purposes that go beyond personal or family use.

To summarize the proposed changes, it can be concluded that the majority of amendments aim to clarify the language and provide clear definitions for certain articles. However, some of the new legal articles could have a serious impact on the field of data protection. Removal of the 90-day timeframe for data subjects to submit a complaint could lead to an increase in the number of complaints. The absence of a clear definition for “personal data breach” also could have significant consequences. Companies would have to rely on their own expertise to determine the scale of an incident.

The Saudi Data and Artificial Intelligence Authority also released a new amendment to Draft Controls Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection. However, this document is more aimed at providing a legal framework for legal entities participating in the data compliance field.

The Controls apply to organizations engaged in:

  • Consultancy services on data protection,
  • Technical and vocational training,
  • Provision of technical solutions,
  • Organization of events such as seminars, conferences, and workshops.

Such legal bodies must register on the National Data Governance Platform. This service will provide transparency and ensure that SDAIA maintains oversight over involved entities. Moreover, providers must disclose any history of violations or investigations related to data protection. In such a way, the Regulator will have the capability to sort out bad actors and reliable organizations.

Even more, the draft empowers SDAIA to suspend any activities if violations are detected or if there is an ongoing investigation. This allows the regulator to act as an enforcer and swiftly respond to rising challenges.

Thus, SDAIA will ensure that a range of consultants, solution vendors, and other data protection providers meet SDAIA standards before engaging in information security work.

Regulatory compliance is an essential aspect for businesses. In addition to organizing a reliable and robust information security system, organizations must ensure that their security measures comply with the regulatory requirements and that reporting is done in an appropriate manner.

One can find it challenging to pay constant attention to a developing legal field. We made a set of educational materials for the Kingdom of Saudi Arabia and the United Arab Emirates markets. Learn how to enhance cyber resilience and meet the regulator’s requirements with the help of SearchInform’s solutions.

BACK TO BLOG LIST
Letter Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyber incidents.
FileAuditor
DLP
Risk Monitor
ProfileCenter
SIEM
MSS
MSSP
Cloud Deployment
Contact
About Our Company
Our Clients
Press About Us
Press Kit
White Papers
Third-party integration
Research
Practices and use cases
Videos
Company News
Product News
Events
Blog
Compliance
Data Loss Prevention
Investigation
Data at Rest Discovery
Data Encryption
Data Visibility
Data Classification and Protection
Time Tracking and Employee
Monitoring
Corporate Fraud Mitigation
C-level executive
Risk manager
Internal audit officer
Compliance manager
Information security analyst
Chief Human Resources Officer
Business Services
Education
Financial Services
Government
Insurance
Manufacturing
Healthcare
Retail
Energy
Hospitality
Construction
SearchInform partners
Become a partner
Partner login
SearchInform products are recognized by
Gartner The Radicati Group
Follow us:
© 2025 SearchInform LTD All rights reserved.
Terms of Use
Licence
Privacy&Cookies
Cookie settings