March 20, 2023

How to comply with Saudi Arabian data protection laws

Data reigns supreme in the digital age, and protecting sensitive information has become a top priority for governments and businesses alike. That is why many countries have gone the extra mile to hold organizations accountable for safeguarding consumer data by implementing strict laws and regulations.

The first dedicated legal framework for data protection in Saudi Arabia was published in September 2021. The new law, which comes into effect on March 17, 2023, is expected to align the Kingdom with standards such as the GDPR while protecting the interests of data subjects and ensuring data residency.

This article delves into the intricacies of the country's data protection regulations, highlighting the essential provisions that organizations must follow. Read on if you want to learn more about data residency in the Middle East.

Who should be aware of data protection laws in Saudi Arabia?

Saudi Arabia's data privacy rules cover the personal data and sensitive personal data of individuals in the Kingdom, whether living or deceased. As such, every public or private organization that handles such data, by any means, must do so within the scope of Saudi Arabia's personal data protection law.

These rules also apply to processing carried out by entities located outside the Kingdom. As a result, foreign companies must comply if they do business with Saudi clients. The following section describes these laws and what their provisions entail.

What Saudi Arabia data protection laws you need to know

Saudi Arabia’s data protection landscape is primarily governed by two laws.

One is the Personal Data Protection Interim Regulation (PDPIR). The other is the much more recent Personal Data Protection Law (PDPL), which will soon take full effect.

As its title implies, the PDPIR governs personal data protection in Saudi Arabia in the interim, regulating companies both within and outside the Kingdom.

The soon-to-be-enforced PDPL, on the other hand, is considerably more comprehensive. It governs the collection and processing of personal data, is built on general data processing principles, and extensively covers data subjects' rights, controllers' and processors' obligations, cross-border transfer rules, and the consequences of non-compliance.

Notably, the PDPL does not override or replace any earlier local or international rule that provides stronger protection or grants the data subject a better right.

Complying with the PDPL

The law specifies the measures that entities must take in the course of their business. This section provides an overview of them.

Rules guiding consent

The PDPL makes it clear that the data subject's consent is required before personal data is collected and processed, and that this consent can be withdrawn at any time.

Nonetheless, there are several cases in which consent is not required. For example, where:

  1. the processing serves a clear interest of the data subject, and it is impossible or impracticable to contact them;
  2. the processing is required by law or by a prior agreement to which the data subject is a party;
  3. the controller is a government agency, and the processing is necessary for a public purpose;
  4. the data is collected for scientific or investigative purposes, and the other applicable legal safeguards have been followed.

Rights of data subjects

The PDPL grants data subjects certain rights so that they retain control over their data. These include the rights to:

  • Be informed of the purpose of collection and whether the data will be shared with third parties.
  • Access and obtain a clear, legible copy of their personal data on request and free of charge.
  • Request the correction of data that is incomplete, inaccurate, or out of date.
  • Request the destruction of collected data once consent has been withdrawn.
  • Complain to the regulator where their rights have been breached.

Registration requirements

The PDPL provides for an electronic portal on which all data controllers must be registered. Registration is renewed by paying an annual fee.

Foreign organizations that process the data of Saudi residents must appoint a representative within the Kingdom who is responsible for liaising with the Saudi Data and Artificial Intelligence Authority (SDAIA) on their compliance efforts.

Requirement of privacy notices

The PDPL also imposes transparency obligations. It requires every organization to make its privacy policy available for data subjects to review before they hand over their information.

The privacy policy should include all necessary details, such as:

  1. the lawful purpose of collection;
  2. which fields are mandatory and which are optional, with an assurance that processing will be limited to the purpose of collection and carried out in accordance with the PDPL;
  3. the identity of the controller, except where the data is collected for security purposes;
  4. the other parties with whom the data may be shared, and whether such sharing involves a transfer across borders;
  5. the consequences of not providing the requested data;
  6. the rights of the data subject;

together with any other details required for the particular type of organization.

Other procedural measures 

When a breach occurs, firms must notify the regulator within 72 hours of discovering it. The notification should be followed by a detailed report on the nature of the breach and the steps taken to prevent a recurrence.

If the breach jeopardizes the security of the data, the company may also be required to notify the affected data subject(s) as soon as possible. In addition, the designated data protection officer must address the subjects' concerns about the breach.

The PDPL expects companies to conduct impact assessments regularly to confirm that all compliance processes are in place. Similarly, when outsourcing processing, an organization must select only providers that have taken the necessary steps to comply with the law, and it must reassess that compliance regularly so that data is not compromised at any point in the chain.

Processors must keep up-to-date records of their processing activities for the period specified in the draft regulations. These records should include the processor's details, the purpose of processing, any party with whom personal data has been or will be shared, whether the data will be transferred outside Saudi Arabia, and how long the information will be kept.

Penalties for non-compliance

The penalty for disclosing sensitive personal data in breach of the PDPL is up to two years' imprisonment, a fine of up to SAR 3 million (about $800,000), or both.

For violations of the cross-border transfer rules, the penalty is up to one year in prison, a fine of up to SAR 1 million (about $267,000), or both. Violations of other provisions are normally punished by warning notices or fines, with the highest fine set at SAR 5 million (about $1.3 million).

Any of these sanctions may be doubled in the event of a repeat offense.

Apart from the PDPIR and the PDPL, other laws govern data sovereignty in specific sectors. Two notable examples are the Anti-Cyber Crime Law of 2007, overseen by the National Cybersecurity Authority, and the E-Commerce Law of 2019, overseen by the Communications and Information Technology Commission.

Data localization by InCountry is a one-step method of complying with protection rules in every country.

Data transfer requirements

The PDPL supports Saudi Arabia's data localization policy. Transfers of personal data outside the Kingdom are therefore generally prohibited, except for the purposes specified in the Regulations.

The SDAIA and its Regulations may add further grounds for authorized transfers, but at present the PDPL sets a small number of conditions that must be met before data can be transmitted outside Saudi Arabia.

First, a rigorous impact assessment of the destination country is required to confirm that the receiving location offers adequate protection. In addition, the organization must obtain written approval from the SDAIA.

The exceptions to this requirement are transfers that are necessary for a public purpose or to protect the life or vital interests of the data subject.

How to comply with data protection laws in the KSA — InCountry’s approach

Since the PDPL is new, the SDAIA has given organizations one year from the date it becomes effective to fully implement its provisions. The section on complying with the PDPL above describes how demanding that implementation is.

InCountry can simplify this process instantly and help you stay compliant with the PDPL and other data residency requirements by country.

Here are a few reasons why you can trust InCountry to help you achieve data compliance around the clock:

  • InCountry keeps up to date with residency and localization requirements by country. Our cloud infrastructure is secure and certified, and your data can be localized and stored in top-tier data centers within the country.
  • InCountry applies strong protection measures across the globe, including AES-256 encryption, SHA-256 hashing, firewalling, network isolation, and intrusion detection. InCountry takes security very seriously.
  • We work only with proven, security-compliant cloud service providers, so that every stage of your data lifecycle is tightly secured.

Schedule a call with our experts or request a demo to learn more about how InCountry can help your company to comply with data regulations.