
Saudi PDPL — Personal Data Protection Assessment


    Overview

    Draft and validate data protection compliance documentation under Saudi Arabia’s Personal Data Protection Law (Royal Decree M/19 of 2021, amended 2023) and its Implementing Regulations. Covers the data inventory, lawful basis and consent, cross-border transfers, data subject rights, retention periods, DPO designation, and 72-hour breach notification to SDAIA.

    Example Conversation

    You: We need Saudi PDPL compliance documentation. We have to document lawful basis per processing, cross-border transfers (SDAIA), 72-hour breach notification, data subject rights, retention, and DPO. Can you draft it and run the checker?

    Agent: I’ll draft the compliance document with data inventory, lawful basis per activity, cross-border transfer mechanism (SDAIA adequacy or safeguards), data subject rights (know, access, correct, destroy, object, portability), 72-hour breach notification to SDAIA, retention periods, and DPO/privacy responsible designation. Then I’ll run sa_pdpl_compliance_checker.

    Agent: Created sa-pdpl-compliance.md. Running sa_pdpl_compliance_checker

    Agent: Check PASS — lawful basis per processing is documented, cross-border transfer mechanism is in place, data subject rights are addressed, 72-hour breach notification to SDAIA is documented, retention periods are specified, and DPO is designated. Ready for legal review.

    What the Tools Validate

    sa_pdpl_compliance_checker scans the compliance document for:

    • Lawful basis — Each processing activity must have a specified lawful basis under the PDPL (e.g. consent, contract, legal obligation).
    • Cross-border transfer mechanism — SDAIA adequacy list or permitted exemptions/safeguards must be documented.
    • Data subject rights — Right to know, access, correct, destroy, object, and portability must be addressed.
    • Breach notification — Procedure for notifying SDAIA within 72 hours of becoming aware of a breach (and affected individuals where required) must be documented.
    • Data retention periods — Retention periods for personal data must be specified.
    • DPO / privacy responsible — Designation of a DPO or privacy responsible must be documented where required.

    Output: PASS if all are present; otherwise FAIL with a line per missing element. Fix gaps and re-run until the check passes.
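The following is an added illustration of how a checker of this shape can be built; it is not the page’s sa_pdpl_compliance_checker and its heading names, keyword rules and sample document are assumptions. It finds each required markdown section, tests the section body for the element the list above asks for, verifies that every bullet under "Lawful basis" names a basis, and prints one line per gap in the same PASS/FAIL layout as the report excerpt below. The sample document extends the page’s excerpt with the sections the excerpt omits and is constructed for the example.

```python
import re

# Lawful bases accepted in a processing bullet (assumption: keyword heuristics,
# not the rules of the page's own sa_pdpl_compliance_checker).
LAWFUL_BASES = ("consent", "contract", "legal obligation", "legitimate interest",
                "vital interest", "public interest")

# Element -> (heading regex, [(label, regex that must appear in the section body)])
REQUIRED = {
    "Cross-border transfer mechanism": (r"cross.?border|transfer", [
        ("SDAIA adequacy or safeguards", r"SDAIA|adequacy|safeguard|exemption")]),
    "Data subject rights": (r"rights", [
        ("know", r"know|informed"), ("access", r"access"), ("correct", r"correct"),
        ("destroy", r"destroy|delet"), ("object", r"object"), ("portability", r"portab")]),
    "Breach notification": (r"breach", [
        ("72-hour deadline", r"72\s*hours"), ("notification to SDAIA", r"SDAIA")]),
    "Data retention periods": (r"retention", [
        ("concrete period", r"\d+\s*(year|month|day)s?|retention schedule")]),
    "DPO / privacy responsible": (r"dpo|data protection officer|privacy", [
        ("designation", r"DPO|data protection officer|privacy responsible")]),
}


def section(doc: str, heading_re: str) -> str:
    """Return the body of the first markdown heading whose text matches heading_re."""
    lines = doc.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("#") and re.search(heading_re, line.lstrip("#").strip(), re.I):
            body = []
            for nxt in lines[i + 1:]:
                if nxt.startswith("#"):
                    break
                body.append(nxt)
            return "\n".join(body).strip()
    return ""


def check_lawful_basis(doc: str) -> list[str]:
    """Every bullet under 'Lawful basis' must name a basis; report each that does not."""
    body = section(doc, r"lawful basis")
    if not body:
        return ["Lawful basis: section missing"]
    bullets = [l.strip()[1:].strip() for l in body.splitlines()
               if l.strip().startswith(("-", "*"))]
    if not bullets:
        return ["Lawful basis: no processing activities listed"]
    return [f"Lawful basis: none stated for '{b.split(':', 1)[0]}'"
            for b in bullets if not any(base in b.lower() for base in LAWFUL_BASES)]


def run_check(doc: str) -> tuple[str, list[str]]:
    """Return ('PASS', []) or ('FAIL', [one line per missing element])."""
    missing = check_lawful_basis(doc)
    for element, (heading_re, needles) in REQUIRED.items():
        body = section(doc, heading_re)
        if not body:
            missing.append(f"{element}: section missing")
            continue
        gaps = [label for label, rx in needles if not re.search(rx, body, re.I)]
        if gaps:
            missing.append(f"{element}: not addressed ({', '.join(gaps)})")
    return ("PASS" if not missing else "FAIL"), missing


def format_report(name: str, doc: str) -> str:
    """Render the result in the same shape as the report excerpt on the page."""
    result, missing = run_check(doc)
    lines = ["=== SAUDI PDPL COMPLIANCE CHECK ===", f"Result: {result}", f"Document: {name}"]
    lines += [f"MISSING: {m}" for m in missing] or ["All required elements are present."]
    return "\n".join(lines)


# Constructed sample: the page's excerpt plus the sections it leaves out.
SAMPLE_DOC = """\
## Lawful basis
- Customer onboarding and KYC: consent and legal obligation (AML).
- HR and payroll: contract performance and legal obligation.
- Marketing: consent; opt-out mechanism available.

## Cross-border transfers
- Transfers to group entities rely on SDAIA adequacy decisions or approved safeguards.

## Data subject rights
- Right to know, access, correct, destroy, object and portability handled via the privacy portal.

## Breach notification
- Breaches that pose a risk to rights are reported to SDAIA within **72 hours** of becoming aware.

## Retention
- Customer data: 5 years after relationship end; then deleted or anonymised.

## DPO
- A Data Protection Officer is designated; contact details are published in the privacy notice.
"""

if __name__ == "__main__":
    print(format_report("sa-pdpl-compliance.md", SAMPLE_DOC))
    # Drop the DPO section to see a FAIL with one line per missing element.
    print(format_report("sa-pdpl-compliance.md", SAMPLE_DOC.split("## DPO")[0]))
```

Because the check is keyword-based, a PASS only means the document mentions each element; it is a gap finder before legal review, not a substitute for it, which is also how the page positions the real tool.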

    Output Excerpt

    Compliance document (excerpt):

    ## Lawful basis
    - Customer onboarding and KYC: consent and legal obligation (AML).
    - HR and payroll: contract performance and legal obligation.
    - Marketing: consent; opt-out mechanism available.
    
    ## Breach notification
    - Breaches that pose a risk to rights are reported to SDAIA within **72 hours** of becoming aware. Affected individuals are notified in accordance with the PDPL and Implementing Regulations. Internal incident register maintained.
    
    ## Retention
    - Customer data: 5 years after relationship end (legal requirement); then deleted or anonymised.
    - HR data: per labour law and internal retention schedule.
    

    sa_pdpl_compliance_checker report (excerpt):

    === SAUDI PDPL COMPLIANCE CHECK ===
    Result: PASS
    Document: sa-pdpl-compliance.md
    Lawful basis is specified per processing activity.
    Cross-border transfer mechanism (SDAIA adequacy or safeguards) is documented.
    Breach notification procedure (72 hours to SDAIA) is documented.
    Data retention periods are specified.
    Document meets Saudi PDPL compliance expectations.
    

    Getting Started

    Add your source materials to the project workspace (e.g. data inventory or transfer list), then activate the Saudi PDPL — Personal Data Protection Assessment skill. The agent will guide you through drafting the compliance document and running sa_pdpl_compliance_checker until the check passes.

    Ready to let your expertise drive the workflow?

    Stop wrestling with rigid templates and complex tooling. Write your process in markdown, let the agent handle the rest.
