Privacy Law in the Kingdom of Saudi Arabia

In September 2021, the Personal Data Protection Law (PDPL) was published by the KSA Official Gazette. However, enforcement was delayed until March 2023 and recent amendments have been published, which will be the focus of this post.

The Personal Data Protection Law (PDPL)

The PDPL introduced a number of requirements for businesses operating in the Kingdom handling personal data and established data subject rights to individuals. The law also applies to entities outside the Kingdom who process personal data of individuals resident in Saudi Arabia in any way.

As with similar legislation, the law requires businesses to establish consent for data processing, which must also align with a permitted legal basis. Data controllers are required to maintain records of personal data processing. Further, businesses must complete impact assessments to identify data protection risks, publish a privacy notice and report breaches to the regulatory authority, the Saudi Data and Artificial Intelligence Authority (SDAIA).

Individuals are granted rights of access, to request corrections and to have their data destroyed. They are also permitted to withdraw consent at any time, as well as raise complaints with the regulator.

The Latest Changes to the PDPL

In March this year, several amendments to the PDPL were approved, including:

  • Definitions — “sensitive data” under the law has been restricted, removing credit data and location data from scope. The “personal data owner” is limited to the individual to whom the data relates, and no longer includes legal representatives or guardians.
  • Processing — “legitimate interest” has been added as a permitted legal basis for data processing, but not for sensitive personal data. Some types of processing require explicit consent to perform.
  • Data transfer — rules for international data transfers have been weakened so they are now permitted if they meet specific criteria, and where there is a defined purpose.
  • Subject data rights — individuals have the right to data portability under the amendments in addition to those granted in the original law.
  • Enforcement action — retained from the original PDPL, unlawful disclosure of sensitive personal data could result in imprisonment for up to 2 years. However, the amendments remove custodial penalties for breach of data transfer rules. Monetary fines for violations have been increased to up to 5 million SAR and new provisions allow fines to be doubled for repeat offenses.

These changes have further delayed the enforcement of the law, which will now come into force from September 14, 2023.

How to Comply With the PDPL

For organizations looking to prepare for the updated PDPL, understanding their data is the best place to start.

Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to residents of Saudi Arabia.

Ground Labs’ Enterprise Recon simplifies this process by automating the discovery process and focusing on specific targets based on over 300 pre-packaged data types from over 50 countries, as well as supporting custom data patterns.

To find out how Enterprise Recon can support your PDPL compliance journey, book a demo with one of our experts today.

Want to keep up with all our blog posts? Subscribe to our newsletter!