Jordan's PDPL Execution Plan with TurtleShield: Six Steps Towards Your Compliance Journey
Jordan's Personal Data Protection Law (PDPL), officially Law No. 24 of 2023, marks the nation’s first comprehensive framework for the regulation and protection of personal data. Published in the Official Gazette on September 17, 2023, and effective from March 17, 2024, the law provides a one-year grace period for full compliance, ending March 16, 2025.
Organizations operating in or interacting with Jordan must act swiftly to align with PDPL’s mandates. Here's a six-step compliance roadmap to help your organization meet the regulatory requirements with the support of Ardent’s TurtleShield platform for seamless execution.
1) Conduct PIA/DPIA/TIA (Risk Assessments)
To comply with PDPL’s mandates, businesses must proactively assess their data-handling practices. This includes conducting:
- Privacy Impact Assessments (PIAs)
- Data Protection Impact Assessments (DPIAs)
- Transfer Impact Assessments (TIAs)
These evaluations help identify high-risk data processing operations and ensure compliance with cross-border data transfer provisions.
PDP Law: Articles 11, 14 and 15
Ardent Solution: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. Conducting DPIAs and TIAs enhances privacy practices, ensures compliance with Jordan’s PDPL and applicable privacy laws, and protects sensitive information.
2) Discover PII (Personal Data Bill of Materials)
Knowing what personal data you process — and where it resides — is foundational. Organizations should undertake:
- Data Discovery and Classification
- Building a Data Bill of Materials (DBoM)
- Maintaining a Record of Processing Activities (RoPA)
- Performing regular audits and reviews
PDP Law: Article 14
Ardent Solution: Our innovative, patented technology, TurtleShield DD (Data Discovery), addresses these challenges by discovering hard-to-find datasets at scale, enabling quick action, and reducing compliance costs. It locates and categorizes data according to the regulatory requirements in PDPL, so that companies maintain compliance, secure sensitive information, and minimize data breach risks.
3) Implement Data Subject Rights Management
PDPL grants extensive rights to data subjects, including the right to object to processing, restrict usage, and withdraw consent. Organizations must:
- Establish secure portals for Data Subjects
- Enable privacy teams to act on DSARs efficiently
PDP Law: Article 4
Ardent Solution: TurtleShield DSAR streamlines the Data Subject Access Request (DSAR) process, ensuring efficient compliance with PDPL. It offers a centralized portal for intake, automated data discovery, and secure response delivery.
4) Establish a Centralized Consent Management System
To legally process data, organizations need to capture and manage consent transparently. This includes:
- Centralized Consent Collection and Management
- Consent Withdrawal Mechanisms
- Privacy Notice and Preference Management
PDP Law: Articles 4, 5, 8, 10, 14 and 15
Ardent Solution: TurtleShield CM (Consent Management) automates required user privacy notices, the gathering and management of consent/opt-out privacy preferences, and the operational honoring of preferences by both internal and downstream third-party data sharers.
5) Enforce Storage Limitation Requirements
PDPL requires organizations to avoid over-retention of personal data. Businesses must:
- Review and assess stored personal data periodically
- Anonymize or delete non-essential data
PDP Law: Article 6
Ardent Solution: TurtleShield DM (Data Minimization) helps you reduce the volume of data you hold and focus on enterprise-centric data. It provides detailed insights for getting rid of non-essential data, reducing the cost of security and storage and building the confidence of business owners and data custodians.
6) Implement Data Disclosure and Data Breach Management and Notification
A timely and coordinated breach response is a legal obligation under PDPL. Organizations should:
- Automate internal breach response workflows
- Notify affected individuals within 24 hours
- Notify the regulatory unit within 72 hours
PDP Law: Article 20
Ardent Solution: The TurtleShield DBM (Data Breach Management) module helps organizations efficiently verify, assess, contain, manage and respond to data breaches, including notifying affected individuals and regulatory bodies as per the legal requirements. TurtleShield DBM streamlines the data breach management process, handles stakeholder management, and accelerates breach response, enabling organizations to notify regulators and stakeholders within the required timeframe.
Follow PDPL Timelines
Compliance with PDPL timelines is crucial for regulatory adherence and avoiding penalties.
Key Requirements:
Breach Discovery – Day 0
Notify Affected Data Subjects
- Within 24 hours of breach discovery
- Include protective measures to mitigate impact
Notify The Unit
- Within 72 hours of breach discovery
- Include: source, mechanism, affected individuals, and any available details
Conclusion:
Jordan’s Personal Data Protection Law No. 24 of 2023 is a landmark step in the region’s digital transformation. Whether you're a local business, a multinational company, or a startup engaging with Jordanian users, compliance is urgent and necessary. Leveraging a solution like Ardent’s TurtleShield platform not only simplifies compliance but demonstrates a commitment to protecting customer data, earning long-term trust and competitive advantage.