Preparing Organizations for Saudi Arabia’s New Data Protection Law

Author: Bassel Kablawi, CISM, CDPSE, COBIT Foundation, ITIL v3
Date Published: 1 November 2022

Technologies are constantly evolving, more devices are being connected to the global network, data are becoming more valuable than ever, and countries are taking data privacy more seriously by writing data protection into their legislative agendas.

Saudi Arabia announced its first data privacy law, the Personal Data Protection Law (PDPL), in 2021.1 In addition, a draft version of the executive regulations supplementing the PDPL, which adds significant detail to the PDPL, was issued for public consultation on 10 March 2022.2 The PDPL will take effect on 17 March 2023.

Like many other data privacy laws around the world, the PDPL appears to be modelled on the EU General Data Protection Regulation (GDPR),3 but it differs in its fines, notification requirements, data transfer rules and other details. Management and the people who handle personal data directly, especially those who work in cybersecurity and data privacy, need to understand how to prepare for the PDPL by creating the policies, procedures and controls required to ensure the confidentiality, integrity and availability (CIA) of the data. It is also crucial for legal professionals to understand the PDPL so they can handle disputes and enforcement actions in the event of noncompliance.

Which Entity Supervises the PDPL?

For the first 2 years, the PDPL will be supervised by the Saudi Data and Artificial Intelligence Authority (SDAIA). After that, supervision may be transferred to the Saudi National Data Management Office (NDMO), depending on the results of applying the provisions of the PDPL and its implementing regulation and on the level of maturity reached in the data sector.4

Organizations that have to apply the PDPL also need to coordinate with sector regulators, such as the Saudi Central Bank and the Saudi Communications and Information Technology Commission, depending on their business and industry.5

Which Organizations Have to Comply With PDPL?

Any public or private organization that processes, by any means, personal data relating to individuals in Saudi Arabia must comply with the PDPL. This includes processing, by any means and from any party outside the country, of personal data relating to individuals who reside in Saudi Arabia. For example, an organization that is not established in Saudi Arabia is still affected by the PDPL if it sells goods or services to Saudi Arabia-based customers. In other words, the PDPL has extraterritorial effect: organizations based outside Saudi Arabia are subject to the law and its requirements if they process the personal data of residents of Saudi Arabia. In this respect, the territorial scope of the PDPL is quite similar to that of the GDPR.

Any foreign organization operating in Saudi Arabia or processing the personal data of residents of Saudi Arabia must appoint a local representative. More guidance regarding when this requirement will become effective is expected in forthcoming executive regulations. Organizations will also be expected to appoint data officers to manage compliance with the law.6

The Information Protected by the PDPL

The main purpose of the PDPL is to protect individuals' personal data privacy and to regulate the data life cycle within organizations (i.e., collection, storage, use, processing, retention, disposal). The data it covers include:

  • Personal data—Any type of data that would lead to the direct identification of an individual or make it possible to identify individuals indirectly, including name, personal identification number, addresses, contact numbers, license number records, personal property information, bank account numbers, credit card numbers, photos or videos of an individual and other data of a personal nature7
  • Sensitive data—Any personal data that reveal an individual's ethnic or tribal origin or religious, intellectual or political beliefs, or indicate an individual's membership in civil associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data indicating that an individual's parents, or one of them, are unknown8
  • Genetic data—Every personal statement related to the genetic or acquired characteristics of a natural person that uniquely identifies the physiological or health characteristics of that person or are extracted from the analysis of a biological sample of the person, such as the analysis of DNA or any other sample that leads to the extraction of genetic data9
  • Health data—Every personal statement related to an individual's health condition, whether physical, mental, psychological or related to their health services10
  • Credit data—Every personal statement related to an individual's request for financing, whether for a personal or family purpose, from an entity that practices financing, including any statement relating to the individual’s ability to obtain credit, ability to meet it or credit history11

How to Prepare an Organization for the PDPL

For organizations that need to comply with PDPL, there are 3 phases that should be followed to prepare for the PDPL.

Phase 1: Getting Ready
Organizations that have to comply with the PDPL must register in the electronic portal that will form a national register of controllers in Saudi Arabia.12 An organization that operates outside Saudi Arabia and processes the personal data of Saudi Arabia residents must appoint a representative in Saudi Arabia whom the regulatory authority can contact regarding compliance with the applicable laws.

Organizations should read the law document and the drafted executive regulation cover-to-cover to understand the details of the law. They should also reach out to legal consultants for advice.

Finally, organizations should establish a data privacy department led by privacy experts who hold globally recognized privacy certifications such as the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) certification,13 ISACA's Certified Data Privacy Solutions Engineer® (CDPSE®) certification14 and the PECB Certified Data Protection Officer (CDPO) certification.15 This department is responsible for implementing the data privacy program and represents the organization's commitment to protecting the personal data it manages. It can also take the initiative by coordinating with the supervising entity to demonstrate the organization's intent to comply with the PDPL.

Phase 2: Data Privacy Program
An effective data protection program minimizes an organization's sensitive data footprint and keeps business-critical and regulated data secure and out of the reach of unauthorized parties. If a breach does occur, a data protection program reduces the impact by enabling the affected data to be restored securely.

Data Classification and Data Mapping
How can an organization protect what it does not know it has? Data classification helps an organization understand what types of data it handles and which critical data need stricter security controls. Data mapping is the practice of cataloguing the data an organization collects and recording how those data are created, stored, used, processed, shared, archived and destroyed. This allows the organization to organize, manage and structure data for operational needs and to locate relevant data quickly whenever required. Tracking data flows and maintaining adequate records of processing activities make data management and protection more efficient.
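The following Python script is an added example, not code from the article or from any Saudi regulator, of what a first data-discovery pass behind a data map can look like: it scans constructed sample records from a few hypothetical stores, tags each field that carries PDPL-relevant data using content detectors (Saudi national ID, mobile number, payment card via a Luhn check, Saudi IBAN, coordinates) and field-name hints (health, credit, beliefs), and emits a per-store, per-field data map that a records-of-processing register can be built on. The detector patterns, field-name hints and the "personal"/"sensitive" split are assumptions for illustration; the article's definitions, not this code, decide what counts as sensitive data.

```python
"""Toy data-discovery pass: scan sample records, tag fields that carry
PDPL-relevant data and emit a data map (a records-of-processing skeleton).
Detector patterns and hints below are assumptions for illustration."""
import re
from collections import defaultdict

# Content detectors (assumed patterns; tune to the organization's own data).
SAUDI_NATIONAL_ID = re.compile(r"^[12]\d{9}$")        # 10 digits, leading 1 (citizen) or 2 (resident)
SAUDI_MOBILE = re.compile(r"^(\+9665|05)\d{8}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SAUDI_IBAN = re.compile(r"^SA\d{2}[0-9A-Z]{20}$")
LAT_LON = re.compile(r"^-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}$")

# Field-name hints for data the content detectors cannot recognise
# (a diagnosis string or a credit score looks like any other text/number).
SENSITIVE_FIELD_HINTS = {
    "diagnosis": "health", "medical": "health", "blood_type": "health",
    "credit_score": "credit", "loan": "credit", "religion": "beliefs",
    "ethnicity": "ethnic_origin", "criminal": "criminal_record",
}
PERSONAL_FIELD_HINTS = {
    "name": "name", "address": "address", "dob": "date_of_birth",
    "photo": "image", "passport": "passport", "employee": "staff_id",
}


def luhn_valid(digits):
    """Luhn check used to tell a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(field, value):
    """Return (category, label) for one field/value pair, or None if nothing matched.
    Content detectors run first; field-name hints are the fallback."""
    text = str(value).strip()
    digits = re.sub(r"[ -]", "", text)           # tolerate "4111 1111 ..." and "05-5..."
    if SAUDI_NATIONAL_ID.match(digits):
        return ("personal", "national_id")
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits):
        return ("personal", "payment_card")
    if SAUDI_IBAN.match(text.replace(" ", "").upper()):
        return ("personal", "bank_account")
    if SAUDI_MOBILE.match(digits):
        return ("personal", "phone")
    if EMAIL.match(text):
        return ("personal", "email")
    if LAT_LON.match(text):
        return ("sensitive", "location")          # location data is sensitive under the PDPL
    name = field.lower()
    for hint, label in SENSITIVE_FIELD_HINTS.items():
        if hint in name:
            return ("sensitive", label)
    for hint, label in PERSONAL_FIELD_HINTS.items():
        if hint in name:
            return ("personal", label)
    return None


def build_data_map(datasets):
    """datasets: {store_name: [record, ...]}. Returns {(store, field): info}
    for every field in which at least one value was classified."""
    data_map = {}
    for store, records in datasets.items():
        per_field = defaultdict(lambda: {"hits": 0, "labels": set()})
        for rec in records:
            for field, value in rec.items():
                result = classify_value(field, value)
                if result:
                    per_field[field]["hits"] += 1
                    per_field[field]["labels"].add(result)
        for field, info in per_field.items():
            # The most restrictive category wins when a field mixes categories.
            category = "sensitive" if any(c == "sensitive" for c, _ in info["labels"]) else "personal"
            data_map[(store, field)] = {
                "category": category,
                "labels": sorted(label for _, label in info["labels"]),
                "hits": info["hits"],
                "rows": len(records),
            }
    return data_map


def stores_needing_restricted_controls(data_map):
    """Stores holding at least one sensitive field: candidates for stricter controls."""
    return sorted({store for (store, _), info in data_map.items() if info["category"] == "sensitive"})


# Constructed sample records; every value here is made up.
SAMPLE_DATASETS = {
    "crm.customers": [
        {"full_name": "Example Person", "email": "person@example.com", "mobile": "+966512345678",
         "national_id": "1012345678", "last_login_geo": "24.7136, 46.6753", "plan": "gold"},
        {"full_name": "Another Person", "email": "other@example.com", "mobile": "0551234567",
         "national_id": "2098765432", "last_login_geo": "21.4858, 39.1925", "plan": "basic"},
    ],
    "billing.payments": [
        {"invoice": "INV-1001", "card_number": "4111 1111 1111 1111", "amount": 250},
        {"invoice": "INV-1002", "iban": "SA03 8000 0000 6080 1016 7519", "amount": 99},
    ],
    "hr.medical": [{"employee_no": "E-42", "blood_type": "O+", "diagnosis": "seasonal allergy"}],
    "finance.credit": [{"applicant_name": "Example Person", "credit_score": 710, "loan_amount": 50000}],
}

if __name__ == "__main__":
    dm = build_data_map(SAMPLE_DATASETS)
    for (store, field), info in sorted(dm.items()):
        print(f"{store:18} {field:16} {info['category']:9} {','.join(info['labels']):14} "
              f"{info['hits']}/{info['rows']} rows")
    print("stores needing restricted controls:", stores_needing_restricted_controls(dm))
```

The output is a candidate list, not a verdict: a 10-digit order number can match the national ID pattern, and a field named `loan_reference` will be tagged as credit data even if it holds nothing personal, so the data owners still review each flagged field before it enters the records of processing. What the script adds to the process is the inventory itself, with the store, the field, the reason it was flagged and how many rows actually contained such values.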

Assessments
The privacy assessment is a key element in ensuring the readiness of an organization. It is an opportunity to identify and close privacy gaps and to raise awareness of the level of privacy risk and its impact on the organization.

  • Readiness assessment—Evaluates whether an organization has undertaken the right measures (i.e., administrative, legal, technical) to comply with the PDPL and all current data protection capabilities of the organization. It identifies and evaluates the organization’s preparedness for the nature of the processing, lawful basis of the processing, security measures, data retention policies, consent and cookie mechanism, data subject request framework, sharing of personal data and any other regulatory obligation. A readiness assessment is far more than a checklist. It engages stakeholders from all business areas and uses questions and their responses to identify risk caused by gaps between current organization policies and complex regulatory requirements.
  • Privacy impact assessment (PIA)—Requires organizations to have written policies and procedures that they can apply effectively in their projects. A PIA should be conducted for every new project, process or system so that all privacy risk is identified early and minimized. The primary objectives of a PIA are:
    • Ensuring that the project is compliant with privacy laws
    • Reflecting privacy and personal information in the project design
    • Identifying strategies to achieve project goals without impacting privacy
    • Considering privacy issues early, thus reducing costs
    • Demonstrating a privacy-first approach to stakeholders
  • Data protection impact assessment—This helps organizations identify and minimize the data protection risk of a project.

Policies
Policies help create the culture within an organization. In addition to IT policies, the most important policies regarding data privacy include:

  • Privacy notice—This is an outward-facing statement that is written for data subjects and data protection authorities. It describes how an enterprise collects, uses, retains, safeguards and discloses personal data,16 and it is mandated by the PDPL.
  • Privacy policy—This is an inward-facing, formally expressed document from management that describes the overall intention and direction that employees who process data must follow to protect personal information.
  • Data retention policy—This policy sets the guidelines for how long an organization may keep personal data, and for when and how to dispose of those data once the purpose for which they were collected has been fulfilled.
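As an added example (not from the article, and not a schedule any regulator has published), the Python below turns a retention policy into an enforceable decision: each record carries the purpose it was collected for and the date that purpose was completed, an assumed schedule maps each purpose to a retention period and a disposal action (delete or anonymize), a legal hold freezes disposal, and a record whose purpose has no schedule is routed to review rather than deleted automatically. The purposes, periods and records are constructed for illustration; the real periods come from the organization's policy and the sectoral rules that apply to it.

```python
"""Retention enforcement: decide per record whether it is retained, held,
due for disposal, or needs review. Schedule values and records are
constructed for illustration, not taken from the PDPL or any regulator."""
from datetime import date, timedelta

# Assumed schedule: purpose -> (days to keep after the purpose is completed, disposal action).
# The clock starts when the purpose ends, not when the data were collected.
RETENTION_SCHEDULE = {
    "service_delivery": (365, "delete"),
    "marketing_consent": (0, "delete"),      # gone as soon as consent is withdrawn
    "financial_record": (3650, "delete"),    # longer period assumed for accounting obligations
    "analytics": (730, "anonymize"),         # strip identifiers but keep the aggregate value
}


def disposition(record, today):
    """Return {"action": ..., "due": date or None, "reason": str} for one record."""
    if record.get("legal_hold"):
        return {"action": "hold", "due": None, "reason": "legal hold overrides the schedule"}
    schedule = RETENTION_SCHEDULE.get(record["purpose"])
    if schedule is None:
        # Fail closed: never auto-dispose of data whose basis is unknown, but surface it.
        return {"action": "review", "due": None,
                "reason": f"no schedule for purpose {record['purpose']!r}"}
    days, action = schedule
    completed = record.get("purpose_completed_on")
    if completed is None:
        return {"action": "retain", "due": None, "reason": "purpose still active"}
    due = completed + timedelta(days=days)
    if today >= due:
        return {"action": action, "due": due, "reason": f"retention period ended {due.isoformat()}"}
    return {"action": "retain", "due": due, "reason": f"{(due - today).days} days of retention remaining"}


def run_retention(records, today):
    """Group record ids by the decided action. Wiring 'delete' and 'anonymize'
    to the actual data store is the caller's job and is out of scope here."""
    plan = {}
    for rec in records:
        plan.setdefault(disposition(rec, today)["action"], []).append(rec["id"])
    return plan


# Constructed sample records (ids, purposes and dates are made up).
SAMPLE_RECORDS = [
    {"id": "r1", "purpose": "service_delivery", "purpose_completed_on": date(2021, 12, 1)},
    {"id": "r2", "purpose": "service_delivery", "purpose_completed_on": date(2023, 1, 10)},
    {"id": "r3", "purpose": "marketing_consent", "purpose_completed_on": date(2023, 3, 17)},
    {"id": "r4", "purpose": "financial_record", "purpose_completed_on": date(2015, 1, 1), "legal_hold": True},
    {"id": "r5", "purpose": "analytics", "purpose_completed_on": date(2020, 6, 30)},
    {"id": "r6", "purpose": "service_delivery", "purpose_completed_on": None},
    {"id": "r7", "purpose": "legacy_import", "purpose_completed_on": date(2019, 1, 1)},
]

if __name__ == "__main__":
    today = date(2023, 3, 17)
    for rec in SAMPLE_RECORDS:
        d = disposition(rec, today)
        print(f"{rec['id']}: {d['action']:9} {d['reason']}")
    print(run_retention(SAMPLE_RECORDS, today))
```

Two design points matter more than the date arithmetic. Tying the clock to purpose completion rather than to the collection date is what the retention policy actually requires, and it means the data map has to record the purpose for every data set. And the unknown-purpose branch deliberately refuses to delete: a disposal job that silently drops records it does not understand destroys evidence the organization may need, whereas a review queue makes the gap in the data map visible.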

Standard Operating Procedure
Standard operating procedures (SOPs) spell out the steps and actions to be taken when personal data are collected, how the collected data are to be stored and used, and what must be done to retain and eventually dispose of them. Their purpose is to ensure the safe handling of the personal information an organization holds about its staff, customers, stakeholders and other beneficiaries.

Information Security and Data Privacy Framework
An information security framework helps organizations put the required safeguards in place to maintain the CIA of collected and stored personal data. A data privacy framework identifies and manages privacy risk so that the organization can build innovative products and services while protecting individuals' privacy. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework17 and the NIST Privacy Framework18 can be used together to strengthen an organization's information security and data privacy programs and make them more coherent.

Phase 3: Training and Response
Employees, including the executive team and the board of directors, should be equipped through frequent awareness training sessions with the knowledge needed to protect customers' personal information, so that they understand the importance of personal data and why those data must be kept safe and secure at all times. There should also be established processes for handling breaches, such as incident response and risk management processes. Employees should know these processes, which should include how to prepare an after-action report for senior management.

The procedure for notifying the PDPL regulator of any leak, loss or unauthorized access to personal data should also be defined. Under the PDPL, the notification must be made immediately,19 which differs from the GDPR, under which the regulator may be notified up to 72 hours after the organization becomes aware of the breach.20

Noncompliance

In case of noncompliance, organizations should be prepared for consequences in addition to fines.

Anyone who discloses or publishes sensitive data in violation of the provisions of the law may be punished by imprisonment for up to 2 years or a fine of up to SAR3,000,000 (approximately US$800,000) if the violation is committed with the intent to harm the data subject or to obtain a personal benefit. Anyone who violates the data transfer provisions may be punished by imprisonment for up to 1 year and a fine of up to SAR1,000,000 (approximately US$266,000). For a repeat violation, the Saudi court may double the fine, even where doing so exceeds the stated maximum, provided the result does not exceed twice that maximum.21

Any violation not covered by Article 35 of the PDPL is subject to a warning or a fine of up to SAR5,000,000 (approximately US$1,330,000), imposed on any natural or legal person in the private sector who is covered by the law and violates any of its provisions or regulations.22

Conclusion

Any organization that wants to work effectively and maintain its reputation in the market needs to ensure the safety of its clients’ information by implementing a data protection and privacy plan.

A good privacy program informs employees how an organization plans to keep information secure, who is responsible for managing the plan and what actions will be taken during a security breach. Privacy programs range broadly and can be as short or detailed as needed. Thorough outlines, for example, may include the specific software, protocols, tools, and other relevant data protection measures in place.

If an organization that operates in Saudi Arabia or processes the data of Saudi residents has not yet started working on its data privacy program, there is still time, but the clock is ticking. The new privacy law will be effective in March 2023. Organizations that must comply with the PDPL should take action now to maintain a compliant, competitive position in the marketplace.

Endnotes

1 Saudi Arabia Bureau of Experts at the Council of Ministers, "Personal Data Protection System"
2 National Competitiveness Center, Draft of the Executive Regulation of Personal Data Protection Law (PDPL)
3 Official Journal of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation)
4 Ibid.
5 Ibid.
6 Ibid.
7 Ibid.
8 Ibid.
9 Ibid.
10 Ibid.
11 Ibid.
12 Ibid.
13 International Association of Privacy Professionals (IAPP), "Certified Information Privacy Manager Certification"
14 ISACA®, "Certified Data Privacy Solutions Engineer"
15 PECB, "GDPR: Certified Data Protection Officer"
16 ISACA, CDPSE Review Manual, USA, 2020
17 National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1., USA, 2018
18 National Institute of Standards and Technology (NIST), NIST Privacy Framework, Version 1.0, USA, 2020
19 Op cit Saudi Arabia Bureau of Experts at the Council of Ministers
20 Op cit Official Journal of the European Union
21 Op cit Saudi Arabia Bureau of Experts at the Council of Ministers
22 Ibid.

Bassel Kablawi, CISM, CDPSE, COBIT Foundation, ITIL v3

Is an information security and data privacy consultant with more than 10 years of experience delivering network and security management and support services across diverse industries and technologies in the telecom, fintech and nongovernmental organization (NGO) domains. Kablawi facilitates information security and data privacy, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security and data privacy programs.