On 24 September 2021, the National Centre for Documents and Archives of the Royal Court of Saudi Arabia published the Personal Data Protection Law (PDPL). The introduction of the PDPL reflects Saudi Arabia's Vision 2030, which aims to develop a digital infrastructure and support innovation to grow a digital economy. The law will come into effect on 23 March 2022, 180 days after its publication. It is important to note that within that period the law will be supplemented by the publication of Executive Regulations.
The PDPL will transform the data protection regime in Saudi Arabia, where privacy and data protection are currently protected by uncodified Shari'a principles and multiple sectoral regulations. The new law has similarities with the EU General Data Protection Regulation (GDPR), as it recognises similar rights and principles, such as transparency, data minimisation, purpose limitation, storage limitation and accuracy. However, key differences include the law's application to the data of deceased persons and its more stringent breach notification and data transfer requirements.
Key PDPL provisions
Personal data is defined as any information that identifies, or can identify, an individual directly or indirectly. Sensitive personal data includes data revealing an individual's race, ethnicity, religion, political views or opinions, criminal and genetic data, personal biological characteristics and health information, as well as financial and location information.
The PDPL applies to the processing of personal data of individuals that takes place within the territory of the Kingdom, including processing carried out by organisations located outside the Kingdom. Foreign organisations are required to appoint representatives within the Kingdom who will be responsible for the protection of personal data.
Unlike the GDPR, the PDPL's scope extends to the personal data of deceased persons where it would lead to the deceased or their family members being identified.
Responsibilities of Personal Data Controller
A data controller is defined by the PDPL as the entity that determines the purposes and means of the processing of personal data. Data controllers are obliged to register with the Saudi Arabian Authority for Data and Artificial Intelligence and to register their records of processing activities, implement security measures, appoint one or more employees responsible for compliance with data protection obligations, establish and make available privacy policies (otherwise known as privacy notices) before any processing activity takes place, and prepare data protection impact assessments in relation to any product or service.
Data controllers are required to establish policies and procedures for the management of processors. Organisations should only engage processors that provide adequate safeguards for personal data, should govern the relationship by contract, and should be able to conduct regular audits to verify the processor's compliance with the law and its contractual obligations.
Legal Bases for Processing
The PDPL provides a number of legal bases on which the processing of personal data may lawfully rely. These include:
- Processing in the interest of the individual, where the individual cannot reasonably be contacted;
- Compliance with legal obligations;
- Contractual necessity; and
- Where the controller is a public entity, for security and judicial purposes.
The primary legal basis for processing is consent, which must be explicit and cannot be made a condition of the provision of a service or benefit. In certain circumstances written consent is required for the processing to be lawful; credit data, for example, may only be processed with the individual's written consent.
The PDPL sets out a general prohibition on the transfer of personal data outside Saudi Arabia. There are exemptions to the prohibition, permitting transfers only where they are (i) necessary to preserve the vital interests of the individual; (ii) for public health purposes; (iii) in fulfilment of an obligation of the Kingdom; or (iv) in the interest of the Kingdom.
Even where one of these exemptions applies, the following conditions must also be met: (i) the transfer must not prejudice national security or the interests of the Kingdom; (ii) adequate safeguards must be in place to protect the personal data to a standard equivalent to the PDPL; (iii) the data minimisation principle must be observed; and (iv) in some circumstances the transfer must be approved by the competent authority.
The PDPL only permits marketing communications where individuals have opted in, and individuals must be able to withdraw their consent at any time.
Under the PDPL, individuals have the right to be informed that processing is taking place and to obtain a copy of, update, correct or complete their information. Individuals also have the right to withdraw their consent at any time.
Controllers must notify data breaches to the competent authority as soon as the organisation becomes aware of the incident. If the breach is likely to cause serious harm to individuals, those individuals must be notified immediately. The requirement for immediate notification is a significant difference from other regimes; the GDPR, for instance, requires notification within 72 hours of becoming aware of the breach.
The Saudi Arabian Authority for Data and Artificial Intelligence will supervise the application of the PDPL for two years. After that period, the National Data Management Office will be considered to be the lead data protection authority in the Kingdom.
A violation of the PDPL will be subject to criminal, administrative and civil penalties. The unlawful processing of sensitive data can result in wide-ranging sanctions, including imprisonment of employees of the personal data controller for up to two years and/or fines of up to SAR 3 million (approx. £592,000). Infringements of the international data transfer requirements could result in imprisonment of the controller's employees for up to one year and/or fines of up to SAR 1 million (approx. £197,000). All other violations of the new law could be subject to warnings and fines of up to SAR 5 million (approx. £1 million). In the case of repeat violations, the fines may be doubled. Finally, the competent court may order the confiscation of funds obtained through the violation, the publication of the judgement in a local newspaper and/or compensation for material and/or moral damages.
There are a number of practical steps that organisations can begin to take now in preparation for the PDPL.
Develop a Record of Processing Activities
- Undertake data mapping exercises to understand and document what personal data is processed, the legal basis relied upon, where it is stored and what security measures are in place to protect personal data
- Categorise personal data on a risk based approach and identify whether additional risk mitigation measures are required (e.g., encryption, transfer safeguards)
Update Policies and Procedures
- Identify existing policies and procedures addressing privacy and data protection and develop a remediation schedule. Particular focus should be given to any external-facing policies (e.g., privacy notices)
- Review and update existing risk management procedures to include privacy impact assessments aligned to business change activities
- Review and update, or implement, policies and procedures addressing individual rights requests and inquiries
- Identify existing systems and business processes that process personal data and liaise with IT to ensure the functionality exists to respond to individual rights requests and inquiries
Develop and deploy privacy training & awareness materials
- Update privacy training & awareness materials for employees to reflect PDPL provisions
- Design rollout plan for training & awareness materials ahead of PDPL implementation date (23 March 2022)
Define and test breach management processes
- Define breach and incident management processes, including reporting lines, and designate individuals to perform key roles (e.g., a privacy response team and IT representatives forming part of the crisis management team)
- Undertake breach simulation exercises to gauge the effectiveness of breach management process
Identify instances of international transfers and assess applicability of exemptions / safeguards
- Identify instances where personal data is transferred outside of Saudi Arabia
- Assess whether the transfer falls within the four categories of exemptions
- Where the transfer does not fall within the four categories of exemptions, assess organisational impact and determine whether additional measures are required to store data within Saudi Arabia (e.g., designating a data warehouse in Saudi Arabia)
Review Governance Structures
- Identify and/or designate a point of contact for privacy and assess their suitability based on qualifications, experience and capacity
- Determine whether supplementary resources are required to bolster the privacy function
Monitor regulatory updates
- Monitor regulatory developments and guidance in Saudi Arabia, with a particular focus on the supplementary regulations that are due to be published prior to the PDPL implementation date
- Monitor regulatory developments within the region, with a particular focus on jurisdictions whose economies are closely connected to Saudi Arabia
A&M: Leadership. Action. Results.
A&M’s privacy and data protection professionals have extensive operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our services, please get in touch with one of our authors.
Robert Grosvenor, Managing Director
James Daniell, Managing Director
Matthew Negus, Senior Director
Christopher Woodhead, Associate
Dubhe Sarmiento, Analyst