The Saudi Data and Artificial Intelligence Authority (SDAIA) has published the Draft Controls Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection for public consultation, open from 23 April to 20 May 2025.
The draft aims to regulate the practices of personal data protection, including advisory services, technical solutions, training programs, and the organization of events, contributing to improving service quality and ensuring compliance with the Personal Data Protection Law (PDPL) and its implementing regulations.
Scope of the Draft Controls
The draft identifies four main categories of activities subject to regulation:
- Advisory Services: Providing legal and technical advice to support entities in applying best practices for protecting personal data.
- Technical Services: Developing digital solutions that promote compliance with the PDPL and its implementing regulations.
- Training and Capacity Building Programs: Preparing and qualifying professional talents to enhance organizational capabilities in the field of data protection.
- Organizing Conferences and Workshops: Raising awareness and promoting a culture of compliance with personal data protection principles.
Under the draft, service providers wishing to engage in these activities must register through the National Data Governance Platform and meet all required regulatory conditions before commencing their services.
Key Requirements for Practicing Activities
To ensure the practice of activities related to personal data protection within a clear regulatory framework, the draft outlines key requirements that must be fulfilled, including:
- Registration through the National Data Governance Platform
- Full compliance with the PDPL and its implementing regulations
- Transparent disclosure of previous complaints, breaches, or pending legal proceedings
- Provision of advisory services in alignment with the legal framework
- Obtaining prior approval for training programs and events at least 90 days before the scheduled date
- Provision of technical solutions that meet applicable regulatory standards
Oversight and Supervision of Activities
The Saudi Data and Artificial Intelligence Authority (SDAIA) exercises comprehensive oversight over the practice of activities related to personal data protection, ensuring compliance with applicable controls and regulatory conditions.
The powers granted to SDAIA under the draft include:
- Suspension or revocation of licenses or permits in the event of non-compliance.
- Periodic review and update of the controls to reflect technological and regulatory developments.
Expected Impact
It is expected that the implementation of the Draft Controls Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection will lead to a reorganization of how services related to data protection are delivered, by imposing additional requirements on entities wishing to offer advisory services or technical solutions, such as Privacy Enhancing Technologies (PET), or provide training programs, or organize events. Entities will be required to review their regulatory and procedural status to meet the specified requirements before commencing their activities, with new regulatory features shaping the practice of activities related to personal data protection.
With a team of expert Saudi professionals and trusted international partnerships, Privacy Professionals supports organizations seeking to comply with the Personal Data Protection Law (#PDPL) and its implementing regulations, by providing advisory and training services based on internationally recognized best practices, helping institutions build structured, compliant personal data protection programs.
You Might Also Like
