PDPL Compliance


What is the PDPL?

Saudi Arabia's new Personal Data Protection Law (PDPL) is focused on enhancing data privacy and protection within the kingdom. The PDPL aims to protect the privacy of individuals' personal data and regulate the practices of organizations involved in its collection, processing, disclosure, and retention. Initially managed by the Saudi Data and Artificial Intelligence Authority (SDAIA), the law's supervision might transfer to the National Data Management Office.

The PDPL aligns with Saudi Vision 2030, which focuses on advancing digital infrastructure and innovation for a thriving digital economy. The PDPL addresses the fundamental aspects of data protection, including data processing principles, the rights of data subjects, organizational obligations, and penalties for noncompliance.

Who must comply with the PDPL?

The PDPL's applicability is based on the jurisdiction and data type:

  • Material scope: The processing of the personal and sensitive data of individuals in Saudi Arabia, excluding personal data processed for non-business purposes
  • Territorial scope: Both public and private entities processing personal data within Saudi Arabia as well as foreign organizations processing data related to Saudi residents

Consequences of PDPL noncompliance

Noncompliance with the PDPL carries severe penalties:

  • Individuals involved in unauthorized data transfers to outside the kingdom may face imprisonment for a maximum of one year and/or a fine amounting to SAR 1 million (USD 267,000).
  • The disclosure of sensitive data carries even more severe penalties, leading to imprisonment for up to two years and/or a fine of SAR 3 million.
  • SDAIA possesses the power to levy fines of up to SAR 5 million.

PDPL requirements for compliance

Under the PDPL, controlling authorities or data controllers bear the obligation to ensure the accuracy, completeness, and relevance of personal data prior to processing.

1. Consent requirements

Organizations must secure explicit consent from owners before processing personal data, excluding cases detailed in SDAIA's Implementing Regulations. Individuals must provide consent willingly for each distinct purpose of data processing. The ability to withdraw this consent at any time is a fundamental right, and accessing services should not require providing consent unless they are directly tied to the processing involved.

Exceptions to the consent requirements include scenarios where processing yields clear benefits and contacting the data subject is impractical; legal requirements or prior agreements; public entity security or judicial purposes; scientific, research, or statistical data collection in compliance with the law; and processing necessary for legitimate interests. These exceptions do not apply to sensitive personal data.

2. Privacy policy creation

Organizations must adhere to the PDPL by adopting a concise privacy policy that is accessible to data subjects before their data is collected. The policy should detail the purpose, content type, collection, storage, processing, and destruction of data, along with the owner's rights and how to exercise them.

When directly collecting data, organizations must inform subjects about the legal justification, collection purpose (mandatory or optional), collector identity (unless for security), entities that data will be disclosed to, potential consequences of incomplete data collection, data subject rights, and other relevant elements according to regulations based on the organization's activity.

3. Essential security standards

The PDPL underscores the significance of security by compelling organizations to implement essential organizational, administrative, and technical measures for preserving personal data integrity, especially during its transfer. Compliance with the provisions and controls outlined in SDAIA's Implementing Regulations and Personal Data Transfer Regulations is essential in this regard.

4. Data breach disclosure guidelines

In the event of a data breach, the PDPL mandates that organizations notify the supervisory authority within 72 hours of detection. In cases where the breach poses a significant risk to data subjects' personal data, immediate notification is mandatory. Additionally, the data controller is responsible for furnishing the relevant data protection officer's contact information for inquiries regarding the compromised data.

5. An obligation to appoint a data protection officer

The appointment of individuals to oversee the implementation of data protection measures is a mandatory requirement for organizations. The Implementing Regulations provide guidance on the criteria for these appointments and outline the specific responsibilities assigned to the data protection officer.

6. Impact assessments for data protection

It is essential for organizations to assess the potential risks associated with processing personal data, particularly for products or services available to the public. The Implementing Regulations further detail this obligation by specifying the minimum of informational prerequisites for the execution of data protection impact assessments.

7. Processing activity records

Entities are required to document their data processing activities and retain these records for five years after the processing period. These records must include the:

  • Organization's contact details.
  • Objectives for processing personal data.
  • Types of data subjects.
  • Recipients of personal data disclosures.
  • International data transfers or disclosures.
  • Expected personal data retention time frame.

8. Third-party vendor evaluation

Organizations must carefully select data processors who can provide adequate assurances for adhering to PDPL regulations. Organizations must also consistently verify that the selected entities comply with their instructions concerning the protection of personal data.

9. Cross-border data transfer conditions

Under the PDPL, personal data can be transferred outside of Saudi Arabia provided that the destination countries maintain sufficient data protection measures. SDAIA assesses countries, organizations, and sectors according to the Personal Data Transfer Regulations, emphasizing criteria like protective laws, a supervisory authority presence, and accessible channels for data subject complaints.

10. Registration in the national register of controllers

SDAIA is preparing to issue directives for the registration process in the national register of controllers, outlining the controllers that must comply with this requirement as stipulated by the Implementing Regulations. Earlier, cross-border data transfers were restricted to special cases, like the urgent protection of a data subject's vital interests, with each transfer requiring individual SDAIA approval after a case-by-case review.

Rights of data subjects under the PDPL

The PDPL grants data subjects key rights as stated below. The data controller must inform users of these rights, establish channels for users to exercise their rights, and respond to requests within 30 days, a shorter time frame than that required by the GDPR.

  • The right to know: This encompasses providing an understanding of the legal or functional basis for processing data.
  • The right to access personal data: This involves allowing data subjects to access personal data and receive a free copy of it.
  • The right to request personal data correction: Individuals have the right to request changes to their personal data if it is found to be inaccurate or incomplete.
  • The right to request personal data destruction: Individuals can seek the deletion of their personal data.

The PDPL roadmap

Organizations must diligently follow these guidelines to ensure compliance with the PDPL of Saudi Arabia:

  • Understand PDPL requirements: Become familiar with the scope and obligations of the PDPL, which applies to all entities handling the personal data of Saudi residents.
  • Obtain consent and provide privacy policies: Secure explicit consent for data processing and inform individuals about how their data is used.
  • Report data breaches: Notify the authorities and affected individuals in the event of data breaches or unauthorized access.
  • Adhere to data processing principles: Follow the principles of data accuracy, security, and individual consent, especially for sensitive data.
  • Respect data subjects' rights: Ensure individuals' rights to access, correct, delete, and transfer their data.
  • Maintain processing records: Keep detailed records of data processing activities, including purposes and retention periods.
  • Conduct privacy risk assessments: Assess the risks associated with personal data processing for all your services and products.
  • Implement data protection safeguards: Protect personal data from unauthorized access and comply with data breach notification requirements.
  • Regulate data transfers: Ensure that data transfers comply with PDPL standards, including obtaining consent and minimizing the amount of data transferred.
  • Stay informed and use technology aids: Keep up to date with PDPL changes and leverage technology to secure data and ensure ongoing compliance.

Best practices for PDPL compliance: A checklist

  • Accountability: Ensure that the entity head or their designee bears the responsibility for upholding the privacy policies and procedures as the data controller.
  • Transparency: Create a clear, comprehensive privacy notice as it is crucial for providing information on the purposes of collecting personal data.
  • Choice and consent: Gain prior, explicit consent as a prerequisite before collecting, using, or disclosing personal data.
  • Data minimization: Strive to limit data collection to the bare minimum necessary to fulfill the intended purposes.
  • Purposeful use, retention, and destruction: Utilize, retain, and destruct personal data strictly for the intended purposes and always in compliance with the relevant laws and regulations.
  • Access to data: Empower data subjects to review, update, and correct their personal information.
  • Data disclosure limitations: Limit disclosure strictly to the purposes outlined in the privacy notice and authorized by the data subject.
  • Data security: Implement robust security measures in accordance with national cybersecurity authority directives to defend personal data against potential vulnerabilities, encompassing risks such as leakage, damage, loss, theft, misuse, or unauthorized access.
  • Data quality: Regularly verify data to maintain accuracy and timeliness.
  • Monitoring and compliance: Continuously oversee and comply with privacy policies and resolve related issues and disputes.

The PDPL: Key rules to consider

PDPL requirement Requirement description
Article 19 - Information security The controller shall apply organizational, administrative, and technological means and measures to ensure the privacy of personal data subjects at all the stages where their personal data is dealt with, used, and transferred.
Article 23 - Controls and procedures for dealing with health data The controller is responsible for implementing a range of organizational, technological, and administrative strategies and safeguards to ensure the protection of health data. These measures are designed to prevent unauthorized use, misuse, or use beyond the original purposes of collection as well as to safeguard against data breaches or destruction—all while maintaining the confidentiality of health data.
Article 24 - Controls and procedures for dealing with credit data The controller must adopt appropriate organizational, technological, and administrative strategies to secure credit data from any unauthorized utilization, misuse, unauthorized access, use for unintended purposes, breaches, and destruction

Achieve PDPL compliance with EventLog Analyzer

EventLog Analyzer is an IT compliance and log management solution that helps enterprises comply with PDPL requirements through its real-time monitoring and incident reporting capabilities. The solution detects suspicious activities and provides in-depth insights into security incidents. This empowers organizations to take a proactive approach to PDPL-related security threats.

The automated alert system ensures a swift response to potential compliance issues by delivering real-time alerts via SMS and email upon detection of PDPL violations. This proactive alert mechanism not only aids in compliance but also strengthens the organization's overall security posture. You can schedule a demo to see how EventLog Analyzer simplifies compliance.

Source: https://sdaia.gov.sa/en/Research/Pages/DataProtection.aspx