Saudi Arabia’s First Ever DP Law Comes into Force 

Today (14th September 2023), Saudi Arabia’s first ever data protection law comes into force. Organisations doing business in the Middle East need to carefully consider the impact of the new law on their personal data processing activities. They have until 13th September 2024 to prepare and become fully compliant. 


The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which has published the aforementioned regulations. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.

Following a consultation period, we also now have the final versions of the Implementing Regulations and the Personal Data Transfer Regulations; both expand on the general principles and obligations outlined in the PDPL (as amended in March 2023) and introduce new compliance requirements for data controllers. 


Action Plan 

13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so could lead to enforcement action and also reputational damage. The following should be part of an action plan for compliance: 

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.
  1. Training staff at all levels to understand PDPL and how it will impact their role.
  1. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  1. Reviewing how records management and information risk is addressed within the organisation.
  1. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  1. Reviewing information security policies and procedures in the light of the new, more stringent security obligations, particularly breach notification.
  1. Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
  1. Appointing and training a Data Protection Officer.

Act Now in Saudi Arabia 

Act Now Training can help your business prepare for the new law.
We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We have experience in helping organisations in territories where a new law of this type has been implemented.

Now is the time to train your staff in the new law. Through our KSA privacy programme, we offer comprehensive and cost-effective training, from one-hour awareness-raising webinars to comprehensive full-day workshops and DPO certificate courses.

To help deliver this and other courses, Suzanne Ballabás, an experienced Middle East-based data protection specialist, recently joined our team of associates. We can deliver online or face-to-face training. All of our training starts with a FREE analysis call to ensure you have the right level and most appropriate content for your organisation’s needs. Please get in touch to discuss your training or consultancy needs.


Middle East Data Protection Specialist Joins the Act Now Team


Act Now Training is pleased to announce that Suzanne Ballabás, an experienced Dubai-based data protection specialist, has joined its team of associates.

Suzanne is a privacy professional with over ten years of practical experience in implementing privacy practices across various international organisations, in addition to acting as a compliance officer for multiple regulated entities within the UAE’s financial districts of DIFC and ADGM.  

Previously, Suzanne held the position of Head of Data Protection in the Middle East for Waystone, where she managed data protection infrastructure for over 100 firms and served as the Data Protection Officer for various organisations, including Michael Page, DP World Financial Services, and Waystone. She played a crucial role in establishing Waystone’s data privacy practice in the Middle East and possesses extensive knowledge of data protection laws and regulations in the UAE.

Before her time in Dubai, Suzanne was based in London, working with the GDPR, rolling out the international privacy programme for international accountancy practice Baker Tilly.  

Suzanne is a law graduate and holds multiple IAPP privacy qualifications including Certified Information Privacy Professional/Europe (CIPP/E), Certified Information Privacy Manager (CIPP/M) and Certified Information Privacy Technologist (CIPP/T). She also specialises in ADGM Compliance (Financial Services), Money Laundering Reporting and International Human Resource Management.

Suzanne said: 

“I am really pleased to be joining the Act Now team. I’m excited to start working with them to help deliver their excellent courses and training programmes particularly those targeted at the fast developing Middle East data protection landscape.” 

This is an exciting time for privacy law in the Middle East. Alongside the passing of the law, which is awaiting executive regulations, Saudi Arabia and a number of other jurisdictions have passed DP laws similar to GDPR.

Ibrahim Hasan said: 

“Act Now’s reputation is growing in the UAE as a provider of practical training on all aspects of data protection. With Suzanne’s appointment we will be able to service more clients through delivery of our flagship courses, such as the UAE DPO Certificate, as well as develop new courses tailored for the Middle East market and to help practitioners understand the latest trends and developments in data protection law in the UAE and the wider Middle East.”

For the past five years, Act Now has been delivering training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. We can also deliver customised in-house training both remotely and face to face. Please get in touch to discuss your training or consultancy needs.
