PDPL Video-Analytics Compliance Checklist for KSA Enterprises

A field-ready 2026 PDPL compliance checklist for any Saudi enterprise running video analytics — from DPO appointment to lawful basis, transfer rules, right-to-erasure on stored frames, retention windows, and audit trail.

Why video analytics is in scope

Four facts make CCTV and AI analytics PDPL-relevant by default in 2026:

  1. A face, a uniform with a name patch, a vehicle plate, or even gait can identify an individual. PDPL applies to data from which a person can be identified, directly or indirectly.
  2. Industrial sites in KSA routinely store weeks to months of footage — by definition retention with a purpose.
  3. Many sites stream to vendors outside the Kingdom for processing; that is a cross-border transfer under PDPL.
  4. SDAIA continues to publish guidance and enforcement updates; treat this checklist as good practice based on publicly available information as of May 2026, and re-verify against current SDAIA publications before signing a contract.

For broader context see the Vision 2030 digitisation reading and the edge vs cloud architecture decision tree.

The 12-point checklist

1. DPO appointed and named in writing

PDPL requires controllers in scope to appoint a Data Protection Officer. For video analytics deployments at any meaningful scale, name the DPO in the contract — not merely in a back-office policy document. The DPO must be reachable by data subjects.

2. Lawful basis documented per use case

Each AI use case has a distinct lawful basis. Be specific in the privacy notice and contract:

Use case | Typical lawful basis
PPE detection on contractor sites | Legitimate interests / legal obligation (HSE)
Perimeter intrusion | Legitimate interests (asset protection)
Worker attendance via face | Contract performance + explicit consent — narrow basis
Visitor counting (anonymous) | Legitimate interests, but verify anonymisation is real
Compliance archive of incidents | Legal obligation

Generic “consent” is the weakest basis on a worksite. Build cases on legitimate interests, legal obligation, or contract performance where defensible.

3. Privacy notice posted on site, in Arabic and English

Saudi sites need bilingual signage at every entrance describing: who controls the data, the purpose of recording, the retention window, the legal basis, and how to contact the DPO. The signage must be visible before a worker or visitor enters the captured area.

4. Data inventory and flow diagram

Maintain a formal record of:

  • Each camera and its capture zone
  • Each model running on the footage
  • Each storage location (edge device, on-premises NVR, Saudi-resident cloud, vendor cloud)
  • The data path between them, with country of operation marked

This is the document SDAIA inspectors and auditors typically request first. Build it before go-live, not retroactively.

5. Saudi-resident data path

Cross-border transfer of personal data is restricted under PDPL. The defensible default for video analytics is end-to-end Saudi residency. Where a non-resident leg is unavoidable (e.g. specialist model retraining), document the transfer impact assessment and the legal mechanism, and route only the minimum necessary data through it.

For the architecture trade-off see the edge vs cloud decision tree.

6. Retention windows aligned to purpose

Generic 90-day retention is no longer defensible. Align retention to the documented purpose:

Purpose | Typical window
Live operational alerts | 7–30 days
Incident investigation | 90 days, extended only with case file
HSE compliance evidence | Per contractor contract, often 12 months
Legal hold | Indefinite, ring-fenced from main store

Implement automated deletion, with logs that prove each deletion actually executed.
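One way to enforce purpose-aligned windows with a deletion log, as an added example (not code from the checklist or from any NVR/VMS product); the purpose names, the assumed 12-month HSE window, the case-file extension rule and the clip record layout are assumptions, and the sample clips are constructed:

```python
"""Purpose-aligned retention with a deletion log.
Added example, not from the checklist or any NVR/VMS product; purpose names, the
12-month HSE window and the clip record layout are assumed."""
from datetime import datetime, timedelta, timezone

# Windows in days from the checklist table; None means indefinite (legal hold).
RETENTION_DAYS = {"live_alert": 30, "incident": 90, "hse_evidence": 365, "legal_hold": None}

def window_for(clip: dict):
    """Effective window: incident clips extend only when a case file is attached."""
    days = RETENTION_DAYS[clip["purpose"]]
    if clip["purpose"] == "incident" and clip.get("case_file"):
        days += clip.get("extension_days", 0)
    return days

def is_expired(clip: dict, now: datetime) -> bool:
    days = window_for(clip)
    return days is not None and now - clip["captured_at"] > timedelta(days=days)

def enforce_retention(clips: list, now: datetime):
    """Delete expired clips; return surviving clips and a log proving each deletion."""
    kept, log = [], []
    for clip in clips:
        if is_expired(clip, now):
            log.append({"clip_id": clip["id"], "purpose": clip["purpose"],
                        "window_days": window_for(clip), "deleted_at": now.isoformat()})
        else:
            kept.append(clip)
    return kept, log

def demo():
    """Constructed sample clips evaluated at a fixed 'now' (case file id is a placeholder)."""
    now = datetime(2026, 5, 15, tzinfo=timezone.utc)
    age = lambda days: now - timedelta(days=days)
    clips = [
        {"id": "c1", "purpose": "live_alert", "captured_at": age(45)},
        {"id": "c2", "purpose": "incident", "captured_at": age(100)},
        {"id": "c3", "purpose": "incident", "captured_at": age(100),
         "case_file": "CASE-PLACEHOLDER", "extension_days": 60},
        {"id": "c4", "purpose": "legal_hold", "captured_at": age(800)},
        {"id": "c5", "purpose": "hse_evidence", "captured_at": age(200)},
    ]
    return enforce_retention(clips, now)
```

The legal-hold clip never expires, and the incident clip without a case file is deleted at 90 days while the one with a case file survives its extended window.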

7. Right-to-erasure pipeline for stored frames

This is the operational gap most enterprises have in 2026. A worker, contractor, or visitor can request erasure. The pipeline must:

  1. Receive the request via the published DPO channel
  2. Identify all stored frames containing the individual (face, badge, plate)
  3. Erase or pseudonymise those frames in primary storage
  4. Erase from edge cache, mid-tier storage, and archived backups
  5. Log the action with timestamps and operator IDs

If the architecture cannot execute steps 3–5, the deployment is not PDPL-defensible. Most failures happen in step 5 — backups outlive the erasure.

8. Access controls and audit trail

  • Role-based access on the video management system, including model output dashboards
  • Per-user audit log of every clip viewed, exported, or shared
  • Tamper-evident logs (hash chain or signed events) to support incident review
  • Quarterly access review with sign-off
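An added example covering both the erasure pipeline of point 7 and the tamper-evident (hash chain) logs of point 8; it is not code from the checklist or from any VMS vendor. The tier names, the frame record layout, the badge/plate subject tags and the hash-chain format are assumptions, and the sample stores are constructed so that backups are left out of the pipeline, the gap point 7 warns about:

```python
"""Right-to-erasure across every storage tier, with a tamper-evident audit log.
Added example, not from the checklist or any VMS vendor; tier names, frame records and
the hash-chain layout are assumed. Subjects are badge/plate tags on frames (no face matching)."""
import hashlib, json
REQUIRED_TIERS = ("primary", "edge_cache", "mid_tier", "backup")  # tiers the checklist names

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash (hash chain)."""
    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"prev": prev, **event}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self) -> bool:
        """Recompute the chain; an edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def erase_subject(stores: dict, subject_id: str, operator: str, at: str, log: AuditLog) -> dict:
    """Drop every frame tagged with subject_id from each wired tier, logging per tier.
    Also reports required tiers the pipeline never reached (the usual gap: backups)."""
    counts = {}
    for tier, frames in stores.items():
        hits = [f["frame_id"] for f in frames if subject_id in f["subjects"]]
        frames[:] = [f for f in frames if subject_id not in f["subjects"]]
        counts[tier] = len(hits)
        log.append({"action": "erase", "tier": tier, "subject": subject_id,
                    "frames": hits, "operator": operator, "at": at})
    return {"erased": counts, "uncovered_tiers": [t for t in REQUIRED_TIERS if t not in stores]}

def demo():
    """Constructed sample: pipeline wired to three tiers, backups left out."""
    frame = lambda fid, *subs: {"frame_id": fid, "subjects": list(subs)}
    stores = {"primary": [frame("p1", "BADGE-0042"), frame("p2", "BADGE-0042", "PLATE-1"), frame("p3", "PLATE-1")],
              "edge_cache": [frame("e1", "BADGE-0042")], "mid_tier": []}
    log = AuditLog()
    result = erase_subject(stores, "BADGE-0042", "op-17", "2026-05-15T09:00:00+03:00", log)
    return result, log, stores
```

A non-empty `uncovered_tiers` is the signal that the deployment cannot execute step 4 of the pipeline, and `verify()` returning False on a later review shows the log was altered after the fact.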

9. Vendor and processor controls

Every processor — AI vendor, cloud provider, integrator — needs a Data Processing Agreement:

  • Naming the processor and sub-processors
  • Describing the data, purpose, and duration
  • Specifying technical and organisational measures
  • Defining breach notification timelines
  • Requiring deletion or return at contract end
  • Naming the Saudi DPO of the processor

For our processor posture see the certifications and trust page.

10. Data Protection Impact Assessment (DPIA)

Conduct a DPIA before deploying any video analytics workload that processes personal data at scale, uses biometric features, or runs in publicly accessible areas. Document:

  • Necessity and proportionality
  • Risks to rights and freedoms
  • Mitigating measures
  • Residual risk acceptance by the DPO

Refresh annually or on material change.

11. Breach response runbook

A documented runbook for video data breaches, including:

  • Detection sources (SIEM, vendor disclosure, user report)
  • Internal escalation chain with phone numbers
  • DPO and legal notification timelines
  • SDAIA notification procedure where applicable
  • Data-subject notification procedure where applicable
  • Post-incident review template

Test it annually with a tabletop exercise.

12. Training and contractor briefing

Every operator with access to video analytics output, every site supervisor running incident reviews, and every contractor PMO needs PDPL awareness training. Refresh annually. Maintain attendance records.

Common pitfalls in 2026 KSA deployments

  1. Treating retention as a vendor default. Vendors ship 30/60/90 days; PDPL needs purpose-aligned windows.
  2. Silent cross-border transfer. A free-tier monitoring SaaS based abroad processes the metadata; the metadata identifies the worker.
  3. Erasure that misses backups. Backups continue to hold what the primary store erased.
  4. Single DPO across many sites without resources. A single nominal DPO who cannot respond to subject requests within 30 days does not satisfy the obligation.
  5. Privacy notices in English only. Field workers do not read English privacy notices; bilingual is a baseline.

Mapping the checklist to a typical Saudi site

A typical AI-enabled construction site running PPE detection, intrusion detection, progress tracking, and vehicle and pedestrian safety needs:

  • One DPO named in the master services agreement
  • Four documented lawful bases (one per use case)
  • One bilingual privacy notice covering all four
  • One data inventory covering 50–500 cameras
  • One Saudi-resident architecture validated against the edge vs cloud decision tree
  • Four retention policies, automated
  • One right-to-erasure pipeline
  • One vendor DPA covering the AI provider, the cloud provider, and the integrator
  • One DPIA refreshed annually
  • One breach runbook tested annually
  • One training programme refreshed annually

Next steps

If you are scoping PDPL compliance for a 2026 Saudi video analytics deployment, start with the trust and certifications overview, the AI analytics platform, and the edge vs cloud architecture guide. For the procurement angle see the IKTVA reality check.

Request a PDPL gap assessment and we will produce a 12-point evaluation against your current deployment within 10 working days.
