Yes. Article 42 grants SDAIA (later NDMO) the authority to amend or supplement the PDPL’s Implementing Regulations after the law has taken effect. These updates can: 

• Clarify definitions and procedures (e.g., consent mechanisms, DPIA obligations, marketing rules) 

• Introduce or refine consent protocols, privacy notice clarity, DPO responsibilities, cross-border data standards, and more 

• Be informed by public consultations such as the one completed in April-May 2025 for further updates to privacy notices, marketing consent, DPO duties, and controller registration criteria

Absolutely. SDAIA follows a transparent and formal process, including: 

• Publishing updates to Implementing Regulations, Transfer Rules, guidelines, and official forms (e.g., SCCs, BCRs, DPO guidance) on its website and national registry portal  

• Launching public consultations such as the third round in May 2025 to gather stakeholder feedback before finalizing changes  

Controllers must actively monitor these updates and ensure timely implementation before legal deadlines (e.g., the grace period to 14 Sept 2024). Not doing so may lead to enforcement actions. 

Yes, they become legally enforceable once officially published. Updated Implementing Regulations, Transfer Rules, and associated guidelines carry full legal effect, meaning: 

• Failure to comply can result in warnings, administrative fines, and legal penalties, just like the original PDPL text  

• Controllers must treat updated rules the same as core law—updating internal policies, systems, contracts, and staff training to align with new requirements