
KSA’s Personal Data Protection Law

Introduction

Privacy and data protection are becoming one of the most critical issues of an era that is characterized by the technological revolution and a paradigm shift in our interaction with each other and the digital world in general. Data protection is an essential element in protecting the rights of individuals, which is intrinsically tied to the Human Rights of Individuals. Privacy and data protection are not just the responsibility of a nation state; the onus to have a robust privacy structure falls on organizations too. Several national laws to safeguard citizens’ privacy rights and the practical application of data protection rules in day-to-day businesses have been modelled after the European regime of data protection and privacy regulations. So, it is crucial to consider the Kingdom of Saudi Arabia’s new rules in light of the General Data Protection Regulation (GDPR). The cornerstone for the law’s effective implementation and operation in Saudi Arabia will be its main considerations, principles, and requirements.

DATA PROTECTION AND KINGDOM OF SAUDI ARABIA 

The KSA’s New Personal Data Protection Law is designed to systematically protect the “personal data” of individuals. After a period of 180 days from the date of publication, the law will come into effect on 23 March 2022, and thus data controllers would have to ensure compliance with the law. The Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. The Saudi Data & Artificial Intelligence Authority (“SDAIA”) will be coordinating with the Central Bank and other Information Technology ministries for the implementation of the PDPL. On September 24, 2021, the PDPL was released in the Saudi Arabian Official Gazette. It goes into effect in full on March 23, 2022. After that, Data Controllers have an additional year to comply with the PDPL, though this time frame may be extended. The PDPL will be supplemented by rules, which must be published by 23 March 2022 and will probably give more context and direction for the PDPL’s actual use.

Personal Data Protection law

AIMS OF PDPL SAUDI ARABIA 

  • Privacy of personal data of residents of Saudi Arabia 
  • Streamline various sector-specific privacy laws under one single statute 
  • Regulate data sharing 
  • Prevent the abuse of personal data 
  • Develop digital Infrastructure 
  • Support innovation to grow a digital economy 
  • Place Saudi Arabia aligned with the international standards

PROVISIONS OF PDPL

Consent

The PDPL requires that organizations not process personal data without the consent of its owner except for the cases stipulated under the Draft Regulation.

Data Controller:

  1. Controllers must adopt a data privacy policy, and the policy should be available to individuals to view before collecting their data.
  2. If the Controller is collecting data directly from the data owner, it must inform him or her of:
     a) the legal basis for collecting data
     b) the purpose of collecting data
     c) the information of those who collect it
     d) informing the data subjects
     e) decision of cross border transfer of data
  3. Data controllers must prepare, maintain and register data processing activities with SDAIA.
  4. Breach incident must be notified ‘immediately’ to the SDAIA and data subjects.
  5. Controllers must appoint at least one of their employees to be responsible for achieving compliance with the Law.
  6. Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.

Cross Border Transfers 

KSA’s Personal Data Protection Law strictly stipulates that a cross-border data transfer may only take place once a strict impact assessment has been carried out to evaluate just how secure the external location is. Additionally, written consent from the regulatory authority is also required.

Data Subject Rights

The rights of the Data Subjects have been enumerated, including:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to destruction

Penalties

The KSA PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can therefore be sanctioned. For violating the cross-border data transfer requirements, there may be imprisonment for up to one year and/or a fine not exceeding SAR 1 million ($267,000). For violations of other provisions of the Saudi PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the penalty of the fine in case of repetition of offenses.

CHALLENGES FOR ORGANIZATIONS

  • Compliance with data sovereignty regulations in cross-border transfer of data
  • Compliance with several other sectoral stakeholders and regulations (e.g. CITC, SAMA)
  • Operationalization and classification of data to mitigate any identified data sovereignty risks
  • The concepts of privacy and data protection have to be embedded in the approach of an organization
  • Vendor management
  • Compliance with international standardizations
  • Establishing robust Cybersecurity and privacy management
