Saudi Arabia’s data governance framework, developed by the National Data Management Office under SDAIA, represents one of the most comprehensive national data governance architectures in the world. The framework addresses data classification, localization, sharing, quality, monetization, and cross-border transfer in an integrated regulatory structure.
Data Classification System
The framework establishes four classification levels: Top Secret (national security data), Secret (sensitive government data), Confidential (personal data and commercial secrets), and Public (open data). Each classification carries specific handling requirements for storage, transmission, access control, and retention.
All government entities are required to classify their data holdings according to this framework and implement corresponding technical controls. The classification system extends to private sector entities through the Personal Data Protection Law, which mandates comparable protections for personal data.
Data Localization Requirements
Saudi data localization policy employs a tiered approach. Top Secret and Secret data must be stored and processed exclusively within Saudi sovereign data centers. Confidential data may be processed in foreign-owned data centers located within Saudi Arabia (such as hyperscaler regions). Public data may be stored and processed anywhere, though Saudi-based storage is preferred.
These requirements have been a significant driver of hyperscaler investment in Saudi data center regions, as international cloud providers must offer local data residency to serve government and regulated industry clients.
National Data Sharing Platform
The government has established a National Data Sharing Platform (Tabadul) that enables secure data exchange between government entities under standardized protocols. Tabadul has processed over 2.8 billion data-sharing transactions since launch, reducing the turnaround for inter-agency data requests from an average of 14 days to real time.
Personal Data Protection
The Personal Data Protection Law (PDPL), enforced since September 2023, provides individual rights comparable to the EU’s GDPR, including rights to access, rectification, deletion, and data portability. The law applies to all entities processing personal data of Saudi residents, regardless of where the processing occurs.
Enforcement has been progressive, with the first year focused on awareness and compliance assistance, transitioning to active enforcement with penalties of up to SAR 5 million per violation beginning in 2025.