Did you know that you are constantly at risk of cyberattack, and not because of anything you posted recently? The real threat arises when you willingly hand your details to businesses so that they can carry out your transactions. Whether it is your banking app or an e-commerce store, this threat is everywhere online and is looming over you right this second.
However, if you are a resident of the KSA or the EU, there is nothing to worry about, because your data is in safe hands. Thanks to the strict data protection and compliance regimes of the KSA and the EU member states, citizens stay safe from cyberattacks involving third-party vendors and businesses.
Both the KSA PDPL and the EU GDPR are world-renowned, recognized, and recommended frameworks that other countries look to when building their own data protection regimes. But which of the two regulations is better? Let's find out.
What is Saudi Arabia’s PDPL?
The Personal Data Protection Law (PDPL) is Saudi Arabia's first data protection law and came into force on September 14, 2023. It aims to tackle challenges such as AI-driven attacks, social engineering, and cloud attacks faced by KSA-based businesses that have an IT infrastructure or online presence. The rules of PDPL also apply to overseas corporations that handle the personal data of KSA residents.
Organizations subject to PDPL must inform data subjects of their rights and explain how to exercise them. They must also ensure that all of the law's principles are met, carry out regular Data Protection Impact Assessments (DPIAs), and appoint a Data Protection Officer (DPO) to supervise this work.
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of rules for addressing cyber risks both inside and outside the European Union. It was first adopted in April 2016 and has gained worldwide recognition since coming into force in May 2018. GDPR applies not only to EU-based corporations but also to organizations outside the EU that process the personal data of citizens of any EU country.
GDPR's strict structure requires corporations to minimize the collection and storage of subjects' personal data. It prescribes measures for securely managing the minimal data that enterprises do collect, protecting citizens from the harm of breaches. GDPR also requires organizations to put security measures in place under the supervision of a Data Protection Officer (DPO).
Key Differences Between Saudi Arabia’s PDPL and GDPR
Gatekeeping Records
GDPR requires enterprises to register with the European Data Protection Board (EDPB) but to maintain their processing records themselves. PDPL, by contrast, requires not only registration with the Saudi Authority for Data and Artificial Intelligence (SDAIA) but also that companies upload all records to SDAIA's portal.
Notification to Authority
In the event of a breach, enterprises subject to GDPR must notify the authority within 72 hours of discovering it. PDPL specifies no time limit or deadline after a breach is discovered. In practice this could mean anything from immediate notification to notification long after the fact.
Fines & Penalties
PDPL penalizes non-compliant organizations with fines of $1.3 million. Leaking subjects' personal data for revenge or commercial gain carries a further penalty of $800,000. Repeat offences double the fine.
Non-compliance with GDPR principles, on the other hand, leads to one of two tiers of fines depending on the seriousness of the infringement:
- the higher of $10 million or 2% of the previous year's annual revenue
- the higher of $20 million or 4% of the previous year's annual revenue
Registration Certificate and Representatives
GDPR requires non-EU companies subject to it to appoint a representative resident in the EU. Companies outside the KSA that are subject to PDPL do not need a KSA-resident representative, but they must hold a license approved by the Saudi Authority for Data and Artificial Intelligence (SDAIA).
Ambiguity of Non-Personal Data Use
Non-personal data such as audience preferences and dislikes can be useful to enterprises in many ways. GDPR allows enterprises to use such non-personal data for their business interests; PDPL permits it on paper, but its guidelines are ambiguous about how businesses may actually use it.
Consent from Data Subjects
Personal data and recent online activity feed the algorithms that target consumers (data subjects) with marketing and promotions. GDPR allows organizations to send promotional material without explicit consent when a subject's recent activity suggests interest in the product being promoted. PDPL, by contrast, requires organizations to obtain the data subject's permission first.
Approval for Data Transfer
Under GDPR, EU residents' personal data can be transferred to foreign GDPR-compliant companies with little friction. PDPL, however, imposes a strict procedure on transfers of residents' personal data: each transfer application must be approved by the Saudi Authority for Data and Artificial Intelligence (SDAIA), which generally grants approval only on a limited basis.
Similarities Between Saudi Arabia’s PDPL and GDPR
Rights to Data Subjects
Since both GDPR and PDPL exist to safeguard individuals' data, both grant individuals rights over their personal data: to access it, to have it corrected, and even to have it deleted. Subjects must also be informed about how their data will be used.
Principles for Data Protection
GDPR sets out seven data protection principles, PDPL eleven. Despite the difference in count, seven principles are shared, relating mostly to the retention, confidentiality, accuracy, accountability, and transparency of the data held.
Policies for Security
Both GDPR and PDPL require entities to inform subjects of their rights through comprehensive guidance. Subjects must also be made aware of how their data will be processed and what the consequences of that processing could be.
Motive & Legality
The primary motive of both GDPR and PDPL is to safeguard data, and thereby data subjects, from threats and their consequences. Both also require that once data has been acquired, any further use has the subject's consent and a lawful basis.
Final Verdict
When it comes to personal data protection, PDPL and GDPR rank among the world's most recognized regulations. Although they are similar in structure, PDPL is somewhat more rigid, as it routes permissions through its central authority. Some PDPL clauses are also ambiguous, whereas GDPR is more precise.
For businesses, then, GDPR is the more practical regulation to comply with: it builds credibility without lengthy procedures and waiting times. PDPL is comparatively better for data subjects, since it vets enterprises before any data is handed over.