Hala Harb

Senior Associate hala.harb@bsalaw.com

Jana Mrad

Associate jana.mrad@bsalaw.com

As of September 14, 2024, the Personal Data Protection Law (“PDPL”) in Saudi Arabia is officially enforceable, indicating a new era for data privacy in the Kingdom. This pivotal moment not only solidifies the framework for protecting personal data but also presents organizations with critical questions about compliance and operational adjustments.

In the wake of this enforcement, the Saudi Data and AI Authority (“SDAIA”) has introduced essential regulations and guidelines. These developments signal a robust commitment to data privacy, but they also pose significant challenges for organizations navigating this evolving landscape.

What does this mean for your organization? Understanding the implications of the PDPL and the subsequent regulatory updates is vital for ensuring compliance. Let’s explore certain key updates and actionable steps you need to take to adapt to this new regulatory reality.

Data Transfers Outside Saudi Arabia

SDAIA has issued a separate Regulation on Personal Data Transfer Outside the Kingdom. This regulation specifies the safeguards required for data transfers in the absence of an adequacy decision. These safeguards include the use of standard contractual clauses (“SCC”), binding common rules (“BCR”), and approval certificates. Additionally, SDAIA has published guidelines on BCR and SCCs for managing data transfers.

BCRs are internal policies adopted by multinational companies to facilitate cross-border data transfers within the same corporate group. SCCs, on the other hand, are pre-approved contract templates that ensure adequate protection for data transfers to countries without an adequacy decision.

These safeguards are applicable in specific cases as outlined in the regulations, such as limited and non-recurring transfers, or transfers within multinational groups for central operations.

Now what? Organizations must proactively assess their data transfer practices in light of these new regulations. This means reviewing current data transfer mechanisms and determining whether SCCs or BCRs are applicable to their operations. Compliance with these regulations is crucial, especially as the list of countries deemed adequate for data transfers is still forthcoming. By taking immediate action to understand and implement these safeguards, organizations can better navigate the complexities of international data transfers and reinforce their commitment to data protection.

Appointing a Personal Data Protection Officer (“DPO”)

SDAIA has also issued new rules outlining the requirements for appointing a DPO. Under these guidelines, a data controller is obligated to appoint a DPO in certain circumstances. These include cases where the controller is a public entity that processes personal data on a large scale, where the core activities involve processing operations requiring regular and systematic monitoring of data subjects, or where the processing of sensitive personal data is central to the controller’s operations. In any of these situations, appointing a DPO is mandatory.

The entities appointing a DPO are required to provide SDAIA with the DPO’s contact details upon appointing them through the National Data Governance Platform. They are also required to provide a clear and accessible means of communication for data subjects.

For those organizations that fall under these criteria, immediate steps must be taken to appoint a qualified DPO and to communicate this decision to SDAIA through the National Data Governance Platform. Furthermore, organizations must establish a clear and accessible means of communication for data subjects to ensure their rights are upheld. As we move forward, addressing these requirements is essential for compliance and will significantly contribute to fostering a culture of data protection within the organization. Organizations should prioritize this appointment as part of their broader strategy to meet PDPL requirements, enhance their compliance posture, and build trust with stakeholders.

Registration in the Controller National Registry

For SDAIA to monitor controllers’ compliance with the PDPL and its implementing regulations in KSA, controllers are required to register in the Controller National Registry Platform (the “Platform”). This registry includes public, private, and individual controllers within KSA who process personal data. Its primary purpose is to monitor, follow up, and support controllers in enhancing their compliance with the provisions of the PDPL and related regulations, as well as to provide services related to personal data protection.

A controller is required to register on the Registry if:

  • the controller is a public entity;
  • the controller’s main activity is based on personal data processing;
  • the controller is processing sensitive data; and/or
  • the controller is an individual who processes personal data for purposes exceeding personal or family use.

When registering, controllers must provide their data, as well as their representatives’ information (if applicable). If a DPO is appointed, the controller is also required to register the DPO’s details on the Platform. Upon successful registration, a certificate will be issued, which will be valid for a maximum of five years.

The Platform offers a range of services to help controllers and their representatives protect data and uphold individuals’ rights against unlawful violations. These services include (i) a Personal Data Breach Notification Service, (ii) a Privacy Impact Assessment Service, (iii) a Legal Support Service, and (iv) Compliance Assessment Services.

It is important to note that for controllers located outside the Kingdom, SDAIA will issue separate registration guidelines to ensure compliance with the PDPL and its implementing regulations.

In practice, this registration requirement will push organizations to closely examine their data handling practices and ensure they comply with the PDPL. By registering, controllers confirm their commitment to data protection and gain access to valuable resources and support services. This not only helps them improve their data governance but also strengthens their overall compliance efforts.

Penalties

With the coming into force of the data privacy framework, organizations are now very much aware of the financial penalties under the PDPL. Non-compliance can lead to fines of up to $1.3 million, which may be doubled for repeat offenses. Furthermore, severe violations, particularly those involving the unauthorized disclosure of sensitive personal data, could result in imprisonment. The implications extend beyond monetary penalties; companies may face confiscation of funds acquired through violations and potential compensation claims from affected individuals.

While the potential fines for non-compliance can be a strong motivator, it is important for organizations to see the bigger picture: adhering to the PDPL is not just about avoiding penalties; it is also about safeguarding your company’s reputation and building trust with customers and stakeholders. By prioritizing compliance with data privacy laws, businesses can position themselves to attract clients from countries with stricter and established data protection regulations.

As Saudi Arabia moves into a new era of data protection with the enforcement of the PDPL, organizations must recognize that compliance is not merely a checkbox exercise but a fundamental shift in how they manage personal data. The regulations surrounding data transfers, the appointment of a DPO, registration with the national registry of controllers, and the penalties for non-compliance are all critical components of this new framework.

The stakes are high, and the landscape is continually evolving. By embracing these changes and embedding data protection into the organizational culture, companies can not only avoid penalties but also enhance their reputation and build trust with customers and stakeholders.