Saudi Arabia PDPL Compliance: How to Prepare

The Saudi Arabia Personal Data Protection Law (PDPL) was created to protect the privacy of individuals and businesses in the Kingdom of Saudi Arabia (KSA). The law applies to any entity operating in Saudi Arabia and holds data controllers and data processors responsible for protecting the personal data of individuals and businesses.

What is the Saudi Arabia Personal Data Protection Law?

The PDPL is the first-ever comprehensive data protection law in the KSA. The  Saudi Arabia Personal Data Protection Law (PDPL) aims to protect individuals’ personal data privacy and regulate organizations’ collection, processing, disclosure, or retention of personal data.

The PDPL provides comprehensive requirements related to processing principles, data subjects’ rights, organizations’ obligations while processing the personal data of individuals, and cross-border data transfers mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL.

PDPL vs GDPR

Since its passing in 2016, the General Data Protection Regulation (GDPR) has influenced many of the subsequent legislation for data privacy, protection, and governance. When comparing the PDPL and the GDPR, you can see that the core of both laws are similar, however, several key differences should be noted between the two.

The UAE data protection law does not provide as much information about how data subjects can enforce their rights. Additionally, the PDPL imposes stricter restrictions on organizations that want to transfer personal data out of Saudi Arabia. Other differences include the registration obligations for data controllers and the PDPL’s greater emphasis on consent as a precondition for lawful data processing.

More clarity on the requirements of the PDPL is expected to be added through the release of the Executive Regulations. The draft of these regulations was made available for public review on March 10, 2022, and the final version is expected to be published prior to the law’s effective date in 2023.

PDPL Executive Regulations

KSA PDPL executive regulations cover a wide range of data protection initiatives, including:

• Regulatory Authority: Any government authority or any entity that has independent public personality and has, in accordance with its powers and responsibilities, regulatory or oversight duties and responsibilities over a certain sector or activity in the Kingdom.
• Direct Marketing: Communication, by any means, with a person or a group of persons, aiming to send marketing, advertising, or awareness-raising material to such person or group.
• Practical Need: Actual need for processing personal data, with fairness and integrity and without conflicting with the rights and expectations of the Personal Data Subject.
• Personal Data Breach: Any act in any manner that leads to illegal disclosure of Personal Data, whether it is intentional or not.
• Risks and Impact: The possibility that Personal Data Subjects may suffer damage due to the processing of their Personal Data and the impact of such risk.
• Anonymization: Removing any direct or indirect characteristics from the Personal Data that may make the Personal Data Subject specifically identified.
• Transfer of Personal Data to outside the Kingdom: Sending or sharing Personal Data, by any means, to or with an entity outside the Kingdom, in order to process such Personal Data fully or partially, for specific purposes based on legal justification or Practical Need.
• Implied Consent: Consent that is not given Explicitly by the Data Subject or the authorized person, but given implicitly through the person’s actions and the facts and circumstances of the situation

Processing PDPL Data

The PDPL only applies to data controllers and processors who are established in the Kingdom of Saudi Arabia or who process the personal data of individuals in the KSA. However, the law also applies to data controllers and processors operating outside the country if they process the data of individuals in the KSA.

The PDPL sets some critical principles that data controllers and processors must adhere to, including:

• Data controllers and processors must obtain consent from an individual before collecting, using, transferring, or storing personal data.
• Explicit consent is needed to process sensitive data for marketing and advertising purposes.
• Personal data must be collected and used for legitimate purposes only.
• Data controllers and processors must ensure that personal data is accurate, relevant, and up-to-date.
• Personal data must be kept secure and not disclosed to any third party without the individual’s written consent.
• Data controllers and processors must delete any personal data that is no longer needed.
• Data controllers and processors must provide individuals with information about how their data is being used.
• Controllers may not use personal communications (including post and email) to send advertising or informational materials to a Personal Data Subject without their prior consent.
• Controllers must provide clear opt-out mechanisms.

PDPL Consumer Rights

Article 4 of the proposed amendments to the PDPL created actionable data rights for Saudi Arabian citizens (data subjects), including but not limited to the right to access, right to correct, and right to delete. Additionally, the PDPL doesn’t allow the processing data to change without the consumer’s consent. But similar to the GDPR, consumers may also withdraw consent (without exceptions).

• Right to Be Informed: consumers need to be informed of the legal basis and purpose for using personal data.
• Right to Access: Consumers can request their information and have the right to know how the data is collected, stored, processed, and shared.
• Right to Correct: Consumers can request updates and corrections from the controller. However, the controller must also notify all parties that have received the information to correct, complete or update the personal data.
• Right to Destruction: Consumers can request deletion, with exceptions, for example, if the data is necessary for a legal purpose and only retained for a certain period. In addition, controllers may retain Personal Data after the Collection purpose no longer exists if they remove identifying factors from the Personal Data.
• Right to Obtain: Consumers have the right to obtain their personal data in a clear and concise format, including the right to request data transfer.

Record of Processing Activities

Under the PDPL, organizations must keep a record of the personal data processing activities, so that the documented records are available whenever requested by the Authority. The records should contain the following information at a minimum:

• The purpose of the Processing
• A description of the categories of Data Subjects;
• The contact details of the organization
• Any other entity to which Personal Data has been/will be Disclosed.
• Whether the Personal Data has been/will be transferred or disclosed outside of KSA;
• The expected period for which Personal Data shall be retained.

Privacy Risk Assessments

Under the PDPL, organizations are required to conduct a privacy risk assessment for processing personal data in any consumer-facing product or service. In cases necessitating a risk impact assessment, additional mandatory details must be provided, such as the types of sensitive data involved or a description of automated processing activities.

Data Minimization

There is guidance on adhering to the PDPL’s requirement that personal data collection be strictly limited to what is necessary for a specific purpose, avoiding data collection for unspecified future use. These guidelines outline key principles for controllers, covering the entire data lifecycle from collection to destruction. Organizations must establish a legitimate need for the data, use clear and secure collection methods, and securely dispose of data once it is no longer required. Additionally, controllers are expected to regularly assess their data holdings and ensure processing activities are structured to prevent unnecessary data collection.

Destruction, Anonymization, and Pseudonymization

The PDPL requires that personal data must be destroyed, including upon a data subject’s request or withdrawal of consent. It mandates that controllers follow strict procedures to ensure all copies, including backups, are permanently erased and that any recipients of the data do the same. Additionally, leveraging effective anonymization and pseudonymization techniques—such as data masking, encryption, generalization, and aggregation—serve as essential safeguards for protecting personal data.

Data Breaches

The PDPL requires organizations to put in place appropriate safeguards to protect personal data from unauthorized access, disclosure, and use. In addition, the law sets out strict data breach notification requirements that organizations must comply with in the event of a data breach.

The PDPL requires that organizations notify the regulatory authority within three days of the breach. Additionally, organizations must provide a full beach analysis and show steps toward future accountability.

If an organization becomes aware of a breach that is capable of causing harm to an individual, that person must be notified in accordance with PDPL notification requirements.

Data Transfer & Sharing

SDAIA has optimized the data transfer framework to better align with global standards like the GDPR. Organizations must implement appropriate safeguards when transferring personal data to countries that SDAIA has not recognized as having an adequate level of data protection.

Transfers of personal information in and out of Saudi Arabia under the PDPL are as follows:

• Data transfers are permitted to a third party subject to legal or corporate data protection rules similar to the PDPL.
• Certain types of transfer are exempt from the conditions, such as when an individual has consented to the transfer or where the transfer is necessary to fulfill an agreement.
• Article 4 states that controllers must implement safeguards for the transfer of personal data, such as standard contractual clauses, binding common rules, and certificates of accreditation.
• Article 4 provides that controllers relying on the appropriate safeguards available will be exempt from the obligation of transferring the minimum amount of personal data needed.
• Data disclosures and transfers are limited to the minimum personal data required.
• Data transfers must preserve the interest, health, safety, or protect the life or health of a specific person
• Data transfers must not adversely affect the national security or vital interests of the Kingdom of Saudi Arabia.

KSA PDPL Enforcement

According to Article 20(1) of the PDPL, controllers are obliged to notify the relevant authority if they become aware of a data security breach. The executive regulations will specify the conditions under which controllers must inform data subjects of a breach of their personal data.

However, if the breach is likely to cause significant harm to the individual or their personal data, the controller must promptly notify them of the breach, as outlined in Article 20(2) of the PDPL. UAE PDPL executive regulations enforce penalties for disclosure or publication of sensitive personal data that can include imprisonment for up to two years and/or a fine not exceeding SAR 3 million.

The penalty in relation to violations of the data transfer provision in Article 29 of the PDPL may result in imprisonment for up to one year and/or a fine not exceeding SAR 1,000,000. For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5,000,000.

Achieve PDPL Compliance with BigID

Ultimately, the PDPL is designed to help protect the privacy of individuals in the Kingdom of Saudi Arabia, and to ensure that businesses who process personal data are held accountable for how they use it. If you’re collecting, using, transferring, or storing personal data in Saudi Arabia, then it’s important to ensure that you comply with the PDPL.

With BigID, companies can avoid penalties and get ahead of PDPL compliance challenges:

• Discover data: Identify personal data and classify sensitive data.
• Contextualize data: Correlate relationships between data by bringing context to personal data and sensitive data.
• Label and tag data for legal purposes: Ensure data is being processed in agreement with privacy regulations.
• Document record of processing activities: Manage a Record of Processing Activities (RoPA) to assess data assets, protection, breach status, location, PIA, data sharing, and transfers
• Detect out-of-policy, cross-border data transfers: Track data access, usage, and transfer violations across the organization for immediate action.
• Automate data rights fulfillment: Automate manual fulfillment of individual data access and deletion requests.
• Capture consent: Automate consent and preferences lifecycle across channels, systems, and applications across the environment, including consent for cookies, ad targeting, email, direct marketing, and personal and sensitive data processing.
• Manage data risk: Discover, classify, and map data to apply controls for breach risk reduction and fulfill privacy impact assessments (PIA).
• Minimize duplicate or sensitive data: Enable data minimization with duplicate identification and apply retention rules based on a legal purpose.
• Report on data risk: Enable correction workflows and validate whether sensitive data is being captured.
• Integrate with applications: Seamlessly extend and enrich existing security, privacy, management, and compliance solutions and workflows, including Nafath.

Any organization processing the personal data of Saudi Arabia residents should ensure they’re in compliance with PDPL and pay close attention to any updates released from regulators over the next few months.

See how BigID can help you ensure your organization’s compliance with PDPL.