PDPL Compliance: Data Privacy for Saudi Businesses Using Zoho

Personal Data Protection Law obligations, data residency, consent capture, and DSR fulfilment - inside Zoho CRM and Creator.

Vikas Saroj · February 28, 2026 · 11 min read

Saudi Arabia's Personal Data Protection Law (PDPL) - issued in 2021, fully enforced from September 2023 - has reshaped how Saudi businesses collect, store, and process personal data. If you handle any data from individuals in KSA, you're in scope.

What PDPL Requires - The 6 Pillars

1. Lawful Basis

Every personal data processing activity must rest on a defined lawful basis: explicit consent, contractual necessity, legal obligation, vital interest, public interest, or legitimate interest. Document which basis applies for each data flow.

2. Data Minimisation

Collect only what you need for the stated purpose. The CRM field "favorite color" without a marketing purpose? Out.

3. Purpose Limitation

If you collected data for "Quote Request", you can't repurpose it for "Marketing Campaign" without a new lawful basis (typically fresh consent).

4. Data Subject Rights

Individuals have the right to access, correct, delete, and port their data. You must respond within 30 days.

5. Cross-Border Transfer Restrictions

Personal data of Saudi residents generally must stay in Saudi Arabia. Cross-border transfer requires SDAIA approval and adequate-protection guarantees in the destination country.

6. Security and Breach Notification

Implement reasonable technical and organizational security measures, and report breaches within the mandatory 72-hour notification window.

Configuring Zoho for PDPL

Consent Management in Zoho CRM

Zoho CRM has built-in consent management - capture, store, and timestamp every consent event with the source, IP address, and exact wording shown. When PDPL auditors ask "show me consent for John Doe's marketing email", you produce a record in seconds.

Creator Apps with Consent Checkpoints

For Zoho Creator-built apps (forms, portals, internal tools), we embed explicit consent checkpoints in every data-collection form. No data lands in the database without a recorded consent event.

Data Subject Request (DSR) Handling

Stand up a Zoho Creator app that:

  • Accepts DSRs via a public-facing form (with identity verification)
  • Routes the request to your Data Protection Officer (DPO)
  • Pulls all data records from CRM, Books, People, and Creator apps
  • Generates a portable export (JSON or PDF) or executes a deletion
  • Logs the full handling chain for audit
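As an added example (not Zoho's or Raqmiat's code, and not Deluge), a small Python model of the consent register described above and of the DSR app just listed: each consent event is stored with its timestamp, source, IP and a hash of the exact wording, purpose limitation is checked before data is reused, and a DSR yields a portable JSON export or an erasure plus an audit entry carrying the 30-day due date. Store names, subject ids and records are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ConsentEvent:
    # One consent decision plus the evidence auditors ask for: when, where, from which IP, exact wording.
    subject_id: str
    purpose: str    # e.g. "Quote Request" or "Marketing Campaign"
    granted: bool   # False records a withdrawal
    timestamp: str  # ISO-8601, UTC
    source: str     # form or channel where the consent text was shown
    ip: str
    wording: str    # the exact text the data subject saw

class ConsentRegister:
    def __init__(self):
        self.events = []  # append-only consent ledger
        self.audit = []   # full handling chain, for auditors
    def record(self, e: ConsentEvent) -> None:
        self.events.append(e)
        self.audit.append({"action": "consent", "subject": e.subject_id, "purpose": e.purpose,
                           "granted": e.granted, "at": e.timestamp, "source": e.source, "ip": e.ip,
                           # hash of the exact wording, so a later edit to the form text is detectable
                           "wording_sha256": hashlib.sha256(e.wording.encode()).hexdigest()})
    def has_consent(self, subject_id: str, purpose: str) -> bool:
        hits = [e for e in self.events if e.subject_id == subject_id and e.purpose == purpose]
        return bool(hits) and hits[-1].granted  # newest event wins, so a withdrawal overrides a grant
    def may_process(self, subject_id: str, collected_for: str, intended_use: str) -> bool:
        # Purpose limitation: reuse for a different purpose needs its own recorded consent.
        return intended_use == collected_for or self.has_consent(subject_id, intended_use)

def handle_dsr(register: ConsentRegister, stores: dict, subject_id: str, kind: str, received_at: str) -> dict:
    """Fulfil an access (portable JSON export) or erasure request across every record store."""
    due = (datetime.fromisoformat(received_at) + timedelta(days=30)).isoformat()  # PDPL: 30 days
    result = {"kind": kind, "subject": subject_id, "due_by": due}
    if kind == "access":
        result["export"] = json.dumps({name: [r for r in rows if r["subject_id"] == subject_id]
                                       for name, rows in stores.items()}, sort_keys=True)
    elif kind == "erasure":
        result["deleted"] = 0
        for rows in stores.values():  # e.g. CRM, Books, People, Creator, each a list of records
            kept = [r for r in rows if r["subject_id"] != subject_id]
            result["deleted"] += len(rows) - len(kept)
            rows[:] = kept  # update the caller's store in place
    else:
        raise ValueError(f"unsupported DSR kind: {kind}")
    register.audit.append({"action": "dsr", **result})
    return result
```

In a real deployment the identity-verification step precedes `handle_dsr`, and the audit list would be an append-only store rather than memory.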

Saudi Data Residency

Zoho operates data centers within Saudi Arabia. Configure new orgs to land directly on the KSA region. For existing orgs on non-Saudi regions, we manage migration.

The Most Common PDPL Mistakes Saudi Businesses Make

  • Hardcoded consent assumptions - "they gave us their email, so they consented to marketing" - that's not how PDPL works
  • No DPO appointment - mid-to-large businesses must appoint a Data Protection Officer
  • Cross-border processing without approval - if your CRM data sits in a US region without SDAIA approval, you have a problem
  • Missing breach response runbook - 72 hours is too short to write the playbook during the actual breach
  • Vendor data flows undocumented - every Zoho integration, every API call, every export needs a documented data flow

PDPL Penalties

SDAIA can impose:

  • Up to SAR 5 million for serious violations
  • Public naming of non-compliant entities
  • Suspension of cross-border data transfers
  • Mandatory remediation under SDAIA supervision

Frequently Asked Questions

Is Zoho PDPL compliant?

Zoho provides the platform capabilities (consent management, data residency, audit logs, role-based access) needed to be PDPL compliant. Compliance is a function of how you configure and operate the platform - which is what your implementation partner makes happen.

Do I need a DPO under PDPL?

Yes, if you process high volumes of personal data, sensitive categories, or systematically monitor individuals.

Can my Zoho data sit outside Saudi Arabia?

Only with SDAIA approval and an adequate-protection assessment. Default to Saudi data residency.

PDPL assessment needed? Talk to Raqmiat about Zoho + PDPL.
