Saudi PDPL on AWS

Saudi PDPL on AWS, SDAIA-aligned implementation.

The Saudi Personal Data Protection Law has been fully enforced since 14 September 2024. SDAIA is now actively auditing. 72-hour breach notification is mandatory. Cross-border transfer rules (issued August 2024) restrict offshoring without specific safeguards. We implement PDPL-aligned AWS architectures.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
Saudi Arabia · Data Protection
PDPL · SDAIA

PDPL is active and enforced.

Sep 24 · Full Enforcement
72h · Breach Window
5M · SAR Max Penalty
SDAIA · Regulator
SDAIA is now auditing. PDPL Implementing Regulations are in force. Transfer Regulations (Aug 2024) restrict cross-border data flows. The grace period is over.
— HAZERCLOUD Saudi PDPL practice
Saudi PDPL timeline

From law to enforcement.

Saudi PDPL was issued by Royal Decree M/19 on 16 September 2021 and amended by Royal Decree M/148 in March 2023. It came into force on 14 September 2023, with a one-year grace period for organizations to achieve compliance.

The grace period ended on 14 September 2024. PDPL is now in full enforcement. SDAIA (Saudi Data and Artificial Intelligence Authority) is the supervisory authority and has issued the Implementing Regulations and the Transfer Regulations (August 2024) governing cross-border data flows.

Penalties: up to SAR 5 million for general violations; SAR 3 million plus imprisonment up to two years for sensitive personal data violations. Sensitive personal data includes health, genetic, biometric, and financial data.

PDPL Requirements Mapped to AWS

Six AWS implementation areas.

Lawful basis & consent

Amazon Cognito + custom consent management. Consent records as audit-defensible evidence.

Data minimization

Amazon S3 Lifecycle policies, Amazon Macie for sensitive data discovery, automated retention enforcement.

Cross-border transfer

AWS region selection (me-south-1 vs me-central-1), Transfer Regulations safeguards, Transfer Impact Assessments.

Breach notification

Amazon GuardDuty + Amazon EventBridge automated incident workflow. 72-hour SDAIA notification path documented and tested.

Data subject rights

Right to access, correction, erasure, objection. AWS-native data export and deletion patterns. SLA-defensible workflows.

Sensitive data handling

AWS KMS-managed encryption, Amazon Macie classification, additional access controls. Higher penalty exposure justifies extra rigor.

Our PDPL Engagement Process

Three phases to SDAIA readiness.

PDPL Gap Assessment

4 to 6 weeks. Current state mapped to PDPL Implementing Regulations + Transfer Regulations. Risk-prioritized gap list.

Implementation

8 to 16 weeks. AWS architecture changes for lawful basis, transfer safeguards, breach response, data subject rights workflows.

SDAIA Defensibility

Documentation, evidence pack, Transfer Impact Assessments, breach playbook, training materials.

The Founder Commitment

Same AWS-certified specialist, discovery to handover.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery. Six touchpoints I personally own: discovery call, architecture sign-off, weekly review, every material decision, every deliverable sign-off, and 30 days post-handoff.

Jobin Joseph, Founder & CTO, HAZERCLOUD INFOTECH LLP
AWS Security Specialty · 5× AWS Certified
Saudi PDPL Readiness

PDPL on AWS.

30-minute call. Direct with the founder. One specific recommendation about your PDPL posture on AWS.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder