Today (14th September 2023), Saudi Arabia’s first ever data protection law comes into force. Organisations doing business in the Middle East need to carefully consider the impact of the new law on their personal data processing activities. They have until 13th September 2024 to prepare and become fully compliant.
The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which has published the regulations described below. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.
Following a consultation period, we also now have the final versions of the Implementing Regulations and the Personal Data Transfer Regulations; both expand on the general principles and obligations outlined in the PDPL (as amended in March 2023) and introduce new compliance requirements for data controllers.
Summary of the new law: https://actnowtraining.blog/2022/01/10/the-new-saudi-arabian-federal-data-protection-law/
Summary of the Regulations: https://actnowtraining.blog/2023/07/26/data-protection-law-in-saudi-arabia-implementing-regulation-published/
13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so could lead to enforcement action and also reputational damage. The following should be part of an action plan for compliance:
- Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.
- Training staff at all levels to understand PDPL and how it will impact their role.
- Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
- Reviewing how records management and information risk is addressed within the organisation.
- Drafting Privacy Notices to ensure they set out the minimum information that should be included.
- Reviewing information security policies and procedures in the light of the new, more stringent security obligations, particularly breach notification.
- Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
- Appointing and training a Data Protection Officer.
Act Now in Saudi Arabia
Act Now Training can help your business prepare for the new law.
We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We have experience in helping organisations in territories where a new law of this type has been implemented.
Now is the time to train your staff in the new law. Through our KSA privacy programme, we offer comprehensive and cost-effective training, from one-hour awareness-raising webinars to comprehensive full-day workshops and DPO certificate courses.
To help deliver this and other courses, Suzanne Ballabás, an experienced Middle East-based data protection specialist, recently joined our team of associates. We can deliver online or face-to-face training. All of our training starts with a FREE analysis call to ensure you have the right level and most appropriate content for your organisation’s needs. Please get in touch to discuss your training or consultancy needs.