What is Saudi Arabia’s PDPL (Personal Data Protection Law)
Recognizing the increasing threat of cyberattacks, Saudi Arabia developed a data protection law in 2021. The Personal Data Protection Law (PDPL) is the Kingdom’s first data protection law designed to maintain data security and consumer privacy. PDPL was published in the Official Gazette on September 24, 2021, and went into force on September 14, 2023.

The Saudi Data & Artificial Intelligence Authority (SDAIA) was selected for PDPL’s initial execution and enforcement for the first two years, after which the National Data Management Office (NDMO) will serve as the supervisory authority.
Let us take a closer look at PDPL, including who must comply with it and the concepts and benefits it provides to organizations and individuals.
What is PDPL?
The PDPL is a data protection law that seeks to protect individuals’ data and prohibits the abusive or illegal use of private data. It secures the organization’s data and oversees data sharing.
The law was passed by royal decree in September 2021, and SDAIA amended and revised it on March 23, 2023, with effect on September 14, 2023. Compliance enforcement will begin one year later, on September 13, 2024.
Who has to comply with Saudi Arabia’s Personal Data Protection Law?
According to Article 2, the PDPL applies to the following:
- Any entity processing Saudi citizens’ data must comply with the Personal Data Protection Law.
- Both private and public organizations that come under the umbrella of Saudi citizens’ service providers.
- Any foreign organization that processes the personal data of Saudi nationals.
PDPL also safeguards the data of the deceased, especially when its disclosure could lead to the identification of the deceased or family members. However, processing personal data for domestic purposes is exempt from the PDPL, provided that the data subject has not published or disclosed it to others.
Principles covered by Personal Data Protection Law
PDPL has various aspects that other international data protection standards also include. Let’s look at its principles, which will aid any Saudi individual with data protection.
- Data subjects’ rights: According to the PDPL, people have many rights over the data that is processed, including:
  - Right of access: Individuals have the right to inquire about the personal information processed about them.
  - Right to rectification: Individuals can correct inaccurate or incomplete personal information.
  - Right to erasure: Individuals can request deletion of their personal information under certain conditions.
  - Right to object: People can object when their personal data is processed for specific purposes, such as direct marketing.
- Purpose limitations and data minimization: Data managers are required to gather personal data for specific and stated goals. Data collection must be done for the intended purpose. Moreover, personal data must be adequate, pertinent, and limited to the specified reason.
- Registration: Controllers of personal data must register on an electronic portal to keep a national record of their purposes and processing methods. Executive regulations, to be issued in due course, will determine the annual registration fee.
- Controller’s obligation: Controllers must verify that personal data is accurate, complete, and relevant before processing it, retain a record of processing for the duration provided by executive regulations, and ensure staff expertise and data protection principles. Controllers must keep complete records of all data processing activities to ensure accountability and transparency.
- Consent: Controllers require the data subject’s consent before processing their data or changing the initial aim of processing. Individuals may revoke their consent at any time. Businesses must not make consent a condition of supplying goods and services.
- Non-consent-based processing: The PDPL clarifies that data processing does not necessarily require the data subject’s consent, despite procedures for withdrawing consent. Consent is not required if there is a clear benefit and contacting the data subject is impossible or impractical, if the processing is required by law or agreement, or if the controller is an official body and the processing is required for security or legal reasons.
- Privacy policy: Controllers must provide data subjects with a privacy policy before collecting their personal data. The PDPL specifies the minimal information required in privacy policies, even when personal data is collected directly from the subject.
- Marketing: Personal data usage for marketing is not allowed without the recipient’s consent or through opt-out options.
- Breach notification: Notify the supervising authority of any data breaches, leakages, or unauthorized access to personal data. Report incidents that cause material harm to data subjects.
The importance of Saudi Arabia’s Personal Data Protection Law

The following are a few of the ways the PDPL positively affects the nation:
- Conformity to global norms: The PDPL has helped Saudi Arabia better comply with international data protection rules, particularly the European Union’s General Data Protection Regulation (GDPR).
- Promoting the digital economy: Saudi Arabia’s Vision 2030 emphasizes the importance of digital transformation in diversifying the economy and instilling trust in digital firms and consumers.
- Citizens’ rights protection: For digital services to prosper, users must believe that their data is secure. The PDPL demonstrates Saudi Arabia’s commitment to protecting its citizens’ rights and privacy by giving them control over their personal data.
- Interest of foreign investors: A strong data protection system can make Saudi Arabia more appealing to overseas investors, particularly technology firms that manage large volumes of personal data.
- Meeting current challenges: With the rise of big data, AI, and advanced analytics, the risk of personal data misuse has increased. The PDPL is a proactive step by Saudi Arabia to handle these modern concerns as technology advances and to preserve individuals’ rights.
- Cultural and social factors: The PDPL is more than just a carbon copy of international law. It is tailored to Saudi Arabia’s unique cultural and societal context, and it aligns with the Saudi people’s values and perspectives.
Automate Personal Data Protection Law for streamlined compliance
PDPL has complex compliance requirements, and failing to meet them can damage the organization’s reputation and result in penalties. Such incidents can cause heavy losses. Automate PDPL for streamlined compliance.
Compliance automation platforms like CyberArrow can help you in this regard. Manual compliance processes require significant time and effort. Professional services cost a significant amount of money as well. CyberArrow GRC reduces time spent on GRC initiatives by automating evidence monitoring and risk management.
You can receive instant alerts for unauthorized access, allowing for a quick response in conformity with PDPL standards. You can also generate automated reports for regulatory compliance that demonstrate your organization’s dedication to PDPL standards.
If you are a business owner and want to automate compliance with PDPL, choose CyberArrow.
Schedule a free demo to get started on your PDPL compliance journey!
FAQs
What is PDPL?
It’s the first Saudi data protection law that aims to protect the personal data of individuals and public and private organizations.
What is the penalty for PDPL in Saudi Arabia?
Disclosing or publishing sensitive material by violating PDPL may lead to a prison sentence of up to two years or a monetary penalty of up to SAR 3,000,000. Breaches of provisions related to data transmission could result in imprisonment for a maximum of one year and a fine of SAR 1,000,000.
Additional penalties specified in the PDPL encompass the issuance of a warning letter or a fine reaching up to SAR 5,000,000. In cases of repeated violations, fines may be increased to double the maximum amount, and affected parties retain the right to seek compensation.
What is the GDPR equivalent in Saudi Arabia?
The Personal Data Protection Law (PDPL) is Saudi Arabia’s first data protection law. It was published in September 2021.
