What is the PDPL?
The Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia (KSA) is a key piece of legislation designed to regulate the handling and protection of personal data, inspired by global standards such as the General Data Protection Regulation (GDPR). The PDPL aims to safeguard individuals’ privacy by imposing stringent rules on how personal data is processed, stored, and transferred. It extends both to entities within KSA and to entities outside KSA that handle the personal data of individuals residing in the Kingdom.
Why is the PDPL Changing?
The PDPL has been updated to address the evolving landscape of data protection and privacy. The new amendments, introduced via Royal Decree No. M/148, seek to strengthen data protection mechanisms, enhance compliance requirements, and streamline cross-border data transfers. This evolution aligns with global practices while addressing specific needs within KSA.
When is the Change Coming into Effect?
The updated PDPL became effective on 14 September 2023. Businesses were granted a 12-month period to comply, so the deadline was extended to 14 September 2024. This timeframe allows organisations to adjust their practices and ensure full adherence to the new regulations.
Key Points Organisations Should Know Before Complying with the PDPL:
1. Scope of the PDPL: Applies to any entity processing personal data within KSA, and to entities outside KSA processing data concerning KSA residents. It includes data about deceased individuals if it could identify them or their relatives.
2. Cross-Border Data Transfers: Transfers outside KSA are restricted and must comply with certain conditions, including using standard contractual clauses or obtaining certifications of compliance. The PDPL prohibits transfers that may harm national security or violate other KSA laws.
3. Data Protection Officers (DPOs): Appointing a DPO is mandatory for certain organisations, particularly those processing data on a large scale or handling sensitive data. The Saudi Data & AI Authority has published guidance on a series of policies and regulations (not an exhaustive list), including a revised Data Transfer Regulation, guidelines for appointing DPOs, SCC, BCR, RPAs, and privacy policy standards. The full set of policies and regulations is available from the Saudi Data & AI Authority.
4. Data Breach Notifications: Businesses must notify both the Saudi Data & AI Authority (SDAIA) and affected individuals within specified timeframes if a data breach occurs.
5. Penalties for Non-Compliance: Severe penalties include fines of up to SAR 5 million (approximately USD 1.3 million) for non-compliance, with additional criminal penalties for intentional unlawful disclosure of sensitive data.
Step-by-Step Action Plan for Compliance:
1. Conduct a Compliance Audit: Review current data processing activities to ensure they align with the PDPL requirements.
2. Review Data Protection Policies: Update or establish comprehensive data protection policies and procedures that comply with PDPL standards.
3. Appoint a Data Protection Officer (DPO): Designate a DPO to oversee compliance, especially if handling large-scale data processing or sensitive data.
4. Train Staff: Implement training programs to ensure all employees understand their roles and responsibilities under the PDPL.
5. Prepare for Financial Implications: Assess potential financial risks associated with non-compliance and put measures in place to mitigate these risks.
6. Monitor and Adjust: Stay informed about any updates or additional guidelines issued by the SDAIA and adjust practices as necessary.
Tenintelligence Thoughts
The role of a Data Protection Officer (DPO) is critical in navigating the complexities of the PDPL.
A DPO not only ensures that an organisation’s data handling practices comply with legal requirements, but also serves as a key resource in implementing and maintaining data protection policies. A DPO can assist with the compliance audit, guide the development of data protection procedures, oversee staff training, and manage data breach notifications. By appointing a DPO, organisations can effectively address regulatory requirements, protect their data subjects, and mitigate the risks associated with data processing.
Contact us for further guidance on how to tailor and implement these policies and procedures.
Written by Lynsey Hanson