Reflective Piece (Using Driscoll’s Model): Comparing GDPR and PDPL
What?
This assignment required me to compare the GDPR’s data security rules with either UK ICO standards or compliance laws in my country of residence. I chose to compare the GDPR with Saudi Arabia’s Personal Data Protection Law (PDPL), as I currently work in the data team of an aviation college in the Kingdom. The task was directly relevant to my day-to-day responsibilities, and it pushed me to understand the legal obligations tied to how we manage and secure student and staff data.
So what?
While I was somewhat familiar with GDPR through academic reading, the PDPL had previously been more of a buzzword than a working guideline in my role. This discussion brought it to the forefront. The GDPR’s clarity on timelines and prescriptive controls—like 72-hour breach notifications—was something I had taken for granted. By contrast, the PDPL uses more general language and leaves much to interpretation. I realized that our college’s current systems may not be fully aligned with the new law’s expectations, especially in terms of breach response or clearly documented organizational controls. As someone overseeing data reporting and storage, this gap became personally concerning.
Now what?
Since completing this task, I have started re-evaluating our internal processes at work through the lens of PDPL compliance. While we follow general best practices for data protection, I now see the need to formally assess our systems against Article 20’s requirements. This reflection also opened my eyes to how immature data privacy enforcement still is in the Kingdom. That presents both a challenge and an opportunity. With limited precedent, institutions like ours can take the lead in modelling PDPL-aligned data handling. Moving forward, I intend to engage with our internal compliance and IT teams to ensure that policies are reviewed, breach protocols are documented, and staff are made aware of evolving regulatory expectations.