TemplatesVerified 26 June 2026

Compliance checklists you can actually use.

Practical, sourced checklists for Saudi data compliance — open and free. The heavier fill-in working documents come as an email-gated Pro Pack. Everything is informational, not legal advice.

Open checklists

Free to read, copy, and print. Each ends with its sources.

PDPL Readiness Checklist

Informational, not legal advice. Enforcement is active — fines up to SAR 5M. Verified 26 June 2026.

1. Lawful basis & notice

Identify a lawful basis for every processing activity.
Publish a PDPL-aligned privacy notice (purpose, data, retention, rights, contact).
Cookie/consent banner is decline-by-default (no pre-ticked boxes).

2. Consent & rights

Consent is specific, informed, and withdrawable.
No marketing communications without consent (top enforcement trigger).
A working process to handle data-subject requests (access, correction, deletion).

3. Records & governance

Maintain a Record of Processing Activities (RoPA).
Appoint/document a data protection function (watch the new DPO rules — proposed).
Ability to respond to SDAIA inquiries within the statutory window.

4. Security

Technical + organizational safeguards proportionate to risk.
Data classification applied before storage/hosting.
Breach detection + an incident response plan with notification steps.

5. Cross-border transfers

No reliance on an adequacy list (none published).
SCCs or Binding Common Rules in place for transfers abroad.
Transfer risk assessment for sensitive or large-scale transfers.

6. Vendors

Processor agreements with PDPL clauses.
Sub-processor controls and locations documented.

Sources: SDAIA PDPL enforcement (Clyde & Co, 2026); cross-border framework (HFW). Not legal advice — verify with primary sources and counsel.

NCNICC-1:2025 Applicability Checklist

Informational, not legal advice. In force since Jan 2026 — mandatory for non-CNI private entities. Verified 26 June 2026.

Step 1 — Are you CNI?

Designated Critical National Infrastructure? → If YES, you're under the full NCA stack (ECC-2:2024 + CCC-2:2024 + DCC-1:2022), not NCNICC. Stop here.
Not CNI? → continue.

Step 2 — Which category?

Category A — 250+ full-time staff OR annual revenue over SAR 200,000,000.
Category B — 6–249 staff OR revenue SAR 3,000,000–200,000,000.
Under 6 staff AND under SAR 3M → likely below threshold (re-check as you grow).

Step 3 — Category A: Governance

Cybersecurity governance + defined roles.
Periodic risk assessments.
Policies reviewed and approved.

Step 3 — Category A: Cybersecurity Defense

Access management.
Endpoint protection.
Data classification.
Backup management.
Monitoring + logging.
Incident response procedures.
Periodic penetration testing.

Step 3 — Category A: Third-party & Cloud

Third-party/vendor cybersecurity requirements.
Cloud computing cybersecurity controls.
Employee awareness training.

Step 4 — Category B

Implement the reduced control set scoped to your size (governance + core defense basics).

Sources: NCNICC-1:2025 (CMS Law, 2026; CyberArrow). Not legal advice — confirm your designation and exact control set with NCA documents and counsel.

Cross-border Transfer (SCC) Checklist

Informational, not legal advice. No SDAIA adequacy list exists — safeguards are required. Verified 26 June 2026.

Before any transfer abroad

Define the purpose of the transfer.
List the data categories involved.
Identify the destination and legal basis (SCCs or Binding Common Rules).
Check the risk-assessment trigger (sensitive or large-scale data).
Document the safeguards in place.
Obtain internal sign-off before the first transfer.

Sources: cross-border framework (HFW). Not legal advice — verify with primary sources and counsel.

The Pro Pack — working documents

The fill-in templates for teams that are implementing. One email unlocks all three when they ship.

Coming soon

RoPA (Records of Processing Activities) starter

controller/processor · processing purpose · data categories · subjects · recipients · retention · transfers · security measures

Coming soon

Data classification worksheet (NDMO/DCC 4-tier)

asset · NDMO level (Top Secret/Secret/Restricted/Public) · reconcile to NCA/CCC label · impact assessment · handling rule · hosting location

Coming soon

Vendor / data-processor agreement checklist

PDPL processor clauses · sub-processor consent · breach notice SLA · location of processing · audit rights · deletion on termination

Get the Pro Pack

Drop your email and we’ll send the RoPA starter, the data-classification worksheet, and the vendor-agreement checklist as soon as they’re ready.

These templates are a regulatory reference, not legal advice. Verify each item against its primary source and qualified counsel before relying on it. Last verified 26 June 2026.

Open checklists

Free to read, copy, and print. Each ends with its sources.

PDPL Readiness Checklist

Informational, not legal advice. Enforcement is active — fines up to SAR 5M. Verified 26 June 2026.

1. Lawful basis & notice

Identify a lawful basis for every processing activity.
Publish a PDPL-aligned privacy notice (purpose, data, retention, rights, contact).
Cookie/consent banner is decline-by-default (no pre-ticked boxes).

2. Consent & rights

Consent is specific, informed, and withdrawable.
No marketing communications without consent (top enforcement trigger).
A working process to handle data-subject requests (access, correction, deletion).

3. Records & governance

Maintain a Record of Processing Activities (RoPA).
Appoint/document a data protection function (watch the new DPO rules — proposed).
Ability to respond to SDAIA inquiries within the statutory window.

4. Security

Technical + organizational safeguards proportionate to risk.
Data classification applied before storage/hosting.
Breach detection + an incident response plan with notification steps.

5. Cross-border transfers

No reliance on an adequacy list (none published).
SCCs or Binding Common Rules in place for transfers abroad.
Transfer risk assessment for sensitive or large-scale transfers.

6. Vendors

Processor agreements with PDPL clauses.
Sub-processor controls and locations documented.

Sources: SDAIA PDPL enforcement (Clyde & Co, 2026); cross-border framework (HFW). Not legal advice — verify with primary sources and counsel.

NCNICC-1:2025 Applicability Checklist

Informational, not legal advice. In force since Jan 2026 — mandatory for non-CNI private entities. Verified 26 June 2026.

Step 1 — Are you CNI?

Designated Critical National Infrastructure? → If YES, you're under the full NCA stack (ECC-2:2024 + CCC-2:2024 + DCC-1:2022), not NCNICC. Stop here.
Not CNI? → continue.

Step 2 — Which category?

Category A — 250+ full-time staff OR annual revenue over SAR 200,000,000.
Category B — 6–249 staff OR revenue SAR 3,000,000–200,000,000.
Under 6 staff AND under SAR 3M → likely below threshold (re-check as you grow).

Step 3 — Category A: Governance

Cybersecurity governance + defined roles.
Periodic risk assessments.
Policies reviewed and approved.

Step 3 — Category A: Cybersecurity Defense

Access management.
Endpoint protection.
Data classification.
Backup management.
Monitoring + logging.
Incident response procedures.
Periodic penetration testing.

Step 3 — Category A: Third-party & Cloud

Third-party/vendor cybersecurity requirements.
Cloud computing cybersecurity controls.
Employee awareness training.

Step 4 — Category B

Implement the reduced control set scoped to your size (governance + core defense basics).

Sources: NCNICC-1:2025 (CMS Law, 2026; CyberArrow). Not legal advice — confirm your designation and exact control set with NCA documents and counsel.

Cross-border Transfer (SCC) Checklist

Informational, not legal advice. No SDAIA adequacy list exists — safeguards are required. Verified 26 June 2026.

Before any transfer abroad

Define the purpose of the transfer.
List the data categories involved.
Identify the destination and legal basis (SCCs or Binding Common Rules).
Check the risk-assessment trigger (sensitive or large-scale data).
Document the safeguards in place.
Obtain internal sign-off before the first transfer.

Sources: cross-border framework (HFW). Not legal advice — verify with primary sources and counsel.

The Pro Pack — working documents

The fill-in templates for teams that are implementing. One email unlocks all three when they ship.

Coming soon

RoPA (Records of Processing Activities) starter

controller/processor · processing purpose · data categories · subjects · recipients · retention · transfers · security measures

Coming soon

Data classification worksheet (NDMO/DCC 4-tier)

asset · NDMO level (Top Secret/Secret/Restricted/Public) · reconcile to NCA/CCC label · impact assessment · handling rule · hosting location

Coming soon

Vendor / data-processor agreement checklist

PDPL processor clauses · sub-processor consent · breach notice SLA · location of processing · audit rights · deletion on termination

Get the Pro Pack

Drop your email and we’ll send the RoPA starter, the data-classification worksheet, and the vendor-agreement checklist as soon as they’re ready.