PDPL compliance and employee training: what Gulf organisations are getting wrong

Ervy Team

5 min read

Saudi Arabia’s PDPL enforcement committees have issued 48 decisions in one year. Oman’s data protection law became fully enforceable in February 2026. And the UAE’s Signals Intelligence Agency (the authority that governs the Information Assurance Standards widely known as NESA compliance) mandates annual, structured, documented security awareness training for all staff. SIA auditors specifically look for evidence of it.


Most Gulf organisations are still treating employee training as a good-faith effort, but for regulators it’s an auditable obligation with specific expectations. This disconnect is where enforcement finds its easiest targets.

PDPL compliance is no longer theoretical – it’s enforced


Saudi Arabia’s PDPL has been fully enforceable since September 2024, and SDAIA is active. In one year, its enforcement committees issued 48 decisions confirming violations across multiple sectors. The most common failures: processing personal data without a valid legal basis, unauthorised disclosure, and failure to implement adequate technical and organisational safeguards. Fines reach SAR 5 million per violation, doubled for repeat offences. Intentional disclosure of sensitive personal data carries criminal liability – up to two years imprisonment and a SAR 3 million fine.


One thing most organisations miss: PDPL applies extraterritorially. If you process personal data of Saudi residents from anywhere in the world, you’re in scope.


Oman’s PDPL became fully enforceable in February 2026 with a characteristic that sets it apart from every comparable framework: there is no legitimate interest basis. Every processing activity requires explicit, documented consent. The law also mandates a DPO and, uniquely in the region, an external auditor.


In the UAE, the federal PDPL sits alongside the Information Assurance Standards governed by SIA: 188 security controls across 15 security areas, one of which is security awareness. SIA mandates annual, structured, documented training for all staff. A presentation or a PDF employees are asked to read doesn’t cut it.

The overlap nobody is managing


Most organisations treat cybersecurity and data protection as separate problems. Compliance handles PDPL, IT handles security, HR handles onboarding, and nobody handles the gap in between. That gap is where the liability sits.


Consider what happens when an employee forwards a document with customer records to their personal email to work from home. That single action is simultaneously a PDPL violation (unauthorised data transfer, potential cross-border issue), a cybersecurity incident (data leaving the corporate environment without controls), and an HR failure (was this person trained? Is there a policy?). Under Saudi PDPL, Oman PDPL, and UAE cybercrime law, the organisation is liable whether or not the employee acted with intent.


Shadow AI compounds the problem. 80% of organisations are concerned about sensitive data leaking through generative AI tools, but 60% have no strategy to address it. When an employee in Dubai pastes customer records into an unapproved AI tool to draft a report, that’s a potential cross-border transfer under UAE PDPL, an unauthorised disclosure under Saudi PDPL, and a consent violation under Oman’s framework. IBM’s 2025 Cost of a Data Breach Report found that shadow AI was a factor in 20% of breaches studied, adding an average of $670,000 to breach costs compared to organisations with low or no shadow AI exposure.


The training implication is direct. An employee who knows the data classification policy but not the cybersecurity protocols is still a risk. An IT administrator who can configure access controls but doesn’t know what counts as personal data under Omani law is still a liability.

What PDPL and NESA compliance require from your training programme


The bar across these frameworks is more specific than most HR teams realise.


SIA’s framework is the most explicit: annual security awareness training, structured, delivered to all staff, with documented completion. That means recurring training delivery (a once-a-year event won’t suffice), per-employee completion records, and content that covers the domains SIA audits: data handling, access controls, incident reporting, phishing awareness.


Saudi PDPL doesn’t prescribe a training format, but negligence – not just intent – is enforceable. Organisations that can’t demonstrate they trained employees on compliant data handling have significantly weaker standing when an enforcement committee comes knocking. Oman layers an awareness obligation on top of its mandatory DPO requirement.


Across all three jurisdictions, “documented” means completion records per person, per course, with timestamps. A spreadsheet of names and dates is the floor. What actually holds up in an audit is per-lesson completion data, quiz results, and a record of when content was last updated.


Role differentiation matters too. All-staff baseline training covers the fundamentals – what personal data is, approved vs. unapproved AI tools, phishing, incident reporting. But IT administrators, HR, finance, and managers each carry distinct risk profiles that require function-specific depth. SIA’s framework is explicit on this distinction.

The practical gap: what most Gulf organisations actually have


The most common answer to “what’s your employee training programme?” is an annual slide deck with a sign-off sheet. That doesn’t meet SIA’s structured training requirement. It doesn’t demonstrate the ongoing, documented compliance regulators look for when investigating a PDPL breach. And it almost certainly doesn’t cover shadow AI, cross-border transfer risks, or role-specific obligations.


The other gaps that appear consistently: no completion records that would survive an audit, no recurring schedule (so training is stale by the time enforcement asks about it), shadow AI policies sitting as documents nobody has read, and new joiners who fall through entirely.


If you want to know exactly where your organisation stands, the guide below includes a 20-question self-assessment across data protection governance, cybersecurity controls, employee training, and AI governance – plus a country-by-country compliance matrix covering Saudi Arabia, Oman, and the UAE.

How to close the gap before an auditor does


A compliant training programme has five components: a company-wide baseline, role-specific depth for IT, HR, finance, and managers, a recurring delivery schedule, per-employee completion tracking, and a regular refresh as regulations and your AI tool stack evolve.


Most HR teams know what a compliant programme looks like – building and maintaining one without adding overhead to an already stretched function is the hard part. Writing courses from scratch, assigning them, chasing completions, and updating content when the shadow AI policy changes is real work on top of everything else compliance demands.


Ervy takes your existing compliance documents and policies and builds structured microlearning courses from them automatically. Lessons are delivered in 2–3 minute sessions inside Microsoft Teams, with no new logins or platforms to manage. Completion is tracked per employee, per course, with timestamps – exactly what an auditor will ask for.


The full practical toolkit is in the guide below: a country-by-country PDPL compliance matrix, a role-based training content map, a shadow AI policy template, a 12-month compliance training roadmap, and a 20-question self-assessment checklist.
