Your Roadmap to Saudi Arabia's PDPL Compliance
Overview of the PDPL
On September 14, 2023, Saudi Arabia's Personal Data Protection Law (PDPL) came into effect, and organizations were given one year to achieve compliance. However, many organizations are still in that process and are prioritizing the implementation of the measures necessary to comply with the law.
The primary objective of the PDPL is to safeguard individuals' personal data while establishing rules for organizations on the processing, disclosure, and storage of this information.
Aligned with Saudi Vision 2030, the PDPL aims to modernize the kingdom's digital infrastructure and foster the growth of its digital economy. The law addresses critical aspects such as principles of data processing, the rights of individuals, organizational responsibilities, and penalties for non-compliance.
This article provides practical guidance on organizational, administrative, and technical cybersecurity controls that should be considered as a foundation for achieving PDPL compliance.
Applicability of the PDPL in Saudi Arabia
The Personal Data Protection Law (PDPL) applies based on the nature and location of data processing activities.
Material Scope
- The PDPL governs the processing of confidential and sensitive personal information of individuals within Saudi Arabia.
- It does not apply to personal data processed for non-commercial or private purposes.
Territorial Scope
- The law applies to both public and private entities managing personal data within Saudi Arabia.
- It also extends to foreign organizations that process data related to Saudi residents.
PDPL Compliance Requirements
Organizations operating under the Saudi Personal Data Protection Law (PDPL) must adhere to stringent compliance measures across several key areas:
1) Consent Requirements
- Explicit consent from individuals is mandatory before processing their personal data, except in specific scenarios outlined in implementing regulations of PDPL.
- Consent must be purpose-specific, and individuals retain the right to withdraw consent at any time.
- Conditional consent is permissible only under circumstances such as legal obligations, public security or judicial requirements, scientific or research purposes, or legitimate interests—excluding sensitive confidential information, which remains strictly regulated.
2) Privacy Policy Creation
- Organizations must establish and maintain a transparent privacy policy accessible to individuals prior to data collection.
- The policy should clearly outline: the purpose of data collection; the types of data collected; the methods of storage, processing, and destruction; and data subject rights and the mechanisms for exercising them.
- When collecting data directly, organizations must disclose: the legal basis for processing; the purpose of collection (and whether providing the data is mandatory or optional); the identity of the collector (unless restricted for security reasons); and the recipients of the data.
3) Security Standards
- Organizations must implement robust organizational, administrative, and technical measures to secure personal data, particularly during transfers.
- Compliance with Implementing Regulations of PDPL and Personal Data Transfer Regulations is critical.
4) Data Breach Disclosure
- Any data breach must be reported to the supervisory authority within 72 hours of detection.
- If the breach poses significant risks to personal data, immediate notification is required.
- Controllers must provide the contact information of the Data Protection Officer (DPO) for inquiries related to the breach.
5) Data Protection Officer (DPO) Appointment
- Organizations are required to appoint a DPO responsible for ensuring compliance with protection measures.
- The Implementing Regulations detail the criteria for DPO appointments and their responsibilities.
6) Data Protection Impact Assessments (DPIA)
- Organizations must assess potential risks associated with processing personal data, particularly for publicly available products or services.
- The Implementing Regulations provide guidance on minimum requirements for conducting DPIAs.
7) Processing Activity Records
- Entities must maintain detailed records of processing activities for a minimum of five years post-processing.
- Records should include contract details, the objectives of processing, categories of data subjects, data recipients, details of international transfers, and expected retention periods.
8) Third-Party Vendor Management
- Organizations must carefully evaluate and select processors who demonstrate regulatory compliance.
- Regular audits of processors’ adherence to organizational data protection instructions are essential.
9) Cross-Border Data Transfers
- Data may only be transferred outside Saudi Arabia if the destination country ensures adequate protection.
- SDAIA evaluates destination countries, companies, and sectors based on the Personal Data Transfer Regulations, considering factors such as the presence of supervisory authorities, protective laws, and complaint mechanisms.
10) National Register of Controllers
- Organizations must register with the National Register of Controllers as per SDAIA guidelines.
- Previously, cross-border transfers required individual SDAIA approval on a case-by-case basis, which is now transitioning to more structured oversight.
Rights of Data Subjects Under the PDPL
The Personal Data Protection Law (PDPL) provides individuals with several key rights regarding their personal data. Organizations are required to inform users about these rights and ensure they can exercise them within 30 days.
- Right to be Informed: Individuals have the right to understand the legal or functional basis for the processing of their personal data.
- Right to Request Access: Individuals can access their personal information and request a copy, provided free of charge.
- Right to Correction: Individuals can request corrections to their personal data if it is inaccurate or incomplete.
- Right to Destruction: Individuals can request the deletion of their personal data.
These rights empower individuals to maintain control over their personal information and ensure its accuracy and security. Organizations must facilitate these rights transparently and efficiently.
Roadmap for PDPL Compliance
Organizations must follow these steps to ensure compliance with Saudi Arabia’s Personal Data Protection Law (PDPL):
- Understand Requirements: Gain a thorough understanding of the PDPL’s scope and obligations, applicable to all entities handling the personal data of Saudi residents.
- Obtain Consent and Provide Privacy Policies: Secure explicit consent for data processing and transparently communicate how collected information will be used.
- Report Breaches: Notify authorities and affected individuals promptly in the event of a data breach or unauthorized access.
- Adhere to Processing Principles: Ensure data accuracy, security, and individual consent, particularly for sensitive information.
- Respect Data Subject Rights: Uphold individuals’ rights, including access, correction, deletion, and data transfer.
- Maintain Processing Records: Keep detailed records of processing activities, including purposes and data retention periods.
- Conduct Privacy Risk Assessments: Evaluate privacy risks associated with personal data processing for all products and services.
- Implement Protection Safeguards: Protect data against unauthorized access and comply with breach notification requirements.
- Regulate Data Transfers: Ensure data transfers comply with PDPL standards, including obtaining consent and minimizing unnecessary transfers.
- Stay Updated and Leverage Technology: Keep up with changes in regulations and use technology to secure data and maintain ongoing compliance.
Penalties for Non-Compliance with PDPL
Non-compliance with the PDPL can result in severe penalties:
- Unauthorized data transfers outside Saudi Arabia can lead to up to one year of imprisonment and/or a fine of SAR 1 million (approximately USD 267,000).
- Unauthorized disclosure of sensitive personal information may result in up to two years of imprisonment and/or a fine of SAR 3 million.
- The Saudi Data and Artificial Intelligence Authority (SDAIA) can impose fines of up to SAR 5 million for violations of the law.
Best Practices for PDPL Compliance
To ensure effective compliance with the Personal Data Protection Law (PDPL), companies should adopt the following best practices:
- Accountability: Designate a responsible individual, such as the head of the organization or an assigned officer, to oversee privacy policies and procedures.
- Transparency: Provide a clear and comprehensive privacy notice that explains the purpose of collecting personal information.
- Choice and Consent: Obtain explicit consent before collecting, using, or disclosing personal data.
- Data Minimization: Limit data collection to only what is necessary to achieve the intended purpose.
- Purposeful Use, Retention, and Destruction: Use, retain, and destroy personal data solely for specified purposes and in compliance with relevant laws.
- Access and Correction: Allow individuals to review, update, and correct their personal information.
- Disclosure Limitations: Disclose personal data only for purposes outlined in the privacy notice and authorized by the individual.
- Data Security: Implement robust security measures to protect personal data from damage, theft, misuse, leakage, loss, or unauthorized access.
- Data Quality: Regularly verify and maintain the accuracy and timeliness of personal information.
- Monitoring and Compliance: Continuously monitor privacy policies, address disputes, and resolve related issues proactively.
By following these best practices, organizations can align with PDPL requirements and effectively safeguard personal information, ensuring both privacy and security.
About Ardent Privacy
Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions that enable privacy compliance, govern AI risk, deliver meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates the adoption of AI technologies. Ardent offers a low-code platform to automate privacy and AI governance, rapid discovery of data assets, and consent management, with a regional focus for global regulations.