The Kingdom of Saudi Arabia has enforced its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) aims to protect individuals' personal data privacy and regulate organizations' collection, processing, disclosure, or retention of personal data. The Saudi Data & Artificial Intelligence Authority (SDAIA) is the primary regulatory body that will enforce PDPL in KSA for the first two years, following which a transfer to the National Data Management Office will be considered.
The PDPL provides comprehensive requirements related to processing principles, data subjects' rights, organizations' obligations while processing the personal data of individuals, and cross-border data transfer mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL.
One of the prominent features of the PDPL is that it does not prejudice any provision that grants a right to the data subject or stipulates better protection in any other law or an international convention to which Saudi Arabia is a party.
The PDPL was originally set to be enforced on March 23, 2022. However, SDAIA submitted proposed amendments to the PDPL for public consultation from 20 November 2022 to 20 December 2022. On March 21, 2023, the Saudi Council of Ministers passed amendments to the PDPL.
On 7 September 2023, SDAIA published the Implementing Regulations to the PDPL and the Personal Data Transfer Regulations. The Implementing Regulations and the Personal Data Transfer Regulations provide details on the general obligations and principles highlighted in the PDPL. These regulations, along with the PDPL, will come into force and effect on 14 September 2023.
So, who needs to comply with this law? What rights do data subjects have? Who enforces this new law? To learn the answers to these questions, and more that will help your compliance efforts, read on below:
Here’s how the new law applies to organizations based on their jurisdiction as well as the kind of data involved:
The PDPL applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia. The PDPL also covers the personal data of deceased persons if it would lead to identifying the deceased or one of their family members specifically. The PDPL excludes the processing of personal data for domestic purposes from its scope of application.
The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia by any means. If a foreign organisation processes personal data related to individuals residing in Saudi Arabia, then the PDPL will also apply.
The PDPL provides several obligations for the controlling authorities (data controllers). These have been expanded upon by the Implementing Regulations and the Personal Data Transfer Regulations. Before processing personal data, the data controllers (organisations) are required to ensure the accuracy, completeness, and relevancy of the personal data. The controlling authorities must also fulfill the data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.). The PDPL provides a 12-month grace period for organizations to become compliant after the effective date, i.e., 14 September 2023.
The following are the critical obligations provided under the PDPL that organizations must fulfill to stay compliant:
The PDPL requires that organizations not process personal data without the consent of the data subject, except in the cases stipulated under the Implementing Regulations. Organizations must obtain consent that is given freely, and separate consent must be obtained for each purpose of processing.
Data subjects may withdraw their consent to the processing of personal data at any time, and consent must not be a prerequisite for the data controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
The PDPL provides that consent is not required in the following scenarios:
Organizations must – in the case of collecting personal data directly from data subjects – use adequate means to inform data subjects of the following elements before starting to collect their data:
The PDPL requires organizations to take the necessary organizational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred, per the provisions and controls specified by the Implementing Regulations and Personal Data Transfer Regulations.
The PDPL and the accompanying Regulations require that organizations notify the regulatory authority within 72 hours of first becoming aware of a data breach. Furthermore, the data controller must provide the regulatory authority with a detailed analysis of the breach and the steps being taken to ensure such an incident is not repeated.
Additionally, if the data breach puts the data subjects' personal data at significant risk, the data controller must inform them promptly. The controller must also communicate the contact details of the relevant DPO whom data subjects can contact to learn more about what data has been compromised.
The PDPL provides that organizations are required to appoint a person (or several persons) responsible for implementing the provisions of the PDPL. The Implementing Regulations set out the cases in which such an individual must be appointed, as well as the responsibilities of the Data Protection Officer.
The PDPL mandates that organizations conduct an assessment of the consequences of processing personal data for any product or service provided to the public, according to the nature of their processing activities. The Implementing Regulations go further by providing the minimum informational requirements for such data protection impact assessments (DPIAs).
Under the PDPL, organizations must keep records of their processing activities during the period of processing and for an additional five years from the respective dates on which the processing activities are completed. The records should include, at a minimum, the following data:
The PDPL provides that organizations, when choosing a processing party, must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL, and must continually verify that entity's compliance with its instructions in all matters relating to the protection of personal data.
The PDPL allows for transfers outside of KSA but requires that the recipient country have regulations that ensure appropriate protection of personal data and a supervisory entity that imposes appropriate procedures and measures on controllers to protect personal data. The Personal Data Transfer Regulations state that, subject to exemptions, SDAIA will evaluate countries, international organizations, and specific sectors to enable the transfer of personal data outside KSA, and has set the evaluation criteria. A few of these criteria include:
Additionally, Article 28 of the PDPL prescribes that any of the following can be a basis for transfer:
SDAIA will issue the rules for registration in the National Register of Controllers and specify the controllers that need to be included. This requirement has been reintroduced by the Implementing Regulations.
Previously, cross-border transfer was only allowed in extreme cases and under certain conditions, such as extreme necessity to preserve the life of a data subject outside Saudi Arabia or their vital interests, or to prevent, examine, or treat an infection. Moreover, SDAIA was required to approve each transfer on a case-by-case basis.
Like most other data protection regulations globally, the PDPL guarantees all data subjects certain rights, known as data subject rights. The Implementing Regulations further expand upon these rights. These rights ensure that individuals retain control over their data once it has been collected. Different data protection laws offer different kinds of data subject rights. The ones guaranteed by the PDPL include the following:
The data controller is required to ensure that all data subjects are appropriately informed about these rights and to establish dedicated channels for data subjects to exercise them. The data controller must fulfill these requests within 30 days and record all data subject requests received. The 30-day requirement is shorter than the three-month requirement laid out by the GDPR, so multinational organizations must plan accordingly.
SDAIA will be the primary body responsible for enforcing the PDPL within Saudi borders. Beyond levying penalties on organizations found in violation of the PDPL, SDAIA is also expected to advise organizations on internal data transfers and keep track of data subject rights requests received by organizations, among other responsibilities.
However, SDAIA will supervise the implementation of the new legislation for only the first two years. A transfer of supervision to the National Data Management Office (NDMO) will be considered in 2024.
The PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can therefore be sanctioned.
For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the penalty of the fine in case of repetition of offenses.
Organizations will be required to adjust their status per provisions of the PDPL within a period not exceeding one year from the date that it becomes effective.
Global privacy regulations encourage organizations to be responsible custodians of their consumers' data and to automate privacy and security operations. To operationalize compliance, organizations need to incorporate robotic automation to keep up with the current digital landscape. Several vendors offer software that helps companies comply with global privacy regulations, but these solutions have mostly been restricted to process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PDPL and its accompanying regulations, as well as other privacy and security regulations worldwide.
See how it works. Request a demo today.
PDPL is the Personal Data Protection Law in Saudi Arabia, the country's data protection legislation.
The Executive Regulations comprise the Implementing Regulations and the Personal Data Transfer Regulations, which came into effect on 14 September 2023 along with the PDPL.
Saudi Arabia is not part of the European Union, so GDPR does not directly apply there. However, Saudi Arabia has its own data protection law, the PDPL, which is similar to GDPR in protecting personal data.
The privacy and data protection law of Saudi Arabia is the Personal Data Protection Law (PDPL), which aims to regulate the processing of personal data and protect individuals' privacy rights.