Regulatory movement
10 Legal Updates in Saudi Arabia’s Technology and Data Laws
In February 2025, the Saudi Data & AI Authority (SDAIA) introduced a Risk Assessment Guideline for transferring personal data outside the Kingdom of Saudi Arabia (KSA). This new guideline provides businesses with a structured methodology for assessing risks and implementing safeguards to enable cross-border personal data transfers in compliance with the Personal Data Protection Law (PDPL), its Implementing Regulations and the Regulation on Personal Data Transfer Outside the Kingdom (Transfer Regulations). While the guideline itself is not legally binding, it serves as an essential reference for businesses to ensure their data transfer strategies align with regulatory expectations.
Cross-border data flows have become a fundamental part of modern business, and questions on personal data transfers remain a key concern for clients.
The PDPL and Transfer Regulations streamline cross-border data transfer mechanisms to align them with international standards, such as the EU General Data Protection Regulation (GDPR). They generally follow an adequacy system, whereby data transfers are permitted outside of the KSA to countries that will be evaluated by SDAIA as providing an appropriate level of data protection. However, the adequacy list has not yet been issued. Until the adequacy list is available, or in cases where transfers are made to countries that SDAIA has not included in the list when it is published, organisations are required to implement appropriate safeguards, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), when transferring personal data.
In addition, the Transfer Regulations require businesses to conduct a risk assessment before transferring or disclosing personal data outside of the KSA in the following cases:
The Risk Assessment Guideline helps businesses meet this obligation by introducing a step-by-step risk assessment framework that allows them to identify, assess and mitigate risks before proceeding with data transfers.
The Data Transfer Regulations set out minimum elements for data transfer risk assessments, including:
The Risk Assessment Guideline outlines a four-phase approach to conducting a data transfer risk assessment, in a manner that assesses the required elements as follows:
It is worth noting that the triggers, minimum requirements and procedures for transfer risk assessments are distinct from those set out for data processing impact assessments (DPIAs) under the PDPL and its regulations.
SDAIA has provided supporting tools on its online platform to streamline the process of conducting data transfer risk assessments.
Navigating personal data exports out of the KSA can be challenging, as businesses must not only assess risks but also develop legally compliant mechanisms and defensible strategies to protect themselves from potential penalties and reputational harm.
Organisations should therefore consider taking the following actions in light of the publication of the Risk Assessment Guideline:
If you would like to discuss how we can proactively assist you in managing risk and ensuring compliance with the latest regulatory developments, please contact Lamisse Bajunaid.