The time is now: countdown to compliance with the new Saudi Arabia Personal Data Protection Law

The new Personal Data Protection Law is now effective in the Kingdom of Saudi Arabia with organisations required to fully align with the legislation by September 2024. For many businesses operating in the Kingdom, this will be the first time they have had to comply with a data protection regime and there may be challenges with meeting the extensive governance and accountability requirements.

The Personal Data Protection Law (PDPL) was originally issued in September 2021 with subsequent amendments published in March 2023. This was followed by a set of Implementing Regulations and the Data Transfer Regulations that were issued by the Saudi Data & Artificial Intelligence Authority (SDAIA) in September 2023. The Implementing Regulations and the Personal Data Transfer Regulations (together the Regulations) expanded on the general principles and obligations outlined in the PDPL and introduced various new compliance requirements for data controllers. All organisations that process personal data in the Kingdom of Saudi Arabia (KSA) by any means whatsoever and any entities located outside KSA that process the personal data of Saudi residents will be caught by the PDPL and the Regulations.

What are the key requirements of the KSA data protection regime?

Many of the features of the PDPL and the Regulations are consistent with concepts and principles contained in other international data protection laws, including:

• National register of controllers: There is a requirement for organisations that control personal data (controllers) to register with SDAIA. The rules for registration in the National Register will be published in due course and these are expected to specify which controllers will have to register.
• Record of processing activities (ROPA): Unlike other data protection regimes, the Regulations specify that controllers must keep a ROPA during the period it engages in the relevant processing activities and a further five years after the end of the processing activity. The Regulations also set out the information that should be included in a ROPA, such as a description of the organisational, administrative and technical measures taken by the controller.
• “Legitimate interests” as a lawful basis for processing data: The PDPL sets out certain lawful bases for data processing, including the data subject’s consent, legal requirements or processing in pursuance of the controller’s legitimate interests. However, the PDPL does not permit processing of sensitive personal data on the basis of the controller’s legitimate interests. Further, the Regulations introduce specific conditions for controllers to meet when relying on their legitimate interests as the legal basis for processing, including balancing the rights and interests of the data subject against the legitimate interests of the controller. Controllers must also conduct a legitimate interest assessment when relying on this ground to process personal data.
• Consent: Where an organisation relies on the consent of an individual to process their personal data, such consent must be given freely, the purposes for processing must be clear and specific, and independent consent must be obtained for each purpose of processing. Consent must also be documented and it must be given by a person who has full legal capacity. There are circumstances when “explicit” consent is necessary, including where the processing involves sensitive data, credit data and decisions based entirely on automated processing.
• Data subject rights: Individuals (data subjects) will, subject to some exceptions, have the right to be informed of personal data processing and the legal basis of such processing, the right to access their personal data (including to obtain a free of charge copy of the same), the right to correct or update their personal data, and the right to request its destruction if no longer needed. Data subjects also have the ability to file complaints relating to the application of the PDPL with the regulatory authority. The Regulations set out new details and requirements in respect of data subject rights and require that controllers respond to data subject requests within 30 days. This can be extended by an additional 30 days where responding to the request requires unexpected or unusual additional effort or where the controller receives multiple requests from the data subject. Multinational organisations should note that this is a shorter time period than under some international legislation such as the European GDPR, which allows a maximum of three calendar months for complex or multiple requests.
• Adequacy system for data transfers: The Personal Data Transfer Regulations enable the transfer of personal data outside KSA to countries that have been evaluated by SDAIA as providing an appropriate level of data protection. The Regulations set out the evaluation criteria and the procedure for determining and reassessing adequacy, although a list of adequate countries had not been issued by the end of November 2023. Exemptions for transfers to non-adequate countries include measures that are familiar under other data protection regimes, such as Binding Corporate Rules for intra-group data transfers or Binding Rules of Conduct approved by SDAIA, standard contractual clauses (to be issued by SDAIA) and certificates of compliance issued by an entity licensed by SDAIA. In the absence of an adequacy decision and the inability of the controller to use any of the other stated measures, there are exemptions that may allow for transfers in limited circumstances, including where the transfer is necessary to conclude or implement an agreement to which the data subject is a party. However, when relying on the safeguards or exemptions, or where the transfer involves ongoing or large-scale sensitive data, controllers must conduct a risk assessment to determine whether the transfer could result in a high risk to data subjects.
• Additional bases for international data transfers: The Personal Data Transfer Regulations introduce additional bases for transferring personal data outside of the KSA, including providing a service or benefit to the data subject and carrying out operational processes to enable the controller to carry out its activities (including the operations of the central administration).
• Data processors: Controllers must enter into agreements with third party processors which contain specific information, including a commitment from the processor to notify the controller of a personal data breach without undue delay and confirmation of any subcontractors engaged by the data processor or any other party to whom the personal data will be disclosed. The processor must meet specific conditions when contracting with sub-processors, including obtaining prior approval from the controller. The controller is responsible for verifying the processor’s compliance with the PDPL and the Regulations.
• Data breach notifications: Controllers must notify personal data breaches to SDAIA within 72 hours of becoming aware of the breach and must notify data subjects without undue delay. The threshold for reporting a breach to SDAIA and data subjects appear similar: a breach is reportable to SDAIA and data subjects where it may cause harm to the personal data (or data subject, in the case of notifications to SDAIA), or conflicts with their rights or interests.
• Data Protection Impact Assessments (DPIAs): Controllers are required under the PDPL to evaluate the impact of processing personal data and, if personal data is no longer needed to achieve the intended purpose, the controller should stop the collection of such data. The Regulations specify further circumstances when a DPIA is required. DPIAs must be completed where the processing involves sensitive data; where the controller collects, compares or links two or more sets of personal data obtained from different sources; the activity of the controller includes systematic large scale processing of personal data of individuals who fully or partially lack legal capacity; the activity involves processing operations that by their nature require continuous monitoring of data subjects; the activity involves processing personal data using new technologies; the activity involves making decisions based on automated processing of personal data; and the processing involves the provisions of a product or service that involves processing of personal data that is likely to cause serious harm to the privacy of data subjects. The Regulations also specify the information that should be included as a minimum in DPIAs.
• Advertising and direct marketing: Consent is required to process personal data for advertising and direct marketing purposes. Controllers must also provide an easy and simplified mechanism to enable data subjects to stop receiving advertising and marketing materials at any time.
• Data Protection Officers (DPOs): The Regulations specify when controllers must appoint one or more persons responsible for the protection of personal data (i.e. a DPO). The circumstances include where the controller is a public entity that provides services that include large scale data processing; where the primary activities of the controller are based on processing operations that require regular and systematic monitoring of data subjects; and where the main activities of the controller are based on the processing of sensitive data. The DPO can be an official or employee of the controller or an external contractor. Organisations therefore can either appoint internally or engage a third party company that provides DPO services. The Regulations do not specify, however, whether a DPO should be based in the Kingdom. Further rules for the appointment of DPOs are expected.

What should companies do next?

While organisations have until 14 September 2024 to fully adjust their positions to comply with the PDPL and the Regulations, the law is now effective and SDAIA is likely to be pushing for prompt compliance. With the Regulations now in place to supplement the framework established by the Law, there is a clearer path to compliance for all organisations seeking to do business in or with KSA. Early steps should be taken to:

• Assess data processing activities relating to KSA with a view to understanding the impact of the PDPL and the Regulations and any operational changes that will be necessary to align with them.
• Document the personal data that an organisation processes as part of the record-keeping obligation and comply with other governance requirements under the PDPL.
• Obtain senior management buy-in to implement the changes that may be required to adopt new or updated data protection frameworks. This can be a complex exercise and it is important that senior management understands the risks that may arise from non-compliance with the PDPL, including financial sanctions (such as potential fines and compensation claims), criminal penalties and reputational damage.
• Review and, where necessary, update policies, processes and contracts to take account of new rights and obligations, particularly the statutory deadlines for responding to data subject requests.
• Assess whether there is a requirement to appoint a DPO and, if so, ensure that a DPO is appointed before the deadline.
• Implement or update security breach policies and procedures to ensure compliance with the breach notification deadlines under the PDPL.
• Train staff (and suppliers) on the terms and principles of the PDPL and the Regulations.

Organisations will need time to implement the relevant controls and embed data protection within the business culture and operational processes. This should be done at the earliest opportunity to meet the legal deadline and with the support of data privacy and cybersecurity specialists who can help to navigate the compliance challenge.