How to prepare for Saudi Arabia’s Personal Data Protection Law
In September 2021, the Kingdom of Saudi Arabia issued its Personal Data Protection Law to regulate the processing of personal data. The PDPL is the first federal, sector-agnostic data privacy legislation in Saudi Arabia. Organizations will be faced with significant changes to their operations to ensure compliance.
The PDPL comes into effect only 180 days after the publication in the Official Gazette, meaning the law will be effective March 23, subject to the passage of the implementing regulations. For the first two years, it will be enforced under the Saudi Data and Artificial Intelligence Authority, after which a transition to the National Data Management Office will be considered.
Like other new data protection laws and updates within the broader Middle East and North Africa region, some elements within the PDPL are similar to those of other international data protection regulations. The law also includes numerous unique requirements — such as data transfer and localization requirements — businesses will need to pay careful attention to. Fulfilling these requirements may be operationally burdensome and early planning will be critical to avoid significant setbacks.
The PDPL also includes extraterritorial effect so organizations based outside Saudi Arabia will still be subject to the law and its requirements if they process the personal data of Saudi residents.
What does the law introduce?
The PDPL introduces a number of requirements that could significantly impact how companies in the Kingdom operate. The most notable include:
Data controllers, the organizations that determine the means and purpose of processing of personal data, must register via an electronic portal which includes an annual registration fee.
Records of processing.
Data controllers must create and maintain a record of how they process personal data, and it must be registered with the SDAIA. Any foreign company operating in the Kingdom and processing personal data of Saudi residents must appoint a local representative. More guidance regarding when this requirement will become effective is forthcoming from the SDAIA. Organizations will also be expected to appoint data officers to manage compliance with the law.
Data subject rights.
Individuals are now provided with new rights to their data, namely that they have the right to information about how their data is processed, the ability to access copies of their data and request corrections, and the right to have their data destroyed. Individuals will also have the right to lodge complaints with the regulatory authority.
Data transfers outside the Kingdom are only permitted in limited circumstances. However, even if the transfer meets one of the permitted exceptions, the data controller must receive approval by an appropriate government authority, amongst other conditions.
The principal legal basis for processing under the law is consent. Personal data may only be processed without consent in certain circumstances. Individuals will also have the right to withdraw their consent to the processing of their personal data. Importantly, data controllers must also have prior consent of individuals to send direct marketing and must provide an opt-out mechanism.
Data controllers must assess projects, products and services to identify data protection risks posed to individuals.
Data controllers must implement a privacy notice specifying how data will be processed prior to collecting personal data from individuals.
Data controllers will be expected to report data breaches to the regulatory authority as soon as they become aware of an incident.
Information such as genetic, health, credit and financial data will fall under scope of the law. This data is also likely to be subject to additional regulation.
So how do we prepare?
Like most compliance efforts, early preparation is essential, especially to achieve compliance with some of the more onerous requirements detailed in the PDPL. As a priority, organizations should follow this six-point plan:
Step 1: Understand the data.
Organizations must understand what data they hold, how it is used and who it is shared with. This can be accomplished by creating a record of processing activities to trace data through the information lifecycle. This document can be used as a single source of truth and to inform other compliance activities.
Step 2: Establish governance.
Identifying local representatives where appropriate and appointing data officers will be an essential step. These individuals should be integrated into existing data protection or security networks of governance to enable the successful communication and escalation of risks.
Step 3: Create policies and procedures.
Policies and processes must be updated to reflect the new data protection responsibilities, including procedural guidance for responding to data subject rights requests and issuing data breach notifications. Policy refreshes must also address the assessment of data protection and security standards in place among third parties.
Step 4: Implement and test breach plans.
Organizations need a robust data breach plan that articulates each step involved in responding to a breach, the individuals and teams involved, and the timelines to complete each step. Testing your plan will help to ensure your teams are cohesive and ready should an actual incident occur.
Step 5: Identify international data transfers.
Using the ROPAs as a starting point, organizations should seek to understand what data is transferred internationally and where it is transferred to. This includes understanding how limitations in the law may affect these transfers and beginning to adopt strategies for compliance.
Step 6: Provide training and change management.
Training is an effective tool to develop a sustainable culture of compliance. To complement training activities, organizations should consider identifying change management strategies to help ensure that the compliance activities are embedded successfully.