How to comply with Saudi Arabian data protection laws

The Personal Data Protection Law (PDPL) is the first data protection law of its kind to be passed in the Kingdom of Saudi Arabia. It regulates the processing of personal data of Saudi Arabia residents, who are called data subjects.

The PDPL will regulate any kind of processing of personal data of Saudi Arabia residents including collecting, using, storing, managing, sharing, or updating of personal data.

The principal aim of the PDPL is to require private and public entities, called data controllers, to have a legal basis for the processing of personal data, and to ensure that these entities process personal data fairly, lawfully, and securely. Companies and organizations must protect personal data from loss, damage, or destruction.

Who should be aware of data protection laws in Saudi Arabia?

Personal information and sensitive personal information of Saudi Arabians, whether living or deceased, are the subject of Saudi Arabia’s data privacy rules. As such, all publicly or privately owned organizations that handle such data by any means must do so within the ambit of Saudi Arabia’s personal data protection law.

These laws also apply to any processing carried out by entities outside the Kingdom. As a result, even foreign companies must comply if they do business with Saudi clients. The following section describes these laws and what their provisions entail.


What Saudi Arabia data protection laws you need to know

Saudi Arabia’s data protection landscape is primarily governed by two laws.

One is the Personal Data Protection Interim Regulation (PDPIR). The other is the very recent Personal Data Protection Law, which will soon take full effect.

As the title implies, the PDPIR administers Saudi Arabia’s personal data protection in the interim, regulating all companies within and outside the Kingdom.

The PDPL, once in force, is considerably more comprehensive. It governs activities involving the collection and processing of personal information. It is based on general data processing principles and extensively covers data subjects’ rights, processors’ obligations, cross-border transfer protocols, and consequences for noncompliance.

Notably, the new law does not override or attempt to replace any earlier local or international regulation that provides better protection or gives the data owner a stronger right.


Complying with the PDPL

The law specifies the measures that entities must take in the course of their business. This section provides an overview of them.

The PDPL makes it clear that consent from the owner is required before obtaining and processing data, and that this consent can be withdrawn at any time.

Nonetheless, there are several cases where the consent requirement is dispensed with. For example, where:

  • The processing is for a specific benefit, and it is not possible or practicable to reach the subject;
  • It is mandated by law or a prior agreement to which the subject is a party;
  • The controller is a government agency, and the processing is necessary for a public purpose;
  • The data is collected for scientific or investigative reasons, and other applicable legal measures have been followed.

Rights of data subjects

The PDPL grants certain rights to enable owners to retain control over their data. These include the rights to:

  • Be duly informed of the purpose of collection and whether it will be shared with a third party.
  • Access and acquire a clear and legible copy of their personal data on demand and free of charge.
  • Request the correction of data that is no longer complete, accurate, or up-to-date.
  • Demand destruction of collected data where consent has been withdrawn.
  • Complain to the authority where their rights have been breached.


Requirement of privacy notices

The PDPL also contains provisions governing data privacy in Saudi Arabia. It mandates that all organizations make their privacy policies available for subjects to review before the subjects give out their information.

The privacy policy should include all necessary details, such as:

  • the lawful purpose for collecting;
  • what fields are mandatory or optional, and assurance that processing will be limited to the purpose of collection and in accordance with the PDPL;
  • identification details of the controllers, save where the information is collected for security purposes;
  • other parties with whom the data may be shared, and whether such sharing crosses borders;
  • potential risks and consequences of failing to complete the collection procedure;
  • the rights of the subject;
  • other details which may be specifically required depending on the type of organization.

Other procedural measures

When a breach occurs, firms must notify the regulatory authorities within 72 hours of discovering the breach. This should be followed by a detailed report on the nature of the violation and steps taken to avoid a repeat of the incident.

If the breach jeopardizes the security of the data, the company may be compelled to notify the affected subject(s) as soon as possible. In addition, the official in charge of data protection must ensure that the subjects’ fears about the breach are allayed.

The PDPL expects companies to conduct impact assessments regularly to ensure all compliance processes are in place. Similarly, when outsourcing processing, the organization must select only providers who have made all necessary efforts to comply with the legislation. This compliance must also be assessed regularly to ensure that data is not compromised from any end.

Processors must keep up-to-date records of processing activities for the period specified in the Draft. These records should include the following information: the processor’s details, the purpose of processing, any party with whom personal data has been or will be shared, including where there will be a transfer outside Saudi Arabia, and the duration for which the information will be kept.


Penalties for non-compliance

The penalty for revealing sensitive personal data under the PDPL is two years’ imprisonment, an $800,000 fine, or both.

For violations during cross-border transfer, the penalty is one year in prison or a fine of around $267,000, or both. Violation of other provisions is normally punished by warning notices or fines, with the highest fine set at about $1.3 million.

Any of these sanctions may be doubled in the event of a repeat offense.


Data transfer requirements

The PDPL supports Saudi Arabia’s data localization. As such, transfers beyond the Kingdom are typically prohibited except for the purposes specified in the Regulations.

The Saudi Arabia Data and Artificial Intelligence Authority (SDAIA) and its Regulations can give additional grounds for authorized transfers, but currently, there are a few conditions under the PDPL that must be met before data can be transmitted outside of Saudi Arabia.

First, a strict impact assessment on the destination country is required to ensure the receiving location is secure. In addition, the organization must obtain written permission from the SDAIA.

The exceptions to this requirement are where the transfer is necessary for a public purpose or to preserve the subject’s life.


How can Ardent Privacy Help?

To meet the obligations and challenges described above, Ardent helps enterprises build a DBoM (Data Bill of Materials) to prioritize the critical data assets that matter most to the business. It aligns security and data privacy controls to the business. Our solutions help enterprises discover, identify, and map data, from Personally Identifiable Information (PII) to sensitive data assets. They also reduce an enterprise’s unwanted or excess data footprint, making it compliant and resilient in the face of significant security and privacy challenges. They also provide the discovery capabilities essential to meeting the privacy requirements of the updated Saudi Arabia (PDPL) compliance regime, such as data inventory, identification, data subject access requests (DSAR), and data minimization. Enterprises collect and retain vast amounts of personal data, which represents a substantial liability for privacy compliance. By using the Ardent Privacy solution, enterprises can reduce risk and liability by limiting excess storage of personal data. Data minimization reduces the costs associated with securing data and storage. It is vital for enterprises to know what data they have and to keep only what they need to do business.