
KSA PDPL self-assessment — enforcement is here, not coming.

Fifty questions covering eight categories of the Personal Data Protection Law — the same eight categories SDAIA enforcement actions have concentrated on. Each item scores Yes / Partial / No against the obligations the law imposes on Controllers and Processors. Scoring runs live as you work through the items; results persist locally so you can return to them. Unlike DPDP's still-implementing posture, KSA PDPL is fully enforced and SDAIA is actively imposing penalties. The output is a current readiness percentage, category-level gap analysis, and a maturity band that tells you where you actually stand against an enforcement regime that is already operating.

Enforcement reality · 2025-2026 SDAIA enforcement committees have already issued 48 violation decisions.

Common violations: processing without lawful basis · unauthorised disclosure · inadequate safeguards · marketing without explicit consent. This is not a future risk — it is happening now.

SAR 5M civil penalty per breach · 2 years criminal prison risk
01 · Governance, DPO & NDGP registration
7 items · weight 14%

SDAIA's National Data Governance Platform (NDGP) is the operational mechanism through which the regulator monitors compliance. DPO obligation determination and NDGP registration are typically the first questions enforcement officers ask. Get these wrong and the rest of the assessment becomes academic.

01 · DPO obligation has been formally evaluated using SDAIA's NDGP assessment tool. (2 points)
SDAIA provides a self-assessment tool on the National Data Governance Platform. DPO mandatory for: public entities · controllers processing sensitive data at scale · controllers conducting cross-border transfers · controllers processing children's or vulnerable individuals' data. Documented determination required either way.
Reference: PDPL Art. 32 · Implementing Regulation · flagged SDAIA enforcement priority

02 · Where required, DPO has been appointed and registered with SDAIA via the NDGP. (2 points)
DPO contact details registered through the National Data Governance Platform. DPO must be independent, easily reachable by data subjects, and able to liaise with SDAIA. If not required, mark Yes.
Reference: PDPL Art. 32 · NDGP registration · flagged SDAIA enforcement priority

03 · Controller registration on the National Data Governance Platform is complete. (2 points)
Controllers handling sensitive data, conducting cross-border transfers, processing data of children or vulnerable individuals, or operating as public entities must register on the NDGP. Registration is the baseline for SDAIA monitoring.
Reference: Implementing Regulation · NDGP · flagged SDAIA enforcement priority

04 · A PDPL-specific privacy policy has been adopted at executive level. (2 points)
Distinct from a generic privacy policy. Sets organisational position on lawful basis, data subject rights, transfers, breach response, third-party processors. Available in Arabic plus English where international operations exist.
Reference: PDPL · accountability principle

05 · PDPL roles & responsibilities have been documented for every business function processing personal data. (2 points)
Function-level role mapping: HR, Sales, Marketing, Engineering, Finance, Customer Service. Not just "the privacy team." Particularly important for SDAIA enforcement — they ask who is accountable for specific processing activities.
Reference: PDPL · proportionate measures

06 · A PDPL risk register exists and is reviewed at least quarterly. (2 points)
Should track regulatory exposure, control gaps, third-party risks, breach scenarios, cross-border transfer risks. SDAIA increasingly probes risk assessment evidence in enforcement investigations.
Reference: PDPL Art. 19 · reasonable security

07 · PDPL awareness training has been rolled out to all employees handling personal data. (2 points)
Role-specific content. Annual refresh minimum. Evidence retained — completion records, content versioning, comprehension checks. Arabic-language delivery for KSA-resident workforce.
Reference: PDPL · accountability operationalisation
02 · Data inventory & SDAIA 4-tier classification
6 items · weight 11%

SDAIA publishes a four-tier data classification framework that drives the protection requirements applied to each data category. Applying that classification to your inventory is not optional — it is the foundational step that determines which assets require the most rigorous protections and structures every subsequent compliance decision.

08 · A complete inventory of personal data systems exists and is maintained. (2 points)
All applications, databases, cloud services, file shares, SaaS tools, third-party integrations holding personal data. Updated at least quarterly; ideally driven by automated discovery.
Reference: PDPL · accountability evidence

09 · SDAIA's 4-tier data classification has been applied to the entire data inventory. (2 points)
Tier 1 (public) · Tier 2 (general use) · Tier 3 (confidential) · Tier 4 (highly confidential / sensitive). Tier 4 data carries enhanced obligations: explicit consent, enhanced security, DPO oversight, mandatory risk assessments for cross-border transfer.
Reference: SDAIA Data Classification Framework

10 · Sensitive personal data is identified and handled under enhanced controls. (2 points)
Sensitive data under PDPL: religious beliefs, criminal records, biometric data, genetic data, health data, racial/ethnic origin, political opinions. Enhanced obligations: explicit consent, restricted processing, additional security safeguards, DPO oversight.
Reference: PDPL Art. 1 · sensitive data definition

11 · Data flows have been mapped end-to-end across the personal data lifecycle. (2 points)
Collection → use → storage → sharing → retention → deletion. Per-process, not just at organisation level. Vendor and cross-border flows explicit. Required input for cross-border transfer governance.
Reference: PDPL · purpose limitation

12 · Records of Processing Activities (ROPA) document is current and complete. (2 points)
Per-purpose records: lawful basis, categories of data, data subjects, recipients, retention periods, security measures, cross-border transfer mechanism. The auditor's first reference document; SDAIA expects this to exist.
Reference: PDPL Art. 31 · ROPA obligation

13 · Data minimisation is enforced at point of collection. (2 points)
Forms, applications, customer onboarding, employee onboarding. PDPL purpose limitation principle requires only necessary data be collected for the specific declared purpose. Common SDAIA enforcement target.
Reference: PDPL Arts. 11, 13
03 · Lawful basis & consent
7 items · weight 17%

"Processing without lawful basis" is the single most common SDAIA violation finding among the 48 enforcement decisions issued in 2025-2026. Lawful basis quality is the most heavily weighted category — failure here typically means the entire processing operation lacks legal foundation.

14 · Lawful basis is documented for every processing activity. (2.4 points)
PDPL recognises: consent · contract necessity · legal obligation · vital interests · public interest. Documentation must show the specific provision relied on per processing activity. SDAIA's most common enforcement finding is failure here.
Reference: PDPL Arts. 5, 6 · flagged SDAIA enforcement priority

15 · Privacy notices are clear, accessible, and provided in Arabic. (2.4 points)
Plain Arabic language. Specifies data collected, purposes, recipients, retention, data subject rights, DPO contact. Available at point of collection. English provided alongside for international audiences but Arabic is the regulatory baseline.
Reference: PDPL Art. 12 · Implementing Regulation · flagged SDAIA enforcement priority

16 · Consent is collected via affirmative action — explicit, informed, freely given. (2.4 points)
Active opt-in. Granular per purpose where multiple purposes exist. Pre-checked checkboxes are a per se violation. Audit trail of consent events retained — timestamp, version, channel.
Reference: PDPL Art. 5(2) · flagged SDAIA enforcement priority

17 · Marketing consent is collected as a separate, explicit opt-in. (2.4 points)
PDPL is unambiguous: no marketing or promotional communication without explicit opt-in. Consent for service delivery does not authorise marketing. Frequent SDAIA enforcement target — including penalties for unsolicited marketing communications.
Reference: PDPL · Implementing Regulation marketing rules · flagged SDAIA enforcement priority

18 · Consent withdrawal is as easy as consent giving. (2.4 points)
Same channel, same friction level. A user who consents in one click should be able to withdraw in one click. Hidden withdrawal mechanisms are a violation of the principle.
Reference: PDPL Art. 5(4)

19 · Consent records are retained with full audit trail. (2.4 points)
Timestamp, version of notice consented to, channel, IP / device. Retained for the longer of: duration of consent, plus statute-of-limitations period for any related dispute.
Reference: PDPL · accountability evidence

20 · Children's data — verifiable parental consent obtained for under-18 processing. (2.4 points)
Heightened consent requirement. Verifiable parental consent process. Restrictions on profiling and targeting. Aligned with broader GCC posture (UAE Federal Decree 26/2025 sets similar high bar).
Reference: PDPL · Implementing Regulation
04 · Data subject rights
6 items · weight 12%

Data subject rights are operational obligations with strict timelines. PDPL grants rights to access, correct, delete, restrict processing, and withdraw consent. Default response window is 30 days; SDAIA may require response within 10 business days for specific cases. Failure to honour rights triggers enforcement.

21 · A clear, accessible channel exists for data subjects to exercise their rights. (2 points)
Online form, dedicated email, in-app mechanism — at least one. Cannot be hidden behind login walls or buried in policy documents. DPO contact prominent where DPO is required.
Reference: PDPL Art. 4 · 9

22 · Right of access — workflow exists to provide data subjects a summary of processing. (2 points)
Categories of data, summary of processing activities, identities of recipients, retention periods. Operational workflow exists; not just policy text. Within 30-day default response window.
Reference: PDPL Art. 4(2)

23 · Right to correction & deletion — workflows exist and respond within timeline. (2 points)
Both rectification of inaccurate data and deletion when no longer required ("right to be forgotten" added in updated regulations). Backup and downstream-system propagation included in workflow scope.
Reference: PDPL Art. 4 · 9-10

24 · Response timelines are tracked — overdue requests escalated. (2 points)
30-day default tracked. SLA dashboard. Overdue threshold triggers escalation. Audit-ready evidence of timeliness. SDAIA may require shorter 10-business-day responses for specific request types.
Reference: PDPL · Implementing Regulation

25 · Right to withdraw consent operationalised end-to-end. (2 points)
Withdrawal request triggers deletion or restriction across primary systems, backups, vendor processors. Documented workflow. Withdrawal is not just policy text — it is an operational discipline.
Reference: PDPL Art. 5(4)

26 · Complaint & grievance mechanism is published with SDAIA escalation path. (2 points)
Distinct from rights handling. Channel for complaints about processing. Acknowledged escalation path to SDAIA where complaint cannot be resolved internally. Required disclosure in privacy notice.
Reference: PDPL · Art. 9
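Item 24 asks for tracked response timelines with overdue escalation, and the category intro notes a 30-day default window alongside a 10-business-day window SDAIA may require for specific cases. The following is an added example of that tracking logic, written for this page and not code from the tool or from SDAIA. It assumes a Sunday-to-Thursday working week (Friday and Saturday as the weekend), a five-day escalation warning, and the constructed sample requests and public holiday shown; the `Request` class, `deadline`, `status` and `escalation_queue` names are this example's own.

```python
# Response-timeline tracking for data subject requests (item 24): a 30-calendar-day
# default deadline, a 10-business-day deadline for cases SDAIA expedites, overdue
# detection and an escalation queue. Added example, not the page's code; the working
# week (Sunday-Thursday, Friday/Saturday weekend), the 5-day escalation warning and
# the sample requests and holiday are assumptions made here.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

WEEKEND = {4, 5}  # date.weekday(): Monday=0, so Friday=4 and Saturday=5
DEFAULT_WINDOW_DAYS = 30  # calendar days, PDPL default response window
EXPEDITED_BUSINESS_DAYS = 10  # SDAIA-directed window for specific request types


@dataclass
class Request:
    request_id: str
    right: str  # access, correction, deletion, restriction, withdrawal
    received: date
    expedited: bool = False
    completed: Optional[date] = None


def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance n working days from start, skipping the weekend and listed holidays."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() in WEEKEND or current in holidays:
            continue
        counted += 1
    return current


def deadline(req: Request, holidays: FrozenSet[date] = frozenset()) -> date:
    """Calendar-day default window, or business days when the case is expedited."""
    if req.expedited:
        return add_business_days(req.received, EXPEDITED_BUSINESS_DAYS, holidays)
    return req.received + timedelta(days=DEFAULT_WINDOW_DAYS)


def status(req: Request, today: date, holidays: FrozenSet[date] = frozenset(),
           warn_days: int = 5) -> str:
    """on_track / escalate (due within warn_days) / overdue, or the completion outcome."""
    due = deadline(req, holidays)
    if req.completed is not None:
        return "completed_on_time" if req.completed <= due else "completed_late"
    if today > due:
        return "overdue"
    if (due - today).days <= warn_days:
        return "escalate"
    return "on_track"


def escalation_queue(requests: List[Request], today: date,
                     holidays: FrozenSet[date] = frozenset()) -> List[str]:
    """Open requests needing attention, most urgent (earliest deadline) first."""
    needing = [r for r in requests if status(r, today, holidays) in ("overdue", "escalate")]
    return [r.request_id for r in sorted(needing, key=lambda r: deadline(r, holidays))]


# Constructed sample: requests received around March 2025 and one constructed holiday.
HOLIDAYS = frozenset({date(2025, 3, 5)})
TODAY = date(2025, 3, 13)
SAMPLE_REQUESTS = [
    Request("dsr-101", "access", date(2025, 3, 2)),                    # 30 calendar days
    Request("dsr-102", "deletion", date(2025, 3, 2), expedited=True),  # 10 business days
    Request("dsr-103", "correction", date(2025, 1, 20)),               # well past deadline
    Request("dsr-104", "access", date(2025, 2, 1), completed=date(2025, 2, 20)),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.request_id, deadline(r, HOLIDAYS), status(r, TODAY, HOLIDAYS))
    print("escalate:", escalation_queue(SAMPLE_REQUESTS, TODAY, HOLIDAYS))
```

The business-day path is where trackers usually go wrong: the expedited request received on Sunday 2 March 2025 is due on 16 March by working days alone, and the single holiday pushes it to 17 March, so a tracker that counts calendar days would report the wrong deadline in both directions. Keeping the deadline and the status computation in named functions is what makes the dashboard's timeliness evidence reproducible for an audit.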
05 · Security safeguards
6 items · weight 14%

PDPL Article 19 requires "reasonable security safeguards" — interpreted in practice against ISO 27001 / CIS Controls / NCA Essential Cybersecurity Controls baselines. SDAIA enforcement findings have repeatedly cited "failure to implement proper technical and organisational safeguards" as a primary violation.

27 · Encryption is in place for personal data at rest and in transit. (2.33 points)
TLS for transit; AES-256 or equivalent for at-rest. Key management discipline — keys not stored alongside encrypted data. Cloud KMS or equivalent. Tier 4 sensitive data requires enhanced encryption.
Reference: PDPL Art. 19

28 · Access controls follow least-privilege with role-based access & MFA. (2.33 points)
Per-system access reviews. MFA on all administrative access. Privileged access management for high-risk systems. Quarterly access recertification. Aligned with NCA Essential Cybersecurity Controls.
Reference: PDPL Art. 19 · NCA ECC alignment

29 · Vulnerability management is operational with defined remediation SLAs. (2.33 points)
Continuous scanning. Critical vulnerabilities patched within 72 hours. High within 7 days. SLAs tracked; overdue patches escalated.
Reference: PDPL Art. 19

30 · Logging & monitoring covers personal data systems with retention discipline. (2.33 points)
Audit logs of access, modifications, exports. Retention sufficient for forensics (typically 1 year minimum). Monitoring with alerting on anomalous patterns. SIEM/SOC for organisations of meaningful size.
Reference: PDPL Art. 19

31 · Data residency — personal data is hosted in KSA where regulatory or sectoral requirements apply. (2.33 points)
SAMA-regulated banking data must be KSA-resident. NCA-regulated critical infrastructure data must be KSA-resident. Healthcare and public-sector workloads frequently require KSA residency. Microsoft Saudi datacenter region (live Q4 2026), Google Cloud, STC Cloud, AWS Riyadh provide compliant options.
Reference: SAMA · NCA · sectoral overlay

32 · Backup and recovery infrastructure is in place and tested. (2.33 points)
RPO defined per data category. Regular restore tests — not just backup verification. Ransomware-resistant patterns (offline / immutable copies). Backup retention aligned to primary retention schedule.
Reference: PDPL Art. 19 · breach prevention
06 · Breach response & SDAIA notification
5 items · weight 13%

PDPL Art. 20 imposes strict breach notification obligations: 72-hour notification to SDAIA. Failure to notify is itself a violation — separately penalisable from the underlying breach. SDAIA's enforcement priorities have repeatedly emphasised breach notification compliance.

33 · A documented breach response plan exists with defined activation triggers. (2.6 points)
Written plan. Activation criteria. Defined roles (IR commander, legal lead, communications lead, SDAIA liaison). Tested on cadence. See Breach Response.
Reference: PDPL Art. 20 · flagged SDAIA enforcement priority

34 · Breach detection capability is in place with defined alerting. (2.6 points)
SIEM, UEBA, EDR — capability proportionate to organisation size. Alert thresholds calibrated. 24/7 monitoring or on-call rotation for critical systems.
Reference: PDPL Art. 19 · 20

35 · SDAIA notification workflow is operational and tested — 72-hour deadline. (2.6 points)
Initial notification template. NDGP-based notification channel established. Designated notifier identified. 72-hour clock starts on awareness, not on confirmation. Practice run conducted at least once.
Reference: PDPL Art. 20 · NDGP notification channel · flagged SDAIA enforcement priority

36 · Data subject notification process exists for affected individuals. (2.6 points)
Channel established. Pre-prepared message templates in Arabic. Mass-notification capability for breach affecting many individuals. Cannot wait until breach to design this.
Reference: PDPL Art. 20

37 · Tabletop exercises run at least annually testing the breach response. (2.6 points)
Realistic scenarios. Cross-functional participation including legal, comms, technical, executive, DPO. Lessons learned captured and actioned. Documented evidence retained.
Reference: PDPL · operational discipline
07 · Cross-border transfers
5 items · weight 13%

PDPL Art. 29 governs cross-border data transfers and is materially stricter than equivalent international frameworks. SDAIA has not published an adequacy country list — meaning all transfers outside KSA require explicit transfer mechanisms or specific exceptions. Cross-border governance is one of the most operationally complex PDPL areas.

38 · All cross-border transfers of personal data are inventoried. (2.6 points)
Inventory of every flow leaving KSA: cloud providers, SaaS platforms, vendors, intra-group transfers, support and analytics functions. Per-flow: destination country, data categories, lawful basis for transfer, mechanism relied on.
Reference: PDPL Art. 29

39 · Transfer mechanism is in place for each cross-border flow. (2.6 points)
Standard Contractual Clauses (SDAIA-approved templates) or Binding Corporate Rules (SDAIA-approved). Adequacy decisions: SDAIA has not published an adequacy list, so transfers cannot rely on adequacy alone. Article 29 exceptions strictly construed.
Reference: PDPL Art. 29 · SDAIA SCCs · flagged SDAIA enforcement priority

40 · Transfer Impact Assessment (TIA) conducted for sensitive data transfers. (2.6 points)
Tier 4 / sensitive data transfers require risk assessment. Documents the destination country's legal framework, recipient's safeguards, and the residual risk. Required for SDAIA authorisation requests.
Reference: PDPL Art. 29 · sensitive data overlay

41 · SDAIA authorisation has been obtained where required. (2.6 points)
Specific transfer scenarios require explicit SDAIA authorisation — particularly large-volume sensitive data transfers and transfers to jurisdictions with weak data protection regimes. Authorisation evidence retained.
Reference: PDPL Art. 29

42 · Cross-border transfer log is maintained with monitoring discipline. (2.6 points)
Per-transfer log: date, volume, destination, lawful basis, mechanism. Periodically reviewed. Used to support SDAIA disclosure requests during enforcement investigations.
Reference: PDPL Art. 29 · accountability
08 · Vendor governance & retention
8 items · weight 6%

Under PDPL the Controller remains accountable for processor actions. Combined with retention discipline, this category covers the operational backbone of compliance — the things that frequently break first when programmes lose discipline. Lower weighted because gaps here are typically remediable; higher-weighted categories represent more existential failures.

43 · A complete inventory of Data Processors exists. (0.75 points)
All vendors processing personal data on behalf of the organisation — cloud providers, SaaS tools, analytics platforms, marketing vendors, payroll, recruitment, customer support tools.
Reference: PDPL · Implementing Regulation

44 · Data Processing Agreements are in place with every processor. (0.75 points)
DPA terms specifying processor obligations, audit rights, sub-processor consent, breach notification, return / deletion at engagement end. Standard contractual control. See Vendor Risk Management.
Reference: PDPL · accountability principle

45 · Vendor due diligence process exists with risk-based depth. (0.75 points)
Onboarding security questionnaire. Tier-based assessment depth. Refresh cadence. Documented evidence retained. Particularly important for processors handling Tier 4 sensitive data.
Reference: PDPL · proportionate oversight

46 · Sub-processor consent and notification mechanism is operational. (0.75 points)
Authorisation regime — general or specific. Notification of changes. Right to object. Cascade flow-down to sub-processors documented. Particular focus where sub-processors host outside KSA.
Reference: PDPL · processor obligations

47 · Retention schedules exist per data category and per purpose. (0.75 points)
Documented retention period per data type. Justification linked to original purpose or statutory obligation. Reviewed annually for currency.
Reference: PDPL Art. 18 · storage limitation

48 · Automated deletion workflows enforce retention schedules. (0.75 points)
Time-based deletion automation. Manual deletion as exception, not norm. Evidence retained that deletion actually occurred.
Reference: PDPL Art. 18

49 · Backup retention follows the same retention schedule as primary data. (0.75 points)
Most common PDPL retention gap. Backups frequently outlive their primary data — and those backups remain in scope. Backup retention windows must align with primary retention.
Reference: PDPL Art. 18 · operational discipline

50 · Erasure rights from data subjects propagate to backups, archives, and processors. (0.75 points)
End-to-end deletion workflow. Vendor processor cooperation contractually required. Evidence of full propagation retained. Most challenging integration in practice.
Reference: PDPL Art. 4 · 18
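Items 47 to 50 describe one procedure: a retention schedule per category and purpose, automated time-based deletion, backups that must not outlive the primary schedule, and erasure that is only complete once every system in scope has confirmed. The following is an added example of that procedure written for this page; it is not the tool's or SDAIA's code. The schedule lines, retention periods, record dates, backup sets and system names are constructed, and the `RetentionRule`, `Record`, `rule_for`, `records_due_for_deletion`, `backup_alignment_gaps` and `erasure_propagation_status` names are this example's own.

```python
# Retention schedule enforcement for items 47-50: a per-category/per-purpose
# schedule, time-based deletion with legal hold as the documented exception,
# a check that backup sets do not outlive the primary schedule, and an
# erasure-propagation status that is complete only when every system in scope
# has confirmed. Added example, not the page's or SDAIA's code; the schedule
# lines, record dates, backup sets and system names below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """One schedule line (item 47): retention per data category and purpose."""
    category: str
    purpose: str
    retain_days: int
    justification: str  # original purpose or statutory obligation (PDPL Art. 18)


@dataclass
class Record:
    record_id: str
    category: str
    purpose: str
    collected: date
    legal_hold: bool = False  # suspends deletion; must be a documented exception


# Constructed schedule; the periods are illustrative, not a statement of KSA law.
SCHEDULE: Dict[Tuple[str, str], RetentionRule] = {
    ("customer_contact", "service_delivery"): RetentionRule(
        "customer_contact", "service_delivery", 730, "contract lifetime plus dispute window"),
    ("customer_contact", "marketing"): RetentionRule(
        "customer_contact", "marketing", 365, "consent-based; reviewed annually"),
    ("payroll", "employment"): RetentionRule(
        "payroll", "employment", 3650, "statutory record-keeping obligation"),
}


def rule_for(category: str, purpose: str) -> RetentionRule:
    """A record with no schedule line has no justified retention period: surface it as a gap."""
    try:
        return SCHEDULE[(category, purpose)]
    except KeyError:
        raise LookupError(f"no retention rule for {category}/{purpose}") from None


def deletion_due_on(record: Record) -> date:
    return record.collected + timedelta(days=rule_for(record.category, record.purpose).retain_days)


def records_due_for_deletion(records: List[Record], today: date) -> List[str]:
    """Item 48: time-based deletion; only a legal hold keeps an expired record."""
    return [r.record_id for r in records
            if not r.legal_hold and today >= deletion_due_on(r)]


def backup_alignment_gaps(
        backup_sets: Dict[str, Tuple[int, List[Tuple[str, str]]]]) -> List[Tuple[str, str, str, int]]:
    """Item 49: flag each (backup set, category, purpose) whose retention exceeds the
    primary schedule, with the excess in days. backup_sets maps a set name to
    (retention days, list of (category, purpose) pairs it contains)."""
    gaps = []
    for name, (days, contents) in backup_sets.items():
        for category, purpose in contents:
            limit = rule_for(category, purpose).retain_days
            if days > limit:
                gaps.append((name, category, purpose, days - limit))
    return gaps


def erasure_propagation_status(confirmations: Dict[str, Optional[date]]) -> Tuple[bool, List[str]]:
    """Item 50: an erasure request is complete only when every system in scope
    (primary, backups, archives, processors) has a confirmation date."""
    outstanding = [system for system, when in confirmations.items() if when is None]
    return (not outstanding, outstanding)


# Constructed inputs.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("c-1", "customer_contact", "marketing", date(2024, 1, 10)),
    Record("c-2", "customer_contact", "service_delivery", date(2024, 1, 10)),
    Record("c-3", "customer_contact", "marketing", date(2024, 1, 10), legal_hold=True),
]
SAMPLE_BACKUPS = {
    "nightly-db": (400, [("customer_contact", "marketing"), ("customer_contact", "service_delivery")]),
}
SAMPLE_ERASURE = {"crm": date(2025, 5, 20), "nightly-db": None, "vendor-x": None}

if __name__ == "__main__":
    print("due for deletion:", records_due_for_deletion(SAMPLE_RECORDS, TODAY))
    print("backup gaps:", backup_alignment_gaps(SAMPLE_BACKUPS))
    print("erasure complete:", erasure_propagation_status(SAMPLE_ERASURE))
```

Two design points carry the weight here. A record whose category and purpose have no schedule line raises rather than silently being kept, because an unjustified retention period is exactly the gap item 47 is about. And the backup check is keyed to the same schedule as primary deletion, so a 400-day backup of marketing contact data shows up as 35 days over the 365-day line, while the same backup is within limits for service-delivery data.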
Your verdict

Where you actually stand.

The composite score below weights each category by SDAIA enforcement focus — not all 50 items count equally. Lawful-basis and consent failures carry the highest weight because SDAIA's 48 enforcement decisions concentrated heavily there. Cross-border transfer failures and SDAIA notification failures are next. Vendor and retention items are weighted lower not because they don't matter, but because they are typically remediable with focused effort.

PDPL is fully enforced and SDAIA is actively imposing penalties — under-scoring is more useful than over-scoring; the goal is an honest baseline, not a flattering one.

Scoring methodology

How the score works.

Each item scores Yes (full credit) / Partial (half credit) / No (zero). Items within a category sum to the category's weighted contribution. The maturity bands below reflect active enforcement reality — not a future deadline. Items flagged as "SDAIA enforcement priority" represent areas where SDAIA's 48 enforcement decisions have most consistently focused.

Band · Score · Interpretation in active enforcement context

Acute exposure · below 30% · Substantial PDPL gaps across most categories with material enforcement risk. Civil penalties up to SAR 5 million per breach are real, not theoretical. Treat as urgent — not a build over months but a focused 60-90 day remediation sprint on enforcement-priority items first.

Catching up · 30-55% · Foundation visible, core gaps remain. Typical state for organisations that started PDPL work after the September 2024 enforcement deadline rather than before. Realistic 6-month focused remediation; concentrate first on lawful basis, NDGP registration, marketing consent.

Operationally compliant · 55-75% · Most obligations operational; specific gaps remain. Typical state for organisations with mature data protection programmes. The gap-closing work is targeted; the core programme exists. SDAIA inspection would identify specific findings rather than systemic failures.

Audit-ready · 75-90% · Programme operating at near-full coverage. Remaining gaps are usually specific high-effort items: full backup-retention alignment, end-to-end erasure propagation, sophisticated cross-border transfer mechanisms. Stands up to SDAIA inspection scrutiny.

PDPL-mature · above 90% · Comprehensive operational compliance. Maintenance discipline rather than build effort. Honest 90%+ self-assessments are uncommon — under-scoring is more useful than over-scoring. Most KSA organisations on this band are also pursuing ISO 27701 certification.
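The scoring method above (Yes full credit, Partial half, No zero; categories weighted by enforcement focus; a maturity band from the composite) is concrete enough to run. The following is an added example of that computation, written for this page; it is not the tool's own scoring code. Category names, item counts, weights and band thresholds are taken from the page. Scaling each category's weight by the fraction of credit earned, rather than summing the per-item point values printed on the page, is a choice made here so that category totals equal the stated weights exactly; counting an unanswered item as No and treating each band's lower bound as inclusive are further assumptions. The sample answers are constructed.

```python
# Composite KSA PDPL readiness score as described in the scoring methodology:
# Yes = full credit, Partial = half, No = zero; each category contributes its
# weight scaled by the fraction of credit earned; the total lands in a maturity band.
# Added example, not the page's own scoring code. Category names, item counts,
# weights and band thresholds are copied from the page; treating an unanswered
# item as No and a band's lower bound as inclusive are assumptions.
from typing import Dict, List, Tuple

CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# (category, number of items, weight in percent), in page order; weights sum to 100
CATEGORIES: List[Tuple[str, int, int]] = [
    ("Governance, DPO & NDGP registration", 7, 14),
    ("Data inventory & SDAIA 4-tier classification", 6, 11),
    ("Lawful basis & consent", 7, 17),
    ("Data subject rights", 6, 12),
    ("Security safeguards", 6, 14),
    ("Breach response & SDAIA notification", 5, 13),
    ("Cross-border transfers", 5, 13),
    ("Vendor governance & retention", 8, 6),
]

# Maturity bands: (inclusive lower bound in percent, name), highest first
BANDS: List[Tuple[int, str]] = [
    (90, "PDPL-mature"),
    (75, "Audit-ready"),
    (55, "Operationally compliant"),
    (30, "Catching up"),
    (0, "Acute exposure"),
]


def category_fraction(answers: List[str], item_count: int) -> float:
    """Fraction of available credit earned in one category (0.0 to 1.0).
    Missing answers count as No; extra or unknown answers are rejected."""
    if len(answers) > item_count:
        raise ValueError(f"{len(answers)} answers for {item_count} items")
    earned = 0.0
    for answer in answers:
        key = answer.strip().lower()
        if key not in CREDIT:
            raise ValueError(f"answer must be Yes/Partial/No, got {answer!r}")
        earned += CREDIT[key]
    return earned / item_count


def band_for(composite_pct: float) -> str:
    for lower, name in BANDS:
        if composite_pct >= lower:
            return name
    return BANDS[-1][1]


def composite_score(answers_by_category: Dict[str, List[str]]) -> Dict:
    """Weighted composite in percent, its band, and a per-category gap analysis."""
    total = 0.0
    categories = {}
    for name, count, weight in CATEGORIES:
        frac = category_fraction(answers_by_category.get(name, []), count)
        contribution = frac * weight
        total += contribution
        categories[name] = {
            "pct": round(frac * 100, 1),
            "contribution": round(contribution, 2),
            "gap": round(weight - contribution, 2),  # weighted points still unearned
        }
    return {"composite_pct": round(total, 1), "band": band_for(total), "categories": categories}


def priority_gaps(result: Dict) -> List[Tuple[str, float]]:
    """Categories ordered by weighted gap, largest first; ties keep page order."""
    return sorted(
        ((name, info["gap"]) for name, info in result["categories"].items()),
        key=lambda pair: -pair[1],
    )


# Constructed sample answers for a partially compliant programme.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "Governance, DPO & NDGP registration": ["yes"] * 7,
    "Data inventory & SDAIA 4-tier classification": ["yes"] * 6,
    "Lawful basis & consent": ["yes", "yes", "yes", "yes", "partial", "partial", "partial"],
    "Data subject rights": ["yes", "yes", "yes", "no", "no", "no"],
    "Security safeguards": ["partial"] * 6,
    "Breach response & SDAIA notification": ["no"] * 5,
    "Cross-border transfers": ["yes"] * 5,
    "Vendor governance & retention": [],  # nothing answered yet: scored as No
}

if __name__ == "__main__":
    result = composite_score(SAMPLE_ANSWERS)
    print(f"{result['composite_pct']}% -> {result['band']}")
    for name, gap in priority_gaps(result)[:3]:
        print(f"  close first: {name} ({gap} weighted points)")
```

With the sample answers the composite is 64.4%, which lands in Operationally compliant, and the gap ranking puts breach response first (13 weighted points unearned) ahead of security safeguards (7) even though the vendor category has just as many unanswered items: that ordering is the weighting doing what the methodology paragraph says it does, steering remediation toward the categories SDAIA's enforcement decisions concentrated on.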

This tool is a working baseline, not a regulatory determination. SDAIA determines compliance through formal investigation; nothing here substitutes for that. The tool's value is in honest internal assessment — identifying where remediation effort should concentrate before the next enforcement decision affects you. For substantive review of your PDPL posture or response to active SDAIA scrutiny, a Readiness Review or DPO-as-a-Service engagement is the natural next step.

Enforcement is here. Be ready.

SDAIA has issued 48 violation decisions in the past year. The question is no longer whether enforcement will happen — it is whether your organisation is positioned to withstand it. If your score reveals gaps you cannot close internally, a 30-minute scoping call costs nothing — we will tell you honestly whether the gap is closeable with focused effort or requires a substantial programme, and what realistic remediation looks like for your specific situation.
