Saudi Arabia's PDPL: Overview and Compliance Requirements

Stephen Cooper 6/13/24 2:53 PM

Saudi Arabia Personal Data Protection Law (PDPL)

Following the lead of the EU with its creation of GDPR, many countries and regions have created their own data protection standards. Saudi Arabia’s legal requirements for managing sensitive data are described in the Personal Data Protection Law (PDPL). We explain the details of these regulations.


What is the new personal data protection law in Saudi Arabia (PDPL)?

Saudi Arabia's new personal data protection law is the first of its kind in the Middle Eastern state, and aims to bolster public confidence and trust in sensitive information management. The Saudi Arabian PDPL is inspired by the EU’s General Data Protection Regulation (GDPR), with similar goals to protect the privacy of individual information and set the regulatory standards for companies that collect, process, disclose, and retain personal data. 

The PDPL is part of an overarching Saudi Vision 2030 objective, which aims to diversify Saudi Arabia's economy by making it less reliant on natural resource extraction. A key part of this vision is to promote the technology services sector, which the PDPL will regulate.

Some fundamental aspects of these new regulations include data protection, data processing principles, the rights of data subjects, organizational obligations, and penalties for noncompliance. 


PDPL Timeline  

The PDPL came into effect on 14 September 2023, with a one-year grace period. This means businesses have until 14 September 2024, when the law comes into full force. So, there is still time to get business processes PDPL compliant.

The government has some leeway in the option to grant a business an extension on implementation. However, this favor is not automatic, and companies struggling to get all systems in place should not rely on this option. Naturally, the businesses applying for extensions will have to explain why they need more time. As you can imagine, it is only large and complicated conglomerates that will be able to demonstrate the impossibility of implementing the rules in the stated time frame.


PDPL compliance requirements

The central tenet of the PDPL is that companies implement “appropriate safeguards” to protect the PII of Saudi citizens. This is an elastic concept, but it is no more vague than the requirements of GDPR. When a breach does occur, businesses can evade prosecution if they can prove that they took all reasonable steps to protect data.

The best way to meet these requirements is with PDPL compliance software, but let's take you through an overview of the main tenets of the law. 


Appointing a data protection officer (DPO)

Compliance with the PDPL requires appointing a data protection officer (DPO). This role can be fulfilled by an employee or outsourced to a consultancy. Any company in Saudi Arabia that intends to handle PII should register with the Saudi Data & AI Authority (SDAIA), including the name and contact details of the DPO through whom the Authority will pass information about new requirements. Larger organizations might require multiple DPOs.

Details in the registration record for a data processing organization also include the categories of data that the organization has to handle. The company needs to give a justification for handling PII and a statement on the likely partners that the business will deal with in managing sensitive data. The declaration of business associates should also identify which partners are based abroad or, in the case of multinationals, whether they will be handling the PII in another country. 

The declaration should also state the retention period for sensitive data – both as actively managed information and as archives.

One of the DPO's responsibilities is to ensure that risk assessments are conducted regarding the storage of PII. This extends to third-party risk management and the imposition of appropriate safeguards. 

The requirement for third-party risk management and particularly the assessment of overseas business partners is a much larger focus of the PDPL than is encountered in parallel standards, such as the CPRA in California or GDPR in the EU.    


Asking for user consent 

Under the PDPL, consent must be freely given and made as an informed decision. Any business operating in North America is familiar with these guidelines. Websites should include both a Terms of Service page and a Privacy Policy that clearly outlines what data is collected, how long it's stored for, and which parties it's shared with.

The best way to ask for and store consent is via a traditional consent manager, akin to GDPR, CCPA, and Law 25.

Explicit consent must be recorded and that documentation needs to be stored. A citizen must be of legal age and not considered to be mentally impaired in order to grant consent.  

Targeted marketing, which depends on activity monitoring, requires specific consent. Explicit consent is also required for direct marketing that involves a regular stream of informational or sales emails. There should be a mechanism available for customers to record their consent to these interactions at any time.


Building data subject access requests

As with many data protection regulations, the PDPL outlines the right of a data subject to see and, where necessary, correct the data that is being held about them. Such a transaction is called a data subject access request (DSAR), and it must be responded to within 30 days. The deadline for responding can be extended if the DPO can show that the response requires exceptional effort.


Data Protection Impact Assessments (DPIAs)

The DPIA requirements in the Regulations refer to data discovery and classifications. This should result in the creation of a data catalog that consolidates disparate records relating to the same person, removing duplication and clearly distinguishing the consent given for different use cases. 

The DPIA should ensure that the data collection and processing activities of the business do not damage the privacy or freedoms of private individuals. The precise phases of the DPIA are explained in the Executive Regulations. 


Data processors 

The Regulations explain the contractual agreements that businesses should establish if they intend to liaise with third parties to process PII. The bulk of these guidelines are outlined below. However, this section includes procedures and communication channels that should be established to enable service providers to notify the principal data collector of a data breach. 


Record of Processing Activities 

The Regulations require that the business that handles PII – as opposed to one that merely stores it – should keep a record of processing activities. This log of activities only needs to track access to files or databases that have been identified as containing sensitive data. The documentation is called the Record of Processing Activities (ROPA). 

Most of the data loss prevention systems available today automatically manage the task of creating a ROPA. Combining a DLP tool with a SIEM allows you to identify insider threats and advanced persistent threats. A typical SIEM package should also provide you with a log manager that stores records in files with meaningful names. 

You will also need a file backup system that can manage archiving, because ROPA files have to be stored for five years even if the company stops handling sensitive data. Archived files should be accessible through a restore mechanism so that they can be made available for spot-check audits.

The fields that need to be written into a ROPA log are detailed in the Executive Regulations. 


Contractual protection for data transfers

Although the Executive Regulations are a separate part of the PDPL from the Personal Data Transfer Regulations, they do contain guidance on how to manage data movements. This extends to legal, procedural, and organizational steps that need to be taken in order to protect data.

The authorities have such faith in the contractual protection measures outlined in the Executive Regulations that they even override the ban on dealing with third parties in countries with which there is no national mutual agreement. 

To date, the SDAIA has not produced a list of approved countries with which Saudi businesses can exchange data. So, the leeway of transferring data to any country as long as the correct documents are in place could be a stop-gap ruling to enable digital commerce to continue.

In order to transfer data abroad to non-approved countries (which is currently all countries) the following documents have to be composed:

  • Binding Corporate Rules for intra-group data transfers 
  • Binding Rules of Conduct approved by SDAIA
  • Certificates of Compliance provided at the conclusion of a successful compliance audit conducted by an authorized auditing organization

An agreement by the data subject to the movement of data to a specific location and for a specific purpose also overrides the restrictions on data movements.   

In all cases, the inclusion of third parties in the processing or storage of Saudi PII must be fully backed up by a risk assessment, whether those associated businesses are located within Saudi Arabia or abroad.


Data breach notifications

The DPO named in the SDAIA register is responsible for making data breach notifications. These must be made to the SDAIA within 72 hours of the discovery of a data loss event. All of the data subjects whose information was involved in the event should also be notified.  

The reporting of a data breach does not necessarily result in a fine. This is the same with GDPR. Trying to cover up a data breach will certainly get the company fined. The requirements for activity logging and record keeping are intended to remove the possibility of companies keeping a data breach secret. In that scenario, a security audit combing through activity records would identify the breach, the company would fail to get certified, and the auditor would notify the SDAIA of the transgression.


Clear privacy policies

Similar to the GDPR, the PDPL requires website operators in Saudi Arabia to publish an accessible privacy policy on their website, outlining the terms and conditions for website use as well as what personal data is collected, how it is used, and which third parties it is shared with.


What is the penalty for PDPL in Saudi Arabia?

There are two sides to the penalty structure outlined in PDPL. There are penalties for the people who actually publish sensitive data. This would be applied to disgruntled employees who leak data and intruders who steal data for blackmail purposes and then publish PII as a punishment for those businesses that don’t pay up. The other type of penalty is applied to the businesses that were holding the disclosed data.

The PDPL penalties for data thieves that publish PII include imprisonment for up to two years and a fine of SAR 3 million, which is roughly equivalent to US$ 800,000. These punishments apply to those who intentionally disclosed PII; a data leak that can be traced to a specific employee could be forgiven if that person is able to prove that the disclosure was accidental. The penalties also would not be applied if an employee can show that the theft of data was the result of trickery by others and not malice on the part of the employee.

A company that is targeted by data thieves and fails to detect and repel intruders will be fined if that security breach results in the theft and publication of sensitive data. Companies that have trade secrets stolen would not be fined if the type of data taken related to factors such as vendor and supplier lists or secret prices. However, because the PDPL extends to data that is of national security importance, disclosure of research or negotiations with government departments for contracts could be subject to PDPL fines.

There are no criminal charges outlined in the PDPL for businesses that suffer data breaches. Fines under the PDPL guidelines can vary and take account of the severity of the offense. A company that is being prosecuted can reduce the fines that it will have to pay if it can demonstrate that it took all appropriate steps to protect PII and other types of sensitive data. The maximum fine allowed by the PDPL is SAR 5 million, which is around US$1.3 million.


PDPL Data Security Frameworks

It is better to focus all efforts on getting data protection functions in place rather than focusing resources on thinking up ways to get an extension. A complicating factor for PDPL implementation is that the law supplements all previous data management legislation rather than replacing it. Thus, there are also other laws with which a business needs to comply in order to avoid prosecution.  

The government of the Kingdom of Saudi Arabia (KSA) includes a number of agencies that produce guidelines for data protection implementations in specific contexts. For example, banking and payment card data protection regulations are managed by the Saudi Central Bank. The Ministry of Health governs the healthcare sector in the Kingdom and is guided by a general ruling called the Patient’s Bill of Rights, which dates to 2006. The Saudi Commission for Health Specialties is responsible for healthcare practice licensing. It examines data protection issues when examining the sustainability of an approved clinic or healthcare facility. 

The KSA’s National Cybersecurity Authority also has input into data protection enforcement and so does the Communication, Space, and Technology Commission. So, there are many authorities involved in the management of data security within the country and some businesses might be simultaneously governed by several of them. However, the central authority with designated responsibility for the enforcement of PDPL is the Saudi Data & Artificial Intelligence Authority (SDAIA).


PDPL Executive Regulations

The Personal Data Protection Law is divided into two sections: 

  • The Personal Data Transfer Regulations: Contain the details of PDPL, including definitions of PII and penalties for data breaches
  • The Executive Regulations: Describe the procedures that should be put in place to manage and protect sensitive data

The Executive Regulations are also known as the Implementing Regulations. These are guidelines for businesses and they explain how to adopt technologies and procedures to enforce the PDPL requirements. Strict adherence to these recommendations can prevent a victimized company from paying a hefty fine in the event of a data breach.  

The Saudi Arabia PDPL system requirements are not exceptional. A business simply needs to implement a sensitive data discovery and classification service, a data loss prevention package, and a SIEM. Businesses also need to pay attention to the interfaces that collect data, such as websites. These need to outline the purpose of PII collection and seek and store the data subject’s consent.

The requirements specify procedures for dealing with business processes that pertain to PII.

Read the entire PDPL Executive Regulations (PDF Link)


What are Saudi Arabia’s data transfer regulations?

The considerations for data transfers are central to PDPL as they are in GDPR. They are closely tied to the concepts of appropriate usage and the security issues required for data access. The rules are officially called the Personal Data Transfer Regulations.


Types of Data Transfer Actions

There are three levels of data transfers that are regulated by the PDPL. 


Internal data transfers

The first data transfer type is internal – within a business. Personal data can be held but only for a specific purpose. Data collection can be explicit, as in a collection of data in exchange for a prize draw or a free guide, or implicit, such as buyer name and delivery address. This information can only be used for the declared (or implied) purpose for which it was gathered. Putting that data to other uses effectively counts as a change in its ownership.


Inter-company data transfers

The second level of data transfer can occur between businesses. One business might collect PII and then send it to another company for processing. Where data is stored on a cloud platform that is not the property of the gathering institution, the movement of data to that storage location counts as an inter-company data transfer. In all scenarios where multiple companies share PII, this is regarded as a business association and all of the companies involved are jointly accountable. Thus, one company could be liable to compensation costs and fines if lax security at an associate business results in a data breach.


International data transfers

The third level of data transfer relates to international movements of PII. These are not completely banned. If a KSA business uses managed services, such as a data storage cloud platform or an overseas data processing service, PII can be moved outside the country in order to implement those necessary processes. This is a necessary loophole built into the regulations because Saudi Arabia is not currently a global center for IT services and it is common practice to use IT services based outside the Kingdom. This would apply, for example, to call centers, which might be outsourced to companies in Pakistan or India. 


Cross-border activity

While PDPL is a little more tolerant of international data usage cooperation than GDPR, it does expand the definition of sensitive data that is subject to controls – it adds in data on national security.  

The Saudi government knows that it has less power over companies that are based outside the country. The penalties for data breaches that occur outside the country will fall more heavily on Saudi businesses than their overseas associates. Many of the requirements of PDPL aim to force data holders to act responsibly when choosing overseas partners.

Saudi businesses face risks when setting up data processing agreements with companies that cannot be prosecuted because of their location overseas. This problem is mitigated by controls over permitted overseas locations for data processing. 

The PDPL limits the places that Saudi businesses can deal with for data processing to those countries with which the government has signed a mutual agreement and where local data protection regulations would enable the SDAIA to pursue the offending overseas company in their local courts. The guidelines over which overseas countries are acceptable as the seats of associated companies are outlined in the Transfer Regulations that are included in the text of PDPL.


Stephen Cooper

Stephen Cooper started out in IT as a programmer, became an international consultant, and then took up writing. Whether writing code, presentations, or guides, Stephen relies on his degrees in Computing, Advanced Manufacturing, and Cybersecurity to generate solutions to modern challenges.