Signify Insights
Spotlights
A publishing & interactive-learning property · Philadelphia · est. 2019
VOL. II  ·  Data Privacy  ·  Saudi PDPL

Five Things the PDPL Guide Tells You That the Law Doesn’t

SDAIA's Personal Data Protection Guide is where the PDPL gets practical. Five takeaways that move real boundaries in how you define, map and protect data.

A law tells you what is required. A guide tells you how the regulator thinks — and that is often where compliance is really won or lost. SDAIA's Personal Data Protection Guide, released in late 2023, is exactly that kind of document: the practical foundation for anyone navigating PDPL. Five takeaways from it change how you scope a programme.

1. Personal data is broader than a name

The most common misconception we see is that personal data means direct identifiers — name, ID number, email. Under PDPL, as under GDPR, it means any data that can identify a person directly or indirectly, alone or combined with other information. A privacy programme built only around protecting direct identifiers is already non-compliant. The practical response is to build a Critical Data Element repository and map how data actually flows, transforms and is used across the organisation — in close partnership with data-management leadership, who have to own that responsibility.

2. Sensitive data has its own, stricter rules

Within personal data sits a sharply defined subset: data revealing racial or ethnic origin, religious or philosophical belief, political opinion, criminal record, biometric or genetic identifiers, health and parentage. And here PDPL diverges hard from GDPR.

Under Article 26, processing sensitive data for marketing is prohibited outright — regardless of consent. Violations can carry fines and imprisonment.

That is not a setting you can configure your way around with a consent checkbox. It is a categorical rule, and the penalties give it teeth.

3. The law applies more broadly than teams expect

PDPL reaches across data forms and business types. Teams that assume their sector or their data format puts them outside scope tend to discover otherwise late and expensively. The safe assumption is that you are in scope until a careful reading proves you are not.

4. Pseudonymisation is not anonymisation

The two are routinely conflated, and the difference is consequential. Anonymised data — genuinely irreversible — falls outside much of the regime. Pseudonymised data, which can still be re-linked to an individual, does not. Mislabel one as the other and you build your compliance posture on a fault line.

5. The reach is global

PDPL's protections follow the data, not the passport or the postcode — covering personal data regardless of where it sits or whose it is. For any organisation operating across borders, that closes the comfortable assumption that data handled elsewhere is someone else's problem.

What this means for scoping
  • Inventory data by identifiability, not by whether it looks like an obvious identifier.
  • Flag sensitive-data processing for separate, stricter treatment — especially anything touching marketing.
  • Test your "anonymised" claims honestly before relying on them to exit scope.
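The pseudonymisation/anonymisation distinction in takeaway 4 and the "test your anonymised claims" item above are easier to see in code than in prose. The script below is an added illustration, not part of the original article or of SDAIA's guide: it pseudonymises a constructed set of records with a keyed HMAC-SHA256 token (an assumed design, with a placeholder key), shows that the key holder can re-link every token to a person, and then applies a simple k-anonymity check over quasi-identifiers (postcode and birth year) to show that merely dropping identifiers does not make the data anonymous. The records, the quasi-identifier choice and the threshold k=3 are all assumptions made for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real people): one direct identifier plus
# quasi-identifiers that, combined, can still single someone out.
RECORDS = [
    {"national_id": "1000000001", "postcode": "11564", "birth_year": 1984, "condition": "asthma"},
    {"national_id": "1000000002", "postcode": "11564", "birth_year": 1984, "condition": "diabetes"},
    {"national_id": "1000000003", "postcode": "11564", "birth_year": 1984, "condition": "none"},
    {"national_id": "1000000004", "postcode": "21589", "birth_year": 1991, "condition": "asthma"},
    {"national_id": "1000000005", "postcode": "21577", "birth_year": 1993, "condition": "none"},
    {"national_id": "1000000006", "postcode": "21432", "birth_year": 1996, "condition": "diabetes"},
]

# Assumed secret held by the controller (placeholder value). Whoever holds it
# can reverse the pseudonymisation, which is exactly why the data stays personal.
PSEUDONYMISATION_KEY = b"placeholder-key-rotate-in-production"

QUASI_IDENTIFIERS = ["postcode", "birth_year"]


def pseudonymise(record, key=PSEUDONYMISATION_KEY):
    """Replace the direct identifier with a keyed token (HMAC-SHA256)."""
    token = hmac.new(key, record["national_id"].encode(), hashlib.sha256).hexdigest()
    out = dict(record)
    del out["national_id"]
    out["token"] = token
    return out


def relink(pseudonymised, candidate_ids, key=PSEUDONYMISATION_KEY):
    """With the key and a list of known identifiers, every token maps straight back
    to its person. This is the re-linkability that keeps pseudonymised data in scope."""
    lookup = {hmac.new(key, cid.encode(), hashlib.sha256).hexdigest(): cid for cid in candidate_ids}
    return {row["token"]: lookup.get(row["token"]) for row in pseudonymised}


def strip_tokens(rows):
    """Drop the token column entirely, leaving only quasi-identifiers and attributes."""
    return [{k: v for k, v in row.items() if k != "token"} for row in rows]


def generalise(rows):
    """Coarsen quasi-identifiers: postcode to its first two digits, birth year to decade."""
    return [dict(row, postcode=row["postcode"][:2], birth_year=row["birth_year"] // 10 * 10) for row in rows]


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.
    A result of 1 means at least one record is unique on those columns."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())


def is_anonymised(rows, quasi_identifiers=QUASI_IDENTIFIERS, k=3):
    """Minimal honesty check before claiming data is out of scope: no identifier or
    token column remains, and every quasi-identifier combination is shared by >= k records."""
    has_identifier = any("national_id" in row or "token" in row for row in rows)
    return not has_identifier and k_anonymity(rows, quasi_identifiers) >= k


if __name__ == "__main__":
    pseudo = [pseudonymise(r) for r in RECORDS]
    print("re-linked:", relink(pseudo, [r["national_id"] for r in RECORDS]))
    stripped = strip_tokens(pseudo)
    print("k after dropping identifiers:", k_anonymity(stripped))
    print("k after generalising:", k_anonymity(generalise(stripped)))
    print("anonymised (k=3)?", is_anonymised(generalise(stripped)))
```

On this sample, dropping the identifier still leaves three records unique on postcode and birth year (k=1), so the "anonymised" label would be wrong; only after generalising the quasi-identifiers does every record share its values with at least two others. The k-anonymity test is deliberately simple and is not itself a legal standard; it is the kind of check a team should run before relying on an anonymisation claim to exit scope.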

None of these takeaways is theoretical. Each one moves a real boundary in how you define, map and protect data — which is why the guide, not just the law, belongs on the desk of anyone running a PDPL programme.

Companion piece: Remediation Board: Saudi PDPL