
SDAIA's 48 PDPL Enforcement Decisions: Saudi Financial Institutions Now Face Real Legal Exposure

SDAIA has formally issued 48 enforcement decisions under Saudi Arabia's PDPL. For financial institutions regulated by SAMA, this marks a decisive shift from documentation-based compliance to operational accountability — and the window to self-correct is closing.

FyntraLink Team

Saudi Arabia's Personal Data Protection Law has moved decisively from an awareness phase to an enforcement phase. As of early 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) has formally issued 48 enforcement decisions, covering violations ranging from unlawful data collection to the failure to implement adequate security safeguards. For CISOs and compliance officers at SAMA-regulated institutions, this is no longer a theoretical risk.

What the 48 Enforcement Decisions Tell Us About SDAIA's Priorities

The enforcement decisions issued so far reveal a clear pattern in how SDAIA is prioritizing its investigations. The most common violations fall into three categories: processing personal data without a valid legal basis, disclosing personal data to third parties without lawful justification, and failing to implement appropriate technical and organizational safeguards. Notably, enforcement is not limited to high-profile breaches — SDAIA has pursued organizations for systemic compliance failures even in the absence of a confirmed data leak. The breadth of enforcement signals that SDAIA is conducting proactive reviews, not simply reacting to incidents. For financial institutions that assumed enforcement would focus on egregious breaches, this is a wake-up call.

The Shift from Documentation to Operational Proof

The most consequential change in 2026 PDPL enforcement is the standard of evidence required. Policy documents, privacy notices, and data mapping spreadsheets are no longer sufficient to demonstrate compliance. SDAIA is now evaluating organizations against operational readiness — meaning auditors want to see functioning data subject request workflows, live records of processing activities, documented transfer impact assessments for cross-border data flows, and technical controls that can be tested in real time. This mirrors the trajectory of Europe's GDPR enforcement maturity, where regulators moved from accepting privacy policies as proof to demanding live demonstrations of data minimization, consent management, and breach response capabilities. Saudi institutions that built compliance programmes around documentation rather than controls are now structurally exposed.

Why This Is a SAMA Compliance Issue, Not Just a Privacy Issue

SAMA's Cyber Security Controls (CSCC Version 2) and the NCA's Essential Cybersecurity Controls (ECC-2: 2024) both contain requirements that directly intersect with PDPL obligations. CSCC Control Domain 3 covers data and information asset classification, while Domain 5 mandates access control and identity governance for systems holding personal data. NCA ECC-2 Article 2-13 requires organizations to document and enforce data handling procedures aligned with applicable privacy legislation — explicitly referencing PDPL compliance. This means a PDPL violation that stems from weak access controls or an undocumented third-party sharing arrangement is simultaneously a potential finding under a SAMA or NCA examination. Financial institutions can no longer treat PDPL compliance as a separate legal workstream managed only by the DPO; it must be integrated into the security operations programme.

The Cross-Border Transfer Trap

One of the highest-risk areas currently under SDAIA scrutiny is cross-border data transfer. Saudi financial institutions routinely share customer and transaction data with correspondent banks, international card networks, cloud service providers, and third-party software vendors domiciled outside the Kingdom. Under the amended PDPL, any transfer of personal data outside Saudi Arabia requires either the recipient country to meet an adequacy standard determined by SDAIA, or the existence of a contractual mechanism (such as standard contractual clauses approved by SDAIA), or documented explicit consent from data subjects. Many institutions have not mapped these flows in sufficient detail to demonstrate compliance. A common gap is the implicit transfer of data to cloud infrastructure located in non-adequate jurisdictions — for instance, SaaS platforms where data residency settings were never configured, resulting in personal data replicating to US or European data centres without a lawful transfer mechanism in place.

Priority Actions for Saudi Financial CISOs in Q2 2026

  1. Complete your SDAIA registration without delay. Controllers processing sensitive financial data are required to register on SDAIA's National Data Governance Platform. Non-registration is itself an enforceable violation. If your institution has not confirmed registration status, treat this as an immediate priority.
  2. Conduct a cross-border transfer audit. Map every system and third-party integration that touches personal data, identify the jurisdiction where data resides or transits, and confirm that a compliant transfer mechanism exists. Pay particular attention to cloud SaaS tools deployed by business units without formal security review.
  3. Operationalize your data subject request process. SDAIA has specifically cited failures to respond to data access, correction, and deletion requests as a violation category. Build a ticketed workflow with defined SLAs, assign ownership, and document responses.
  4. Align your DPO with your CISO programme. The DPO should be directly involved in vendor security assessments, incident response planning, and access control reviews — not operating as a standalone legal function producing documentation.
  5. Simulate a SDAIA examination. Commission a gap assessment against PDPL operational requirements using an independent third party. Document findings and remediation plans to demonstrate good-faith compliance effort, which regulators typically factor into penalty decisions.
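As an added example (not Fyntralink's tooling and not code from the original article), the following Python script carries out the cross-border transfer audit described in the section above and in action item 2: every data flow in an inventory is checked for in-Kingdom residency, an adequate recipient jurisdiction, or a declared contractual mechanism or explicit consent, and SaaS tools whose residency setting was never pinned are flagged because their storage location cannot be proven. The ADEQUATE_JURISDICTIONS set, the mechanism labels and every inventory row are placeholders that must be replaced with the institution's real data-flow map and SDAIA's actual adequacy determinations.

```python
"""Cross-border transfer audit over a constructed data-flow inventory.

Added example; the inventory, the adequacy list and the mechanism
labels are assumptions to be replaced with real institutional data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOME = "SA"
# Placeholder: substitute SDAIA's published adequacy determinations.
ADEQUATE_JURISDICTIONS = {"SA"}
# Placeholder labels for the three lawful routes named in the article.
VALID_MECHANISMS = {"adequacy", "scc", "explicit_consent"}


@dataclass(frozen=True)
class DataFlow:
    system: str
    data_categories: Tuple[str, ...]
    regions: Tuple[str, ...]        # where personal data is stored or transits
    residency_configured: bool      # has the vendor's residency setting been pinned?
    mechanism: Optional[str]        # declared lawful transfer mechanism, if any


@dataclass(frozen=True)
class Finding:
    system: str
    severity: str                   # "ok" | "review" | "violation"
    reason: str


def assess(flow: DataFlow) -> Finding:
    """Classify one data flow against the transfer rules."""
    # An unpinned SaaS tenant may replicate anywhere, so location is unprovable.
    if not flow.residency_configured:
        return Finding(flow.system, "violation",
                       "data residency never configured; storage location unprovable")
    foreign = [r for r in flow.regions if r != HOME]
    if not foreign:
        return Finding(flow.system, "ok", "data remains in-Kingdom")
    non_adequate = [r for r in foreign if r not in ADEQUATE_JURISDICTIONS]
    if not non_adequate:
        return Finding(flow.system, "ok", "all recipient jurisdictions are adequate")
    # Adequacy cannot be the basis for a jurisdiction that is not on the list.
    if flow.mechanism == "adequacy":
        return Finding(flow.system, "violation",
                       f"adequacy claimed for non-adequate jurisdictions {non_adequate}")
    if flow.mechanism in VALID_MECHANISMS:
        return Finding(flow.system, "review",
                       f"{flow.mechanism} declared for {non_adequate}; verify the contract is on file")
    return Finding(flow.system, "violation",
                   f"no lawful transfer mechanism for {non_adequate}")


def audit(flows: List[DataFlow]) -> List[Finding]:
    return [assess(f) for f in flows]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"ok": 0, "review": 0, "violation": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory (hypothetical systems and regions).
SAMPLE_INVENTORY = [
    DataFlow("core-banking", ("national_id", "account_balance"), ("SA",), True, None),
    DataFlow("card-network-settlement", ("card_pan", "transaction"), ("SA", "US"), True, "scc"),
    DataFlow("marketing-saas", ("email", "name"), ("US", "EU"), False, None),
    DataFlow("hr-cloud", ("national_id", "salary"), ("SA", "EU"), True, "adequacy"),
    DataFlow("analytics-vendor", ("transaction", "income"), ("SA", "US"), True, None),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity:<9} {f.system:<26} {f.reason}")
    print(summarize(results))
```

The residency check is evaluated before anything else on purpose: a declared mechanism is meaningless if the institution cannot state where the data actually sits, which is exactly the gap the article describes for business-unit SaaS deployments.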

The Penalty Structure Is Material

PDPL penalties are substantial enough to constitute a reportable risk event for listed entities. Maximum fines reach SAR 5 million for first offences, rising to SAR 10 million for repeated violations. Where a breach involves sensitive personal data — which in the financial sector typically includes income data, credit history, and national ID numbers — the regulatory threshold for investigation is lower and the enforcement timeline is faster. Beyond fines, SDAIA retains the authority to order processing restrictions, which in a financial institution context could mean operational disruptions to customer onboarding, credit decisioning, or marketing functions pending compliance remediation.

Conclusion

The issuance of 48 enforcement decisions is not a warning shot — it is confirmation that PDPL enforcement is operational and accelerating. Saudi financial institutions that have treated the PDPL as a compliance checkbox exercise rather than an integrated operational requirement now face material legal, reputational, and regulatory exposure. The convergence of PDPL, SAMA CSCC, and NCA ECC obligations means that closing these gaps requires a coordinated security and governance programme, not a documentation refresh. The institutions that act now will be in a demonstrably stronger position when SDAIA examinations reach their sector.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that maps your current posture across PDPL, SAMA CSCC, and NCA ECC requirements.