UNDERSTANDING SAUDI ARABIA’S PDPL

Article by Tsaaro

INTRODUCTION 

Saudi Arabia issued its pilot national data protection legislation to regulate the collection, storage and processing of personal data. The law would accelerate Saudi Arabia’s efforts to digitize its economy while creating a data bank in the society. This is the new Personal Data Protection Law (PDPL), which was implemented on 14 September 2021. The SDAIA (Saudi Data & Artificial Intelligence Authority) was responsible for implementing the new law for the first two years from its introduction, after which this role was taken over by the NDMO (National Data Management Office). The PDPL would ensure the privacy of personal data, regulate data sharing and prevent the abuse of personal data, in line with the goals of the Kingdom of Saudi Arabia’s Vision 2030, in order to develop the digital infrastructure that supports innovation and the growth of the digital economy.

SCOPE OF SAUDI ARABIA’S PDPL ACT

The PDPL has been designed for the protection of “personal data”, which is any information, in any form, through which a person may be directly or indirectly identified. This explicitly includes the individual’s name, identification number, proof of address and contact numbers, along with any photographs and video recordings of the individual, for any such personal or familial use.

FEATURES OF THE ACT 

Some of the prominent features of the PDPL are consistent with the principles and concepts of contemporary international data protection laws.

  • Data Subject Rights: Individuals, subject to certain exceptions, will have the right to be informed of the processing of their personal data and the legal basis for such processing, the right to access their personal data, the right to correct or update their personal data, and the right to request its deletion as and when deemed redundant. Data subjects would also be able to file complaints regarding the application of the PDPL with the regulating authorities.

  • Controller Registration: Companies which collect personal data and determine the purpose for which it is used and the method of such processing would be required to register on the electronic portal, which would form a national record of controllers. An annual fee will be payable for the registration. The fee would be determined in the executive regulations.

  • Consent Withdrawal and Service Provision: Data subjects may withdraw their consent to data processing at any time. Furthermore, consent cannot be a prerequisite for getting a service or benefit unless the service expressly requires such processing.  

  • Alternatives to Consent for Data Processing: The law recognises that data processing may occur without the consent of the data subject. These include situations in which processing would result in a clear advantage but contacting the data subject is impractical, where it is required by law or a previous agreement, or when the data controller is a governmental agency and must handle data for security or legal purposes.  

  • Data controllers must create a privacy policy outlining the scope and purpose of data collection, which must be communicated to data subjects before their personal information is collected.

  • Limitations on Data Use: Organizations are urged to clearly specify the purposes for collecting personal data and to acquire just the amount of data required to fulfil these purposes. 

  • Impact Assessments and Cessation of Data Collection: Controllers must undertake impact assessments of their data processing activities. If the personal data is no longer required for its intended purpose, data collection should be stopped.

  • Marketing Restrictions: The use of personal data for marketing purposes is banned unless the data subject consents or there is an opt-out mechanism. 

  • Breach Notifications: Data breaches, leakages of or unauthorized access to personal data must be notified to the supervising authorities, and breaches which cause material harm to the data subject should be notified to the data subjects.

OPERATIONAL IMPACT ON BUSINESS 

The rapid change in the privacy landscape has been pushing for efficient practices. Operations would need to consider the changes which the PDPL would bring for them. Authorities have to consider five core aspects within the model of their enterprises. These include a Gap Analysis Review and identification of the core procedures within the company, along with identification of the key touchpoints that would need to hold personal data.

• Compliance Audit: Assess adherence to PDPL requirements using a comprehensive, risk-based method to guarantee that significant compliance risks are effectively addressed with strong controls. 

• Governance: Business leaders must create detailed policies, procedures, and frameworks to uphold PDPL requirements. 

• Training & Development: Educating and increasing awareness among employees and operations teams is crucial for ensuring PDPL and regulatory compliance. 

• Compliance Programme: Leaders should develop and implement an extensive compliance program that encompasses PDPL requirements throughout the organization. This program should integrate privacy as a core aspect of the business value chain, with leaders continually monitoring data privacy risks and seeking to improve their competitive position in the market. 

CONCLUSION 

The introduction of Saudi Arabia’s Personal Data Protection Law (PDPL) marks a significant step forward in the country’s digital transformation, aligning with Vision 2030’s goals to enhance its digital infrastructure and boost the digital economy. By establishing clear guidelines for data protection, individual rights, and corporate responsibilities, the PDPL not only safeguards personal information but also sets a framework for ethical data use across sectors. As organizations adapt to these regulations, the emphasis on compliance audits, governance, training, and robust data management practices will be crucial in fostering a secure, privacy-respecting business environment, ultimately driving innovation and competitive advantage in the region. 
