Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 31 December 2024

The Personal Data Protection Law ("PDPL") provides that the Saudi Data and Artificial Intelligence Authority ("SDAIA") will operate as the competent authority to enforce its provisions for the first two years after the legislation comes into force. Thereafter, this responsibility may be passed to the National Data Management Office ("NDMO") depending on its impact and the level of maturity of the data sector in Saudi Arabia.

As the competent authority under the PDPL, SDAIA has powers to supervise the application of the PDPL, including powers to fine, investigate and monitor compliance in a manner that is equivalent to the powers granted to supervisory authorities under Article 58 of the GDPR.

In addition, there are a number of other regulators that regulate certain aspects of data privacy and security in their respective sectors, including the National Cybersecurity Authority, the Communications, Space and Technology Commission, and the Saudi Central Bank ("SAMA").

How active is each of the regulator(s)?

Last review date: 31 December 2024

Moderately active

It remains to be seen how active the SDAIA will be in Saudi Arabia, as the PDPL’s enforcement period only started in September 2024. However, it has been increasingly active in publishing guidance and rules since the end of the grace period. Other regulators are also moderately active when it comes to data privacy and security in their respective sectors.

What are each regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 31 December 2024

SDAIA has not formally announced its priorities for enforcement, but given the recent enactment of the PDPL it is likely to prioritize awareness-raising and ensuring basic compliance with key data protection controls.

Cybersecurity will continue to be a hot topic in light of regional geopolitical uncertainty and the risk of state-sponsored cyber-attacks. At the same time, the Kingdom has a clear focus on developing its non-oil economy and enhancing the digital sector, and plans to become a world-leading AI hub.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 31 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

         Increasing

Class actions/group actions under data or cyber regulation are:

         Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 31 December 2024

There are:

         administrative remedies from regulators and law enforcement

         criminal penalties from regulators and law enforcement

         private remedies

If data subjects have private remedies, what form can these remedies take?

Last review date: 31 December 2024

         individual personal actions