On March 23rd, 2022, the Kingdom of Saudi Arabia has enrolled its first comprehensive data protection law (the PDPL). The law aims to protect personal data privacy by regulating the collection, processing, disclosure, or archiving of information within organizations. 

The Saudi Data & Artificial Intelligence Authority will supervise the implementation of the new legislation for the first two years, then a transfer under the supervision of the National Data Management Office (NDMO) will be considered.

The transition period is expected to take 12-18 months before the regulation is enforced nationally. This period can be elongated for the companies outside KSA. But all operations review is highly recommended for all companies, doing business in or with KSA. Organizations might consider changes in their data processing to ensure compliance with the new PDPL, as penalties for breaches will now be reaching up to SAR 5,000,000 (USD 1,333,000) or, in some cases, will lead to imprisonment.

To whom and where this applies

The PDPL applies to public or private organizations, processing data of KSA residents, including processing by entities outside the Kingdom. Therefore, special attention should be paid if your company is selling goods or services to KSA-based customers or if your company has KSA-based employees.

Before the processing of sensitive data, organizations are required to ensure the accuracy, completeness, and relevancy of personal data. The data processing principles, such as collection, purpose, retention limitations, data security, accountability, etc., should also be fulfilled.

Key requirements

1. Registration. Organizations need to register and pay annual registration fees on an electronic portal that will form a national record of controlling authorities. Organizations operating outside of the KSA and processing sensitive data of the Saudi residents must appoint a representative in Saudi Arabia, that will be in charge of compliance with the applicable laws.

2. Data Flow Mapping. Organizations will be obliged to track where and by whom data is held and processed. Detailed records will be uploaded to a new online portal, stating the purpose, entities, and whether the data will be transferred outside the KSA.

3. Consent. The PDPL requires that organizations must not process personal data without the consent of its owner. There are several exceptions still. Particularly, if the organization is a public entity and the processing is required for security or judicial purposes, - consent is not required.

4. Privacy Policy. The new PDPL grants employees, customers, or any data owners a right to be informed, a right to access the data collected about them, a right to request correction, completion, or updating of their personal data, and a right (within acceptable limits) to request the destruction of it.

5. Record of processing activities. Organizations are required to keep records of their processing activities, including a minimum of the following: contact details, the purpose of processing, data subjects’ categories description, parties to which data are disclosed, whether sensitive data is transferred or disclosed outside Saudi Arabia, time data will be kept within the organization.

6. Immediate breach notification. PDPL demands to notify authorities about a breach, whether it be a leak, unauthorized access, or unintended destruction, right as soon as this becomes known. Unlike many other international laws, PDPL doesn’t give a specified period.

7. Cross-border personal data transfer. PDPL prohibits data users from transferring personal data to an entity outside of KSA unless this is a necessity related to a threat to life or is required by an agreement to which the Kingdom is a party. Therefore, the companies will have to receive a permit from the competent authority for any cross-border data transfers.

8. Security. The PDPL obliges organizations to take all necessary organizational, administrative, and technical measures to ensure the preservation of sensitive data. This includes vendors' assessment obligation when choosing a third-party company for data processing.

Steps to comply with the PDPL

1. Revise your data inventory and classify sensitive data. Find out more about Zecurion Data Classification here.
2. Appoint a cybersecurity representative in Saudi Arabia if needed.
3. Create and timely update transparent data protection policies.
4. Have a clear incident response plan.
5. Scan and track data processing activities, have all required reports ready, and use all needed technical measures to protect sensitive data.

How Zecurion can help

It is crucial to have mature DLP features in place to ease the cybersecurity team load. Zecurion User Connection Map, Discovery, UBA, and risk-based assessment will predict and prevent PDPL violations before they become a problem.