Overview of the PDPL

Saudi Arabia has introduced a new Personal Data Protection Law (PDPL) to strengthen the privacy and protection of personal data within the kingdom. The primary objective of the law is to safeguard the personal data of individuals and to establish rules for how organizations process, disclose, and store that data.

Initially, the Saudi Data and Artificial Intelligence Authority (SDAIA) was responsible for administering the law; oversight may shift to the National Data Management Office (NDMO) in the future.

The PDPL aligns with Saudi Vision 2030, which focuses on modernizing the kingdom's digital infrastructure and fostering a robust digital economy. The law addresses the key aspects of personal data protection: principles for processing, the rights of individuals, the obligations of organizations, and the penalties for non-compliance.

Applicability of the PDPL in Saudi Arabia

The PDPL applies to a wide range of entities, depending on where and how personal data is processed.

1.   Material Scope:

The law covers the processing of personal and sensitive data of individuals within Saudi Arabia. It does not apply to personal data processed for non-business (personal or family) purposes.

2.   Territorial Scope:

The law applies to both public and private entities that handle personal data within Saudi Arabia. It also applies to foreign organizations that process the personal data of residents of the kingdom.

Penalties for Non-compliance of PDPL

Failure to comply with the law can result in significant penalties.

  • Unauthorized transfers of personal data outside the kingdom can lead to imprisonment of up to one year and/or a fine of SAR 1 million (approximately USD 267,000).
  • Unauthorized disclosure of sensitive data can lead to imprisonment of up to two years and/or a fine of SAR 3 million.
  • SDAIA can also impose fines of up to SAR 5 million for other violations of the PDPL.

PDPL Compliance Requirements

To comply with the law, organizations need to meet a number of requirements.

1. The Requirements of Consent:

Organizations must obtain explicit consent from individuals before processing their personal data, except in the specific circumstances set out in SDAIA's Implementing Regulations. Consent must be obtained separately for each distinct purpose of processing, and individuals have the right to withdraw their consent at any time.

Services may be made conditional on consent only within these consent requirements. The exceptions to consent include: processing that benefits the data subject where contacting them is impractical; legal obligations; public security or judicial purposes; scientific, research, or statistical purposes that comply with the law; and processing necessary for legitimate interests. These exceptions do not apply to sensitive personal data.

2. The Creation of Privacy Policy:

The organization must create and maintain a clear privacy policy that is accessible to individuals before their data is collected. The policy should explain the purpose of collection, the types of data collected, how the data will be stored, processed, and destroyed, and the rights of data subjects and how they can exercise them.

When personal data is collected directly from the individual, the organization must inform them of the legal basis and purpose of the collection (and whether providing the data is mandatory or optional), the identity of the collector (unless withheld for security reasons), the entities that will receive the data, and any other relevant details that depend on the organization's activities.

3. Essential Security Standards:

The law also emphasizes the implementation of the organizational, administrative, and technical measures necessary to protect personal data, especially during transfers. Compliance with SDAIA's Implementing Regulations and Personal Data Transfer Regulations is crucial here.

4. Data Breach Disclosure Guidelines:

If a personal data breach occurs, the organization must notify the supervisory authority within 72 hours of detecting it. If the breach poses a significant risk to the affected data or individuals, immediate notification is required. The controller is also responsible for providing the contact details of the data protection officer for inquiries about the compromised data.

5. Appointment of a Protection Officer:

Organizations must appoint a data protection officer responsible for overseeing the implementation of data protection measures. The Implementing Regulations set out the criteria for these appointments and the specific responsibilities of the protection officer.

6. Impact Assessments for Protection:

Organizations must evaluate the risks associated with their processing of personal data, particularly for products or services offered to the public. The Implementing Regulations set out the minimum requirements for conducting data protection impact assessments.

7. Processing Activity Records:

Entities must maintain records of their processing activities for five years after the processing period ends. The record must contain:

  • The contract details
  • The purposes of the processing
  • The categories of data subjects
  • The recipients of personal data disclosures
  • Any details of international transfers or disclosures
  • The expected retention period for the personal data

8. Third-Party Vendor Evaluation:

Organizations must select processors carefully, choosing only those that can ensure compliance with the regulations. Regular verification that processors follow the organization's data protection instructions is also required.

9. Cross-Border Transfer Conditions:

Personal data may be transferred out of Saudi Arabia only if the destination country has adequate protection measures in place. SDAIA evaluates countries, companies, and sectors under the Personal Data Transfer Regulations, considering factors such as the presence of a supervisory authority, protective laws, and accessible channels for data subject complaints. Previously, cross-border transfers were restricted to special cases such as protecting a subject's vital interests, and each transfer needed individual approval by SDAIA after a case-by-case review.

10. Registration in the National Register of Controllers:

SDAIA is also expected to issue guidelines for registration in the national register of controllers. These guidelines will set out which controllers must register, as specified in the Implementing Regulations.

Rights of Data Subjects Under the PDPL

The law grants data subjects several key rights. Organizations must inform their users of these rights and facilitate their exercise within 30 days. The rights are listed below.

  • The Right to Know:

Data subjects are entitled to understand the legal or practical basis on which their personal data is processed.

  • The Right to Access:

Individuals have the right to access their personal data and to receive a copy of it free of charge.

  • The Right to Correction:

Individuals may request correction of their personal data if it is inaccurate or incomplete.

  • The Right to Destruction:

Individuals may also request the deletion of their personal data.

Roadmap for PDPL Compliance

Companies should follow these guidelines to ensure their compliance with the PDPL.

1.   Understanding of the requirements:

Familiarize yourself with the scope and obligations of the law; it applies to every entity that handles the personal data of residents of Saudi Arabia.

2.   Obtain Consent and Provide Privacy Policies:

Secure explicit consent before processing personal data and clearly inform individuals how their data will be used.

3.   Reporting of Any Breaches:

Notify the authorities and the affected individuals in the event of a data breach or unauthorized access.

4.   Adhere to Processing Principles:

Follow the principles of data accuracy, security, and individual consent, especially for sensitive data.

5.   Respect Subjects' Rights:

Ensure that individuals can exercise their rights of access, correction, deletion, and transfer of their personal data.

6.   Maintain Processing Records:

Keep detailed records of processing activities, including purposes and retention periods.

7.   Conduct Privacy Risk Assessments:

Assess the privacy risks associated with personal data for all products and services.

8.   Implement Protection Safeguards:

Protect personal data from unauthorized access and comply with the breach notification requirements.

9.   Regulate The Transfers:

Ensure that transfers meet the PDPL's standards, which include obtaining consent and minimizing the data transferred.

10.   Stay Informed and Use Technology Aids:

Keep up with changes to the law and use technology to secure personal data and maintain ongoing compliance.

What are the Best Practices for PDPL?

To comply with the PDPL effectively, companies should follow these best practices:

  • Accountability:

Assign responsibility for upholding privacy policies and procedures to the head of the entity or a designated person.

  • Transparency:

Provide a clear and comprehensive privacy notice that explains the full purpose of collecting personal data.

  • Choice and Consent:

Obtain explicit consent before collecting, using, or disclosing any personal data.

  • Minimization:

Limit the collection of personal data to what is necessary to achieve the intended purpose.

  • Purposeful Use, Retention, and Destruction:

Use, retain, and destroy personal data only for the specified purposes and in accordance with the relevant laws.

  • Give Them Access:

Allow data subjects to review, update, and correct their personal data.

  • Disclosure Limitations:

Disclose personal data only for the purposes set out in the privacy notice and authorized by the data subject.

  • Security:

Implement robust security measures to protect personal data from damage, theft, misuse, leakage, loss, or unauthorised access.

  • Quality:

Verify and maintain the accuracy and timeliness of personal data on a regular basis.

  • Monitoring and Compliance:

Continuously oversee privacy policies and address disputes and related issues as they arise.

By adhering to these practices, companies can meet the requirements of the PDPL and effectively protect the privacy and security of personal data.
