Cicada Tech
Saudi Tech Brief

June 18, 2026

PDPL enforcement is live: what it changes for your CRM, HR, and AI tools

The grace period is over. Marketing consent, employee records, and data sent to AI tools are now real compliance exposure, not future paperwork.

Takeaway

Saudi Arabia's data authority issued 48 PDPL decisions in the past year, with marketing-without-consent a common violation. Here is what operators should fix in their software.

Saudi Arabia's Personal Data Protection Law (PDPL) has moved from a grace period into active enforcement. SDAIA's committees issued 48 decisions in the past year against organizations that broke the law, and one of the most common violations was sending marketing messages without consent. If you run a CRM, an HR system, or any tool that touches customer or employee data, this is now an operational risk you can see in your own software, not a future legal project.

What happened

The PDPL came into effect on 14 September 2023 and ran with a one-year transition period that ended on 14 September 2024. Since then the law has been fully enforceable, and 2025 was the year SDAIA started using that power.

In early 2026, SDAIA announced that its specialized committees had issued 48 decisions over the past year against organizations found in violation of the PDPL and its implementing regulations. These committees can investigate, weigh evidence, and impose warnings, fines, and orders to fix non-compliant practices. The reported violations were not exotic. They were ordinary operating habits: collecting or processing personal data without a lawful basis or beyond the stated purpose, weak technical and organizational security controls, and sending marketing or promotional messages without prior consent. That last one was described as widespread across retail, telecom, and financial services.

The penalties are set in the law. Under Article 36, the committees can issue a warning or a fine of up to SAR 5 million per violation, and a fine can be doubled for repeat offenses. Under Article 35, disclosing or publishing sensitive data with intent to harm someone or to gain personal benefit can carry up to two years in prison and a fine of up to SAR 3 million. Separately, moving personal data outside the Kingdom is regulated: SDAIA's transfer rules require purpose limits, risk assessment, and approved safeguards, and there is no published list of countries treated as adequate, so cross-border transfers generally need documented protections.

Why it matters for operators

The enforcement pattern maps directly onto systems most businesses already run.

Marketing consent lives in your CRM. The most common violation in SDAIA's decisions was promotional messaging without prior consent. That means consent has to be a real field in your customer data, captured at the moment it is given, tied to the channel it covers, and easy to honor when someone opts out. A CRM that blasts an offer to every phone number it holds is now a liability, not a campaign.

Employee data lives in your HR system. Personal and sensitive records, document scans, and salary data all fall under the PDPL. The recurring "weak security controls" finding is about exactly this: who can see a record, whether access is logged, and whether data is retained longer than the stated purpose needs.

The newest exposure is AI features. When you add an AI summary, chatbot, lead-scoring, or document-reading feature, you are usually sending real customer or employee data to a model or an external API. Under the PDPL that is processing, and it needs a lawful basis, data minimization, and security. If the model runs outside the Kingdom, that send is also a cross-border transfer that has to meet the transfer rules. Automation does not soften any of this. An AI tool that drafts and sends promotions still needs consent, and it can multiply the exposure by sending more messages, faster.
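The AI-feature exposure just described comes down to a gate that sits between the record store and the model call. The following is an added example (not Cicada Tech's own code or any product's API) of such a gate: each feature gets a field allow-list so the model sees only what it needs, free text is scrubbed of identifiers, and the call is refused when the endpoint runs outside the Kingdom without a documented safeguard, or needs sensitive fields at all. The feature names, field names, destination registry, safeguard reference and regex shapes are all assumptions.

```python
"""Minimisation and transfer gate in front of an AI feature (added example)."""
import re

# Data minimisation: the fields each feature may see (assumed allow-lists).
FEATURE_FIELDS = {
    "ticket_summary": {"ticket_id", "subject", "body"},
    "lead_scoring": {"lead_id", "industry", "company_size", "last_contact_days"},
    "payroll_qa": {"employee_id", "salary"},
}

# Sensitive fields in the brief's sense (assumed list); never sent abroad.
SENSITIVE_FIELDS = {"national_id", "salary", "health_note", "iban"}

# Where each model endpoint runs; safeguard_ref is a placeholder for the
# documented transfer protection (assumed registry, constructed values).
DESTINATIONS = {
    "local-llm": {"in_kingdom": True, "safeguard_ref": None},
    "vendor-eu": {"in_kingdom": False, "safeguard_ref": "TRANSFER-SAFEGUARD-PLACEHOLDER"},
    "vendor-us": {"in_kingdom": False, "safeguard_ref": None},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"(?:\+?966|0)5\d{8}")   # Saudi mobile shape (assumed pattern)
ID_RE = re.compile(r"\b[12]\d{9}\b")            # 10-digit national ID / iqama shape (assumed)


def redact_free_text(text):
    """Replace identifiers inside free text before it reaches a model."""
    text = EMAIL_RE.sub("[email]", text)
    text = PHONE_RE.sub("[phone]", text)
    return ID_RE.sub("[id]", text)


class TransferBlocked(Exception):
    """Raised when the send would breach the data-flow rules."""


def prepare_payload(feature, record, destination):
    """Return the minimised payload plus what was dropped, or raise TransferBlocked."""
    allowed = FEATURE_FIELDS[feature]
    dest = DESTINATIONS[destination]
    cross_border = not dest["in_kingdom"]

    # Question 2 and 3 of the brief: does the data leave the Kingdom, and is a safeguard on file?
    if cross_border and dest["safeguard_ref"] is None:
        raise TransferBlocked(f"{destination} is outside the Kingdom with no transfer safeguard on file")
    # Sensitive fields stay in-Kingdom regardless of paperwork.
    if cross_border and (allowed & SENSITIVE_FIELDS):
        raise TransferBlocked(
            f"{feature} needs sensitive fields {sorted(allowed & SENSITIVE_FIELDS)}; run it in-Kingdom")

    # Question 1: only the allow-listed fields, with identifiers scrubbed from free text.
    payload = {k: redact_free_text(v) if isinstance(v, str) else v
               for k, v in record.items() if k in allowed}
    return {
        "feature": feature,
        "destination": destination,
        "cross_border": cross_border,
        "payload": payload,
        "dropped_fields": sorted(set(record) - allowed),  # kept for the audit log
    }


# Constructed sample record, as a CRM might hold it.
SAMPLE_TICKET = {
    "ticket_id": "T-1001",
    "subject": "Refund request",
    "body": "Ahmad (0512345678, ahmad@example.com) asks about order 77. ID 1234567890.",
    "customer_phone": "0512345678",
    "national_id": "1234567890",
    "salary": 12000,
}

if __name__ == "__main__":
    print(prepare_payload("ticket_summary", SAMPLE_TICKET, "local-llm"))
```

The returned `dropped_fields` and `cross_border` flag are what you would write to the audit log for each call, so a later review can show what each feature saw and where it went.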

Cicada Tech view

This is where the build-vs-buy and self-host questions stop being theoretical. The safest pattern is to keep personal data inside systems you control, minimize what each tool can see, and be deliberate about anything that leaves the Kingdom.

For most operators, the practical steps are concrete. Make consent a first-class field in the CRM, recorded with a timestamp and scope, and wire opt-out so it actually stops messages. Put role-based access and logging on HR and customer records, and set retention rules so data is not kept past its purpose. Before turning on any AI feature, ask three questions: what personal data does it see, does that data leave the Kingdom, and is there a lawful basis and safeguard for both. Where data sensitivity or transfer rules make it the better call, run AI processing in-Kingdom or self-hosted, including Arabic-capable open models on your own infrastructure, rather than piping records to an overseas API by default.
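The consent and retention steps above (and the CRM consent point earlier in this brief) are easier to get right as a small data model than as a checkbox. The following is an added example, not Cicada Tech's code: an append-only consent ledger where each record carries a timestamp, one channel and one purpose, a later opt-out outranks an earlier opt-in, the campaign sender asks the ledger before every message and records why anyone was skipped, and a retention check compares each record's last use against its purpose's limit. Field names, the `source` field and the retention periods are assumptions.

```python
"""Consent ledger, promotional-send gate and retention check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    channel: str        # "sms", "email", "whatsapp", ... (one channel per record)
    purpose: str        # the scope the consent covers, "marketing" here
    granted: bool       # False records a withdrawal / opt-out
    recorded_at: datetime
    source: str         # where it was captured: "web_form", "stop_reply", ... (assumed field)


class ConsentLedger:
    """Append-only: records are never edited, so the history stays auditable."""

    def __init__(self):
        self._events = []

    def record(self, event):
        if event.recorded_at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def latest(self, customer_id, channel, purpose):
        """Most recent decision for this exact scope, or None if never captured."""
        matching = [e for e in self._events
                    if (e.customer_id, e.channel, e.purpose) == (customer_id, channel, purpose)]
        return max(matching, key=lambda e: e.recorded_at) if matching else None

    def may_send(self, customer_id, channel, purpose="marketing"):
        event = self.latest(customer_id, channel, purpose)
        return event is not None and event.granted


def gate_campaign(ledger, recipients, channel, purpose="marketing"):
    """Split recipients into (allowed, blocked); blocked carries a reason for the audit trail."""
    allowed, blocked = [], []
    for customer_id in recipients:
        event = ledger.latest(customer_id, channel, purpose)
        if event is None:
            blocked.append((customer_id, "no consent record for this channel"))
        elif not event.granted:
            blocked.append((customer_id, f"opted out {event.recorded_at.isoformat()}"))
        else:
            allowed.append(customer_id)
    return allowed, blocked


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    purpose: str
    last_activity: datetime   # last time the record served its stated purpose


# Assumed retention policy per purpose; the periods are illustrative, not legal values.
RETENTION = {"marketing": timedelta(days=365), "contract": timedelta(days=5 * 365)}


def due_for_deletion(records, now, policy=RETENTION):
    """Records held longer than their purpose's retention period."""
    return [r.customer_id for r in records
            if r.purpose in policy and now - r.last_activity > policy[r.purpose]]


# Constructed sample data.
T0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE = ConsentLedger()
SAMPLE.record(ConsentEvent("c1", "sms", "marketing", True, T0, "web_form"))
SAMPLE.record(ConsentEvent("c2", "sms", "marketing", True, T0, "web_form"))
SAMPLE.record(ConsentEvent("c2", "sms", "marketing", False, T0 + timedelta(days=30), "stop_reply"))
SAMPLE.record(ConsentEvent("c3", "email", "marketing", True, T0, "checkout"))  # email only, not SMS

SAMPLE_RECORDS = [
    CustomerRecord("c1", "marketing", T0),
    CustomerRecord("c2", "marketing", T0 + timedelta(days=200)),
    CustomerRecord("c5", "contract", T0),
]

if __name__ == "__main__":
    print(gate_campaign(SAMPLE, ["c1", "c2", "c3", "c4"], "sms"))
    print(due_for_deletion(SAMPLE_RECORDS, T0 + timedelta(days=400)))
```

Consent is keyed on the channel as well as the customer, so an email opt-in does not license an SMS, and the gate returns a reason per skipped recipient so the decision can be shown to a committee rather than reconstructed later.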

A few things should not be overstated. Not every business must appoint a Data Protection Officer or register on SDAIA's platform; that depends on what data you process and whether you transfer it abroad, so check whether you qualify rather than assuming. And none of this is legal advice. Cicada Tech builds software, not legal opinions; confirm your specific obligations with SDAIA or a qualified advisor. The point for an operator is simpler: enforcement is real now, the common violations are things your software either prevents or enables, and the cheapest time to fix consent, access, and data flow is before a complaint, not after a committee decision.

