DATA GUARD - Cybersecurity & AI
Saudi Regulatory Alignment

PDPL Compliance

How Data Guard achieves and demonstrates compliance with the Saudi PDPL, NDMO and NCA frameworks.

Last updated: January 2026
PDPL, NDMO, NCA ECC-1:2018, NCA ECC-2:2018, ISO 27001, GDPR

1. Overview

The Saudi PDPL (Royal Decree M/19, 2021), enforced by SDAIA, regulates personal data processing in KSA. We treat PDPL compliance as foundational — for our operations and as a built-in capability of our products (especially DataMind).

We act in two roles: Data Guard is the Data Controller for our own visitors and customers, and a Data Processor when customers use our platforms.

2. The 8 PDPL principles we honour

  1. Lawfulness: Processing only with a clear legal basis.
  2. Purpose Limitation: Data used only for declared purposes.
  3. Data Minimisation: Collect only what is strictly necessary.
  4. Accuracy: Keep data current and correct.
  5. Storage Limitation: Retain only as long as needed.
  6. Integrity & Confidentiality: Encryption + access control.
  7. Accountability: Documented processes & audits.
  8. Transparency: Clear notices to data subjects.

3. PDPL article mapping

Every Data Guard / DataMind capability is mapped to specific PDPL articles:

  • Article 5 — Consent: explicit opt-in flows + withdrawal mechanism.
  • Article 9 — Data Subject Rights: in-product DSR portal.
  • Article 19 — Security: AES-256, TLS 1.3, MFA, zero-trust.
  • Article 20 — Breach notification: ≤72h alerts.
  • Article 21 — Data protection by design and by default.
  • Article 29 — Cross-border transfers: SCC + residency controls.

4. NDMO framework alignment

DataMind is fully aligned with the NDMO Data Management & Personal Data Protection Standards:

  • Data Governance — domains, roles, ownership.
  • Data Catalog & Metadata.
  • Data Classification — automated labelling.
  • Data Protection — DLP, encryption, masking.
  • Data Quality.
  • Data Sharing & Interoperability.

5. NCA cybersecurity controls

We implement NCA Essential Cybersecurity Controls:

  • ECC-1:2018 — General controls (governance, defence, resilience).
  • ECC-2:2018 — Data protection extension.
  • CSCC — Cloud Cybersecurity Controls.
  • CCC — Critical Systems Cybersecurity Controls.

6. Data subject rights

We honour data subject rights within the PDPL 30-day response window:

  1. Right to be informed.
  2. Right of access.
  3. Right to rectification.
  4. Right to erasure.
  5. Right to restrict or object.
  6. Right to data portability.
  7. Right to withdraw consent.

Submit any DSR via contact@d-guard.tech

7. Breach notification

In the event of a personal data breach, we will:

  • Notify SDAIA within 72 hours where feasible.
  • Notify affected data subjects when a high risk is likely.
  • Document the incident, root cause, impact, and remediation.
  • Coordinate with customers per contractual SLAs.

8. Data Protection Officer (DPO)

We have appointed a DPO responsible for PDPL compliance monitoring, advice, training, and contact with SDAIA and data subjects.
