Saudi Arabia’s New Data Protection Law Comes into Force on Saturday

Saudi Arabia’s first-ever comprehensive Personal Data Protection Law (PDPL) comes into force this Saturday (14th September 2024). The new law regulates the collection, handling, disclosure and use of personal data. The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, has now finalised the following documents after a period of consultation:

Guidelines for Binding Common Rules: These guidelines aim to specify the obligations of the parties involved in the transfer when personal data is transferred or disclosed to a country or international organisation that does not have an adequate level of protection for personal data. 

Standard Contractual Clauses (SCCs) for Personal Data Transfer: These clauses are one of the appropriate safeguards that Controllers and Processors may use in addition to the Binding Common Rules (BCR) and accreditation certificates from a body licensed by the Competent Authority. 

There are other useful guidelines on the SDAIA website, including on personal data destruction, anonymisation and pseudonymisation as well as data processing activities records.

Training for the Data Protection Officer 

The draft rules for the appointment of a DPO have also been finalised. Article 5 of the rules states that the following Data Controllers need to appoint a DPO: 

  • A Public Entity that provides services involving processing of personal data on a large scale 
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects 
  • A Controller whose core activities are based on processing of sensitive personal data. 

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward, especially in the initial phases of implementing the new law.

The rules place great importance on training for and by the DPO. Article 9(6) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.” 

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is: 

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.” 

Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one-hour awareness-raising webinars to comprehensive full-day workshops and DPO certificate courses.

Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
