The Personal Data Protection Law (issued pursuant to Royal Decree No. M/19 of 9/2/1443 H (corresponding to 16 September 2021), as amended by Royal Decree No. M/148 dated 5/9/1444H (corresponding to 27 March 2023)) ("PDPL") came into effect on 14 September 2023, but data controllers have a further year in which to comply (although that period may be further extended for certain entities). Accordingly, businesses within the scope of the PDPL will have until 14 September 2024 to adjust their status to become compliant with the PDPL.

The Implementing Regulations are also now in force, and provide further detail and guidance on various requirements in the PDPL. It comprises of two connected regulations, with the first being the 'Implementing Regulations to the PDPL', and the second being the 'Regulations on Personal Data Transfers outside the Kingdom' ("Transfer Regulations").

The PDPL is a law that applies on a national level and will apply to all sectors, with certain limited exceptions. For this reason, the PDPL will need to be considered in the broader legal and regulatory framework of the Kingdom of Saudi Arabia ("KSA"), with other sector specific frameworks such as those issued by the Saudi Central Bank, National Cybersecurity Authority or Communication, Space and Technology Commission ("CST").