The Kingdom of Saudi Arabia has introduced its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) aims to protect individuals' personal data privacy and regulate organizations' collection, processing, disclosure, or retention of personal data. From 14 September 2023, entities had one year to achieve compliance with the PDPL and Regulations, which all became fully enforceable on 14 September 2024.
So, who needs to comply? Who enforces this new law? To learn more about these questions and a lot more to increase your compliance efforts, read more below:
Who Needs to Comply with the PDPL?
The PDPL applies to processing personal data and sensitive personal data related to individuals residing in Saudi Arabia.
The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia by any means. If a foreign organization processes personal data related to individuals residing in Saudi Arabia, then the PDPL will also apply.
Who Enforces the PDPL?
SDAIA will be the primary body responsible for enforcing the PDPL within Saudi borders. In addition to penalizing organizations found violating the PDPL, the SDAIA is expected to advise organizations on controls required for the proper implementation of the data protection framework.
Nevertheless, SDAIA will supervise the new law's implementation. In 2025, a transfer of supervision to the National Data Management Office (NDMO) will be considered for only the first two years. A transfer of supervision to the National Data Management Office (NDMO) will be considered in 2025.
What are the Penalties for Non-Compliance?
The PDPL can issue fines (up to SAR 5,000,000) for violating the provisions and regulations. The competent court may also double the fine for data breaches in case of repetitive violations.
The PDPL also provides for imprisonment (up to two years) for disclosure or publication of sensitive data (done in violation of the PDPL) with the intention to harm an individual or to achieve personal gain.
What are the Roles and Obligations of an Organization under the PDPL?
The PDPL provides two roles for an organization regarding the processing of personal data – a Controller and a Processor.
A Controller is an organization that makes decisions about the purposes and means of processing personal data. The Controller is ultimately responsible for processing under PDPL.
A Processor is an organization that processes personal data on behalf of a Controller. Unlike the Controller, the Processor does not make decisions about the purposes and methods of personal data processing and instead takes direction from the Controller.
Some of the key obligations covered by the PDPL include:
The PDPL requires that organizations do not process personal data without the consent of their owner except for cases stipulated under the Implementing regulations. Organizations must obtain consent that is freely given and independent consent must be obtained for each purpose of processing.
The PDPL requires that organizations adopt a personal data privacy policy and make it available to data subjects to review before collecting their data. This policy shall include the purpose of its collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed, how it will be destroyed, the rights of its owner to it, and how these rights will be exercised.
The PDPL requires organizations to take the necessary organizational, administrative, and technical measures and means to preserve personal data, including when it is stored or transferred.
The PDPL requires that organizations notify the regulatory authority no later than 72 hours after first becoming aware of a data breach. Furthermore, the data controller must provide the regulatory authority with a detailed analysis of the violation and what steps are being taken to ensure such an incident is not repeated.
- Data Protection Officer Appointment
To guarantee adherence to the Personal Data Protection Law, the SDAIA has established Rules for Appointing A Personal Data Protection Officer (DPO). Check those rules to determine whether your organization is mandated to appoint a DPO.
- Data Protection Impact Assessment
The PDPL mandates organizations to assess the consequences of processing personal data for any product or service provided to the public, according to the nature of their processing activities.
- Record of Processing Activities
Under the PDPL, organizations must keep records of their processing activities during the processing period and for an additional five years from the respective dates when the processing activities are completed.
- Vendor Assessment/Third-Party Processing Requirements
The PDPL provides that organizations must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL when choosing the processing party and constantly verify such entity's compliance with its instructions in all matters relating to the protection of personal data.
- Cross Border Data Transfer Requirements
PDPL allows transfers outside of KSA but requires the recipient country to have regulations that ensure appropriate protection of personal data and has a supervisory entity that imposes proper procedures and measures on controllers to protect personal data.
How Can Organizations Ensure they are PDPL Compliant?
There will be different timelines for enforcement that will be applied to certain sector-specific entities (e.g. financial institutions, private entities working primarily with government and public organizations, etc.) and the relevant authority for each sector will communicate that. This will require businesses and organizations to remain vigilant in their efforts to ensure compliance with the PDPL to safeguard the privacy and security of individual personal information.
SDAIA and NDMO have also provided several resources to assist organizations with their implementation of PDPL:
Knowledge Centres
NDMO: Knowledge Centre
SDAIA: Laws, Regulations and Guidance
PDPL Self-Assessment Tools:
NDMO: PDPL Compliance Self-Assessment
This assessment is designed to support entities in performing a self-assessment of their existing compliance posture with the regulatory requirements of PDPL and its regulations.
Embracing data protection builds trust between a business and its customers and provides a solid platform for successful partnerships. At Unifonic, all our products and services comply with these regulations, and we are ideally placed to help our clients navigate the complexities of adhering to these new standards.
After providing an overview of the PDPL, in the next blog, we’ll discuss how and when you should obtain consent from your customer now that the law is in effect.
The above provides a summary of the PDPL; however, Unifonic cannot provide legal advice, so please check with your legal counsel before taking any action in your pursuit of PDPL compliance.
