
Saudi PDPL Enforcement Is Live: What Schools Using WhatsApp Must Do

If you run a school in Saudi Arabia or anywhere across the Gulf, and your staff communicate with parents through WhatsApp groups, you are almost certainly processing personal data without a lawful basis. That is not a theoretical risk. It is the first of the three violation categories that drove 48 enforcement decisions from the Saudi Data and Artificial Intelligence Authority (SDAIA).

In September 2024, Saudi Arabia’s Personal Data Protection Law moved from a framework with a grace period into active enforcement. By mid-January 2026, SDAIA had issued those 48 enforcement decisions against organizations across multiple sectors — with individual fines reaching SAR 5 million per violation and the possibility of doubling for repeat offenders, according to analysis published by Clyde & Co partner Lamisse Bajunaid. The authority itself described 2025 as “a turning point in its oversight of data privacy practices,” per IAPP reporting by Basmah Alsubaie of Privacy Professionals LLC.

Forty-eight decisions: What SDAIA is actually penalizing

The 48 enforcement decisions fall into three distinct violation categories, as described in Alsubaie’s IAPP analysis:

  1. Sending marketing or direct communications without prior consent from the data subjects
  2. Processing personal data beyond what was necessary for the stated purpose, or without a clear legal justification
  3. Failing to implement adequate technical and organizational security controls over personal data

According to Bajunaid’s analysis at Clyde & Co, organizations have only five days to respond once SDAIA notifies them of a violation. The window for preparation is effectively zero at that point — compliance work must happen before notification, not after. “Early legal involvement is critical for assessing exposure and managing SDAIA interactions effectively,” Bajunaid writes.

The sectors targeted in initial enforcement were retail, telecommunications, and finance. But the legal exposure for education is structurally identical.

Why WhatsApp parent groups trigger all three violation categories

A 2026 peer-reviewed study by Bataineh et al., published in Digital Education Review and co-authored by a researcher at King Faisal University in Saudi Arabia, found that WhatsApp has become the de facto communication backbone in schools operating without institutional digital infrastructure. Its adoption occurred, the authors document, “in the absence of institutional policy, pedagogical oversight, or ethical safeguards.”

Against that backdrop, here is how each SDAIA violation category maps to a WhatsApp-based setup:

Lawful basis gap — most directly relevant to Category 2: While Category 1 enforcement has targeted promotional messaging, the consent issues in school WhatsApp groups map most directly to Category 2’s lawful basis requirement. When a parent joins a WhatsApp group, the school typically has no documented consent record, no privacy notice explaining how data will be processed, and no mechanism for a parent to object or withdraw. Joining a group chat is not legally equivalent to freely given, specific, informed consent under the PDPL.

Category 2 — Processing beyond the stated purpose: WhatsApp groups created for “homework reminders” quickly absorb attendance updates, disciplinary notes, health queries, event photos, and personal conversations. Bataineh et al. document how the channel’s role in school-home communication expands in ways not anticipated at implementation — including the accumulation of communication types within a single channel. Each additional use case requires its own documented lawful basis under the PDPL, which schools have almost never established.

Category 3 — Inadequate security controls: WhatsApp’s official privacy policy confirms that group membership information — including phone numbers, profile names and pictures, group membership lists, “last seen” and online presence data, and device identifiers — is shared with Meta companies (Facebook, Instagram) and third-party service providers for “infrastructure, safety, personalization, and integrated features.” WhatsApp operates as a consumer service under its own standard terms, meaning schools cannot define data handling requirements through a customized institutional agreement.

The conclusion of Alsubaie’s analysis is direct: “compliance with the PDPL is no longer optional.”

What WhatsApp actually processes on behalf of your school

It is worth being precise about the data flows, because the scale is often underestimated. According to WhatsApp’s current privacy policy, every group member’s data processed by the platform includes:

  • Phone number (required for registration and visible to all group members)
  • Profile name and picture
  • Group name and description
  • Full group membership list
  • “Last seen” timestamp and real-time online presence indicators
  • Message delivery and activity data
  • Device identifiers and IP addresses

WhatsApp states: “We require certain information to deliver our Services and without this we will not be able to provide our Services to you.” This means the school cannot configure WhatsApp to process less data — the collection is non-negotiable by design.

For a school group containing 300 parents, that is 300 phone numbers, device identifiers, and behavioral patterns flowing into Meta’s infrastructure, processed under contractual necessity rather than school-issued consent, with visibility into data flows limited to what WhatsApp’s public policy discloses.

Why you cannot rely on staff to catch this themselves

Two peer-reviewed studies from 2024 document a consistent pattern: educators systematically underestimate the personal data that flows through their school environments and have limited awareness of the regulations governing it.

A study by Hermida et al. (2024), published in the Journal of Media Literacy Education, found that pre-service teachers underestimate children’s privacy sharing behavior — their mental model of what data children generate at school is materially less accurate than surveys of the students themselves reveal. The study is survey-based and correlational, so it does not isolate cause; it does, however, reveal a consistent gap in how educators perceive data flows.

Separately, Koc and Golcukcu (2024), in a study of pre-service teachers presented at ICEMST 2024 in Antalya, found that while most participants understood the general concept of personal data, “approximately half of them were not aware of the regulation on this subject.” Again, this is a correlational finding from a small-scale survey (76 participants), but it is consistent with the Hermida results. Neither study was conducted in the Gulf region, but their consistency across independent educational contexts supports treating the gap as a baseline assumption rather than a locally specific anomaly.

The operational implication for school administrators is clear: you cannot rely on individual staff members to self-identify the risk. The gap is structural, not individual. Compliance requires institutional policy, not personal vigilance.

What schools must do now

The following three steps correspond directly to the three SDAIA violation categories. They are ordered by urgency.

Step 1: Document a lawful basis before any communication

Under the Saudi PDPL, every act of personal data processing requires a lawful basis. For schools, the most defensible bases are consent (freely given, specific, informed, and documented) or contractual necessity (processing required to deliver the educational service agreed at enrollment).

In practice, this looks like: a one-page enrollment data notice — delivered at registration, stored as a signed PDF — that explicitly names each communication channel the school uses, what data each channel processes, and whom that data is shared with. At minimum, the notice must cover four fields for each channel:

  1. Channel name and purpose
  2. Categories of personal data processed
  3. Third parties the data is shared with
  4. Retention period and deletion procedure

The notice should be reviewed and re-signed annually. If you currently have no such document, creating it this term is your first priority.

Step 2: Define and enforce the purpose of each channel

A communication channel used for homework reminders must stay limited to that purpose. Each new use case — attendance records, health communications, media sharing — requires its own documented lawful basis.

In practice, this looks like: a written internal policy (one page, reviewed twice per year) that lists each active channel by name, its permitted scope, and the staff member accountable for enforcing that scope (typically the class teacher for classroom channels; the data coordinator or principal for school-wide channels). When a parent posts a personal query in a homework-reminder group, the staff member closes the thread and redirects the conversation to the correct channel. The policy is presented to all teaching staff at the start of each academic year and acknowledged in writing.

Step 3: Replace uncontrolled third-party platforms with purpose-built infrastructure

WhatsApp cannot be configured to stop collecting device identifiers, group membership data, or activity data. The collection is built into the service. The only structural solution is to move parent communications to a platform that operates under a data processing agreement, limits collection to what the school authorizes, and provides the audit trail regulators expect.

In practice, this looks like: replacing the informal homework-reminder group with a structured messaging channel inside a dedicated school communication platform — where the school controls who has access, what data is retained, for how long, and under what jurisdiction. A class teacher sends a weekly three-to-five bullet summary every Sunday evening via an in-app notification to each parent’s account; no message is sent via a personal phone number, no personal data leaves the school’s designated infrastructure, and the school can produce a full communication log on request.

Compliant infrastructure as an operational requirement

For Gulf school administrators, the regulatory question is no longer whether to address PDPL compliance but when — and the enforcement calendar has already made that decision. SDAIA’s 48 decisions demonstrate that the authority is active, that it is expanding sector coverage, and that the five-day response window leaves no room for reactive preparation.

Schools that cannot produce a data processing agreement for their current parent communication platform, or cannot generate a full communication log on request, have an open compliance gap.

BeeNet’s school communication platform was designed for this operational context — with structured messaging channels, role-based access controls, and a data architecture that keeps personal data within the school’s own configured environment. For schools evaluating their options, it represents one implementation path toward the compliance posture that PDPL enforcement now requires.

The question is not whether you need compliant infrastructure. The question is whether you address it this term or respond to a SDAIA notification in five days.


References

  1. Bajunaid, L. (2026, March 30). Enforcement of the Saudi Personal Data Protection Law is live: Are you ready? Clyde & Co. https://www.clydeco.com/en/insights/2026/03/enforcement-of-the-saudi-pdp-law

  2. Alsubaie, B. (2026, February 25). Saudi Arabia’s data protection authority steps up enforcement. IAPP. https://iapp.org/news/a/saudi-arabia-s-data-protection-authority-steps-up-enforcement

  3. Bataineh, R. F., Bataineh, R., Al-Barakat, A., & AlAli, R. (2026). WhatsApp as a mediational infrastructure: Informal parental involvement and pedagogical drift in Jordanian primary education. Digital Education Review, 48, 157–173. https://doi.org/10.1344/der.2026.48.157-173

  4. Hermida, M., Meier, R., Schrackmann, I., Imlig-Iten, N., & Marinus, E. (2024). What kinds of personal data do primary school pupils share with whom? Children’s view of personal data and its implications for teaching about privacy. Journal of Media Literacy Education, 16(2), 14–27. https://doi.org/10.23860/JMLE-2024-16-2-2

  5. WhatsApp LLC. (2026). WhatsApp Privacy Policy. Meta Platforms. https://www.whatsapp.com/legal/privacy-policy

  6. Koc, M., & Golcukcu, S. (2024, April). Pre-service teachers’ personal data privacy awareness levels and related behaviors in online environments. Proceedings of ICEMST 2024, Antalya, Turkey. ISTES Organization. https://files.eric.ed.gov/fulltext/ED672793.pdf
