Privacy and Data Protection in the Kingdom of Saudi Arabia


In September 2021, the Kingdom of Saudi Arabia (KSA) issued its Personal Data Protection Law (PDPL) to regulate the processing of personal data. The PDPL is the first standalone data protection law of its kind in KSA and bears many similarities to the European Union's (EU) General Data Protection Regulation (GDPR) when it comes to data owner rights and data controller responsibilities.

For the first two years, the authority responsible for implementing the law will be the Saudi Data & Artificial Intelligence Authority (SDAIA). After that, the function is set to be delegated to the National Data Management Office (NDMO), which sits under SDAIA.

The PDPL was set to come into effect 180 days after the original announcement—meaning the law would be effective March 23, 2022—but was postponed to March 17, 2023 based on feedback received by the authority during a public consultation on the draft. 

Personal Data Protection Law (PDPL) at a glance 

In terms of scope, the PDPL applies to any processing of personal data carried out in KSA by businesses or public entities, by any means whatsoever, and also to the processing of KSA residents' personal data by entities located outside Saudi Arabia. The PDPL grants many familiar rights to data owners, including:

  • a right to be informed 
  • a right to access the data collected about them 
  • a right to request correction, completion, and/or updating of their personal data 
  • a right to request the deletion of their data 

The main basis for processing personal data under the PDPL is the consent of the data owner, which may be withdrawn at any time. At the time of writing it is understood that consent must be an explicit opt-in. Consent is not required if the processing serves a clear interest of the data subject and it is impossible or impractical to contact them, if the processing is required by another law or by a prior agreement to which the data subject is a party, or if the controller is a public entity and the processing is required for security or judicial purposes. So nothing too surprising so far, but where the legislation takes a different direction is on data transfers and enforcement.

The PDPL prohibits data controllers from transferring personal data to an entity outside of KSA unless the transfer is required to comply with an agreement to which KSA is a party, serves KSA interests, or falls under other purposes that will be set out in the regulations. Feedback on this point is the main reason for the delay in the legislation going live; it almost certainly means there will be additional exceptions, but what they are and how to qualify for one is yet to be confirmed.

Data controllers will also be required to register with, and pay a fee to, SDAIA (up to SAR 100,000, roughly USD 27,000 at the riyal's fixed peg of SAR 3.75 to the dollar). In addition, data controllers will be required to upload a record of processing activities to a new online portal. The record must include the purpose of the processing, the entities to which the personal data was or will be disclosed, whether the personal data was or will be transferred outside of KSA, and the expected retention period.

Under the new law there are some serious penalties for non-compliance:

  • The unlawful disclosure or publication of sensitive data can lead to imprisonment for up to two years and/or a fine of up to SAR 3,000,000 (roughly USD 800,000).
  • Failure to comply with the requirements relating to transfers of personal data outside KSA can lead to imprisonment for up to one year and/or a fine of up to SAR 1,000,000 (roughly USD 267,000).
  • Both of the above are criminal offenses and would be investigated by the KSA Public Prosecution.
  • Failure to comply with any other requirement of the legislation can lead to a warning or a fine of up to SAR 5,000,000 (roughly USD 1,333,000).
  • Repeat offenses can attract up to twice the maximums outlined above, for both the length of imprisonment and the fine amount.

While it's not certain who would be imprisoned in the case of a breach, I'd be more than mildly concerned if I were the DPO of an international organization doing business in KSA in 2023.

Additional highlights from the PDPL

The PDPL introduces a number of requirements that could significantly impact how companies operate in KSA including:

  • Data controllers must create and maintain a record of how they process personal data, and that record must be registered with SDAIA.
  • Any foreign company operating in the Kingdom and processing personal data of Saudi residents must appoint a local representative; additional guidance on this point is in the works.
  • Organizations will also be expected to appoint data protection officers to manage compliance with the law.
  • Data controllers must assess projects, products, and services to identify the data protection risks they pose to individuals (in effect, data protection impact assessments).
  • Data controllers must publish a privacy notice specifying how data will be processed before collecting personal data from individuals.
  • Data controllers will be expected to report data breaches to the regulatory authority as soon as they become aware of an incident.
  • Genetic, health, credit, and financial data are deemed sensitive data; they fall within the scope of the law and are likely to be subject to additional regulation.

What does this mean for you or your business?

Organizations operating in KSA should begin efforts to understand what personal data they collect, how it's used, whether it is transferred internationally, and where it is transferred to. If your organization is already subject to privacy legislation in the EU or elsewhere, this data mapping should be complete or at least well under way. Beyond that, keep a close eye on the additional guidance that is sure to be forthcoming; bookmark this article, as we'll be adding updates here as they come. If you're not sure where to start in creating your privacy strategy, we're here to chat.

Originally Published: November 29, 2022