Understanding Saudi Arabia’s Personal Data Protection Law (PDPL)

Published April 14, 2023 / Updated March 19, 2025
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

The Kingdom of Saudi Arabia has published its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) aims to protect individuals' personal data privacy and regulate organizations' collection, processing, disclosure, or retention of personal data.

The PDPL provides comprehensive requirements related to processing principles, data subjects' rights, organizations' obligations while processing the personal data of individuals, and cross-border data transfer mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL.

One of the prominent features of the PDPL is that it does not prejudice any provision that grants a right to the data subject or stipulates better protection in any other law or an international convention to which Saudi Arabia is a party.

Furthermore, the Saudi data protection regulatory authority, the SDAIA, in collaboration with the National Data Management Office (NDMO), issued a draft version of the Executive Regulations on 10 March 2022.

The PDPL was originally set to be enforced on March 23, 2022. However, SDAIA submitted proposed amendments to the PDPL for public consultation from 20 November 2022 until 20 December 2022. On March 21, 2023, the Saudi Council of Ministers passed the amendments to the PDPL. Under the timeline in the amended version, the PDPL officially comes into force on 14 September 2023, and organizations have until 13 September 2024 to comply.

So, who needs to comply with this law? What rights do data subjects have? Who enforces this new law? To find the answers to these questions, and more that will support your compliance efforts, read on:

1. Who Needs to Comply with the Law

Here’s how the new law applies to organizations based on their jurisdiction as well as the kind of data involved:

A. Material Scope

The PDPL applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia. The PDPL also covers the deceased’s personal data, if it would lead to identifying the deceased or one of his/her family members specifically. The PDPL excludes the processing of personal data for domestic purposes from its application scope.

B. Territorial Scope

The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia by any means. If a foreign organisation processes personal data related to individuals residing in Saudi Arabia, then the PDPL will also apply.

2. Obligations for Organisations Under PDPL

The PDPL provides several obligations for the controlling authorities (data controllers). Before processing personal data, the data controllers (organisations) are required to ensure the accuracy, completeness, and relevancy of the personal data. The controlling authorities must also fulfill data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.).

Following are the critical obligations under the PDPL that organizations must fulfill to stay compliant:

A. Consent Requirements

The PDPL requires that organizations not process personal data without the consent of its owner, except in the cases stipulated under the Draft Regulations.

Data subjects may withdraw their consent to the processing of personal data at any time, and consent must not be a prerequisite for the data controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

The PDPL provides that consent is not required in the following scenarios:

  • If the processing would achieve a clear benefit and it is impossible or impractical to contact the data subject;
  • If it is required by law or prior agreement to which the data subject is a party;
  • If the controller is a public entity and the processing is required for security or judicial purposes;
  • If the controller is collecting data for scientific, research, or statistical purposes while having taken the necessary steps stipulated within the law;
  • If the processing is necessary for the legitimate interests of the controller or another party, provided that the rights of data subjects are not prejudiced. This exception does not apply to sensitive personal data.

B. Privacy Policy Requirements

The PDPL requires that organizations adopt a personal data privacy policy and make it available to data subjects to review before collecting their data. This policy shall include the purpose of its collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed, how it will be destroyed, the rights of its owner in relation to it, and how these rights will be exercised.

Organizations must – in the case of collecting personal data directly from data subjects – use adequate means to inform data subjects of the following elements before starting to collect their data:

  • The valid legal or practical justification for collecting their personal data;
  • The purpose of collecting their personal data, and whether collecting all or some of it is mandatory or optional, and informing them also that their data will not be processed later in a manner inconsistent with the purpose of its collection or in cases other than those stipulated in the PDPL;
  • The identity of the person collecting the personal data and the address of their reference when necessary, unless the collection is for security purposes;
  • The organization(s) to which the personal data will be disclosed, its/their capacity, and whether the personal data will be transferred, disclosed, or processed outside the Kingdom;
  • Possible effects and dangers of not completing the personal data collection procedure;
  • Data subject rights; and
  • Any other elements determined by the regulations according to the nature of the activity practiced by the organization.

C. Security Requirements

The PDPL requires organizations to take the necessary organizational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred, per the provisions and controls specified by the Draft Regulations.

D. Data Breach Requirements

The PDPL requires that organizations notify the regulatory authority within 72 hours of first becoming aware of a data breach. Furthermore, the data controller must provide the regulatory authority with a detailed analysis of the breach and the steps being taken to ensure such an incident is not repeated.

Additionally, if the data breach puts the data subjects' personal data at significant risk, the data controller must inform them promptly. The controller must also communicate the contact details of the relevant data protection officer (DPO) whom data subjects can contact to learn more about what data has been compromised.

E. Data Protection Officer Requirement

The PDPL provides that organizations are required to appoint a person (or several persons) to be responsible for implementing the provisions of the PDPL.

F. Data Protection Impact Assessment

The PDPL requires organizations to conduct an assessment of the consequences of processing personal data for any product or service provided to the public, according to the nature of their processing activities.

G. Record of Processing Activities

Under the PDPL, organizations must keep records of their processing activities for a period determined by the Draft Regulations. The records should include, at a minimum, the following data:

  • Contact details of the organization;
  • The purpose of processing personal data;
  • A description of the categories of data subjects;
  • Any party to which personal data has been (or will be) disclosed;
  • Whether personal data has been (or will be) transferred outside Saudi Arabia or disclosed to a party outside Saudi Arabia; and
  • The period of time that it is expected the personal data will be kept.

H. Vendor Assessment/Third-Party Processing Requirements

The PDPL provides that organizations – when choosing the processing party – must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and must constantly verify such entity's compliance with its instructions in all matters relating to the protection of personal data.

I. Cross Border Data Transfer Requirements

The PDPL allows transfers outside Saudi Arabia but requires the recipient country to have regulations that ensure appropriate protection of personal data and to have a supervisory entity that imposes appropriate procedures and measures on controllers to protect personal data. For these purposes, SDAIA will set evaluation criteria. Additionally, Article 28 of the PDPL prescribes that any of the following can be a basis for transfer:

  • preservation of the public interest, public health, public safety, or protection of life or health of a specific individual or individuals;
  • performance of an obligation under an international agreement to which the Kingdom of Saudi Arabia is a party; or
  • performance of an obligation of the personal data subject in accordance with the Draft Regulations.

Previously, cross-border transfer was only allowed in extreme cases and under certain conditions, such as where it was strictly necessary to preserve the life or vital interests of a data subject outside Saudi Arabia, or to prevent, examine, or treat an infection. Moreover, SDAIA was required to approve each transfer on a case-by-case basis.

3. Data Subject Rights

Like most other data protection regulations globally, the PDPL guarantees data subjects certain rights. These rights, known as data subject rights, ensure that individuals retain control over their data once it has been collected. Different data protection laws offer various kinds of data subject rights. The ones guaranteed by the PDPL include the following:

  • Right to Know/Information - Data subjects have the right to know about the data controller's contact details, the exact reason the data is being collected, the methods being used for data collection, and whether this collected data will be shared or sold.
  • Right to Request Correction - Data subjects have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete.
  • Right to Request Destruction - Data subjects have the right to request the destruction of data collected on them. The reasons can range from the user rescinding their consent for data collection to the data no longer serving the purpose for which it was collected.
  • Right to Limit/Restriction of Processing - Data subjects have the right to limit or refuse the processing of their personal information by the organization for special cases and for a limited period of time. This right is not explicitly provided under the PDPL; however, the regulatory authority has released a set of FAQs that provides details of this right.
  • Right to Data Portability - The data subjects can obtain their personal data in a legible and clear format and request their personal data to be transferred to another controller.

The data controller is required to ensure that all data subjects are appropriately informed about these rights and establish dedicated channels for data subjects to exercise these rights. The data controller must fulfill these requests within 30 days and record all data subject requests received.

4. Regulatory Authority

The Saudi Data & Artificial Intelligence Authority (SDAIA) will be the primary body responsible for enforcing the PDPL within Saudi borders. More than just levying penalties on organizations found in violation of the PDPL, the SDAIA is also expected to advise organizations in internal data transfers and keep track of data subject rights requests received by organizations, among other responsibilities.

However, the Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for only the first two years. A transfer of supervision to the National Data Management Office (NDMO) will be considered in 2024.

5. Penalties for Non-Compliance

The PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can therefore be sanctioned.

For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the penalty of the fine in case of repetition of offenses.

6. How an Organisation Can Operationalize the Law

Organizations are required to bring their operations into line with the provisions of the PDPL within a period not exceeding one year from the date it becomes effective. To do so, organizations should:

  • Catalog their data inventories and classify sensitive personal data and personal data;
  • Assess whether they need to appoint a representative in Saudi Arabia;
  • Register themselves within Saudi Arabia;
  • Disclose how personal data is being processed through transparent formal policies and privacy notices;
  • Develop formal policies and procedures for data collection (consent framework etc.) and processing, and update privacy policies as needed;
  • Have robust data breach notification mechanisms in place;
  • Map their processes and discover cross-border data flows from Saudi Arabia to other countries, and fulfill strict cross-border requirements under the PDPL;
  • Have a comprehensive data subject requests framework in place;
  • Develop the capability to scan and track data processing activity and produce ROPA reports for compliance;
  • Have technical and organizational security measures in place to protect their processing activities; and
  • Conduct personal information protection impact assessments, vendor assessments, and other risk assessments.

7. How Can Securiti Help

Global privacy regulations encourage organizations to be responsible custodians of their consumers' data and automate privacy and security operations. To operationalize compliance, organizations need to incorporate robotic automation to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.

Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PDPL and other privacy and security regulations worldwide.

See how it works. Request a demo today.

Frequently Asked Questions (FAQs)

PDPL is the Personal Data Protection Law in Saudi Arabia, the country's data protection legislation.

The Saudi data protection regulatory authority, the SDAIA, published the Implementing Regulations to the PDPL and the Personal Data Transfers Regulations. The Implementing Regulations and the Personal Data Transfers Regulations provide details on the general obligations and principles set out in the PDPL. These regulations and the PDPL come into force and effect on 14 September 2023.

Saudi Arabia is not part of the European Union, so GDPR does not directly apply there. However, Saudi Arabia has its own data protection law, the PDPL, which is similar to GDPR in protecting personal data.

The privacy and data protection law of Saudi Arabia is the Personal Data Protection Law (PDPL), which aims to regulate the processing of personal data and protect individuals' privacy rights.
