Saudi Arabia’s New Data Protection Law Comes into Force on Saturday

Saudi Arabia’s first ever comprehensive Personal Data Protection Law (PDPL) comes into force this Saturday (14th September 2024). The new law regulates the collection, handling, disclosure and use of personal data. The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, has now finalised the following documents after a period of consultation:

Guidelines for Binding Common Rules: These guidelines aim to specify the obligations of the parties involved in the transfer when personal data is transferred or disclosed to a country or international organisation that does not have an adequate level of protection for personal data. 

Standard Contractual Clauses (SCCs) for Personal Data Transfer: These clauses are one of the appropriate safeguards that Controllers and Processors may use in addition to the Binding Common Rules (BCR) and accreditation certificates from a body licensed by the Competent Authority. 

There are other useful guidelines on the SDAIA website, including on personal data destruction, anonymisation and pseudonymisation, as well as on records of data processing activities.

Training for the Data Protection Officer 

The draft rules for the appointment of a DPO have also been finalised. Article 5 of the rules states that the following Data Controllers need to appoint a DPO: 

  • A Public Entity that provides services involving processing of personal data on a large scale 
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects 
  • A Controller whose core activities are based on processing of sensitive personal data. 

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law. 

The rules place great importance on training for and by the DPO. Article 9(6) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.” 

This has to be read alongside Article 4 and Article 8 of the rules. The latter states that one of the roles of the DPO is:

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.” 

Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one hour awareness-raising webinars to full day workshops and DPO certificate courses.

New Dates for KSA Data Protection Officer Certificate Course

Act Now is pleased to announce new public dates for the KSA Data Protection Officer Certificate. This is a unique course curated by data protection experts designed to train individuals to fulfil the role of data protection officer under Saudi Arabia’s new Data Protection law. The new law becomes fully enforceable on 14th September 2024.

The Personal Data Protection Law (PDPL) regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains a requirement for some Data Controllers to appoint a Data Protection Officer (DPO). On 8th July 2024 the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, published draft rules for the appointment of a DPO under the PDPL.

Article 5 of the draft rules states the following Data Controllers need to appoint a DPO:

  • A Public Entity that provides services involving processing of personal data on a large scale
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects
  • A Controller whose core activities are based on processing of sensitive personal data.

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward, especially in the initial phases of implementing the new law. The draft rules place great importance on training for and by the DPO. Article 9(4) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.”

This has to be read alongside Article 4 and Article 8 of the draft rules. The latter states that one of the roles of the DPO is:

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.”

Organisations doing business in the Middle East need to carefully consider the impact of the new rules. Thought must be given to the appointment and training of a suitably qualified DPO. Through our KSA Data Protection Officer Certificate, Act Now Training offers comprehensive and cost-effective training for the DPO, enabling them to be ready to implement the new law.

This course has previously been offered as an in-house course with a minimum of 8 delegates. Our new public courses will allow organisations to train any number of employees, making it easier for them to start their compliance journey.

KSA DPO Appointment Rules Published

Saudi Arabia’s first ever data protection law becomes fully enforceable on 14th September 2024. The Personal Data Protection Law (PDPL) regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains a requirement for some Data Controllers to appoint a Data Protection Officer (DPO). On 8th July 2024 the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, published draft rules for the appointment of a DPO under the PDPL.

Who needs to appoint a DPO?

Article 5 of the draft rules states the following Data Controllers need to appoint a DPO:

  • A Public Entity that provides services involving processing of personal data on a large scale
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects
  • A Controller whose core activities are based on processing of sensitive personal data.

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law.

What skills does a DPO require?

Article 4 states that, when appointing a DPO, a Controller must ensure that the following requirements are met:

  • Having appropriate academic qualifications and experience in the field of Personal Data protection
  • Having sufficient knowledge of the Controller’s business and activities that involve processing of Personal Data
  • Having sufficient knowledge of Personal Data breach risks
  • Having sufficient knowledge of regulatory measures for Personal Data protection and other relevant organisational measures for performing DPO tasks.
  • Honesty and integrity, and not having been convicted of any offence involving dishonesty or breach of trust.

Who can be a DPO?

The DPO may be an executive or employee of the Controller, or an external contractor. They must be appointed in writing and publicised within the Controller’s organisation. Their contact details must be published in the Controller’s Privacy Notice.

Article 7 of the draft rules requires the Controller to immediately provide the regulator with the contact details of the DPO upon their appointment, through the National Data Governance Platform. Interestingly, the regulator has the power to request replacement of a DPO if it is found that he/she is not competent.

Role and Tasks

The DPO shall be responsible for the following tasks set out in Article 8:

  1. Providing support and advice regarding all aspects of Personal Data protection, including contributing to developing policies and internal procedures related to Personal Data protection at the Controller.
  2. Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.
  3. Contributing to reviewing plans of response to Personal Data Breach incidents, and ensuring that such plans are adequate and effective.
  4. Preparing periodic reports regarding Controller activities related to processing of Personal Data, and providing recommendations to ensure compliance with provisions of the Law and its Regulations.
  5. Maintaining the confidentiality of Personal Data and its level of sensitivity, based on its classification and relevant regulatory requirements, to determine the adequate level of protection and processing mechanism.
  6. Monitoring the Competent Authority’s issued laws, regulations and instructions and the equivalent, implementing any amendments thereto and informing the relevant departments of the same to ensure compliance therewith.
  7. Collaborating with individuals responsible for implementing activities related to AI ethics to ensure that the requirements of Personal Data protection and Data Subjects’ privacy are met.

Training for the DPO

The draft rules place great importance on training for and by the DPO. Article 9(4) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.”

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is:

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.”

Organisations doing business in the Middle East need to carefully consider the impact of the new rules. Thought must be given to the appointment and training of a suitably qualified DPO. Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one hour awareness-raising webinars to full day workshops and DPO certificate courses.

Act Now in Dubai: Season 2 

On the 2nd and 3rd October 2023, the UAE held the first ever privacy and data protection law conference; a unique event organised by the Dubai International Financial Centre (DIFC) and data protection practitioners in the Middle East. The conference brought together data protection and security compliance professionals from across the world to discuss the latest developments in the Middle East data protection framework.

Data Protection law in the Middle East has seen some rapid developments recently. The UAE has enacted its first federal law to comprehensively regulate the processing of personal data in all seven emirates. Once in force (expected to be early next year) this will sit alongside the current data protection laws regulating businesses in the various UAE financial districts, such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. Jordan, Oman, Bahrain and Qatar also have comprehensive data protection laws. Currently what is causing most excitement in the Middle East data protection community is Saudi Arabia’s Personal Data Protection Law (PDPL), which came into force on 14th September 2023.

The conference agenda covered various topics including the interoperability of data protection laws in the GCC, unlocking data flows in the region, smart cities, the use of facial recognition and data localisation. The focus of day 2 was on AI and machine learning. There were some great panels on this topic discussing AI standards, transparency and the need for regulation.   

Speakers included the UAE Minister for AI, His Excellency Omar Sultan Al Olama, as well as leading data protection lawyers and practitioners from around the world. Elisabeth Denham, former UK Information Commissioner, also addressed the delegates alongside data protection regulators from across the region. Act Now’s director, Ibrahim Hasan, was invited to take part in a panel discussion to share his experience of GDPR litigation and enforcement action in the UK and EU and what lessons can be drawn for the Middle East. 

Alongside Ibrahim, the Act Now team were at the conference to answer delegates’ questions about our UAE and KSA training programmes. Act Now has delivered training extensively in the Middle East to a wide range of delegates, including representatives of the telecommunications, legal and technology sectors. We were pleased to see that there was a lot of interest in our courses, especially our DPO certificates.

Following the conference, Ibrahim was invited to deliver a guest lecture to law students at Middlesex University Dubai. This is the biggest university in Dubai with over 4500 students from over 118 countries. Ibrahim talked about the importance of Data Protection law and job opportunities in the information governance profession. He was pleasantly surprised by the students’ interest in the subject and their willingness to consider IG as an alternative career path. A fantastic end to a successful trip. Our thanks to the conference organisers, particularly Lori Baker at the DIFC Commissioner’s Office, and our friends at Middlesex University Dubai for inviting us to address the students.  

Now is the time to train your staff in the new data protection laws in the Middle East. We can deliver online as well as face to face training. All of our training starts with a free analysis call to ensure you have the right level and most appropriate content for your organisation’s needs. Please get in touch to discuss your training or consultancy needs.  

Data Protection Law in Saudi Arabia: Implementing Regulation Published  

On 11th July 2023, the much-anticipated Implementing Regulation for Saudi Arabia’s first ever data protection law was published in draft form for public consultation. The regulation is the final step towards the implementation of the new law, which will now officially come into force on 14th September 2023. Organisations will have until 13th September 2024 to become fully compliant. At the same time, the draft regulation on the transfer of personal data outside Saudi Arabia was published. With a very short deadline for comments (31st July 2023), those organisations doing business in the Middle East need to carefully consider the impact of the new law on their personal data processing activities.

Background

The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) which has published the aforementioned regulations. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.  

Key Points to Note

The Implementing Regulation and the Data Transfer Regulation provide further guidance and clarity regarding the application of the new law.  

As under the GDPR, Data Controllers in Saudi Arabia may now rely on “legitimate interests” as a lawful basis to process personal data; this does not apply to sensitive personal data, or to processing that contravenes the rights granted under PDPL and its regulations. The Implementing Regulation states that, before processing personal data for legitimate interests, a Data Controller must conduct an assessment of the proposed processing and its impact on the rights and interests of the Data Subject. No doubt guidance on this assessment will follow, but for now the UK Information Commissioner’s website is a good starting point.

The Implementing Regulation also fleshes out the detail of the various Data Subject rights under PDPL including access, correction and destruction. More detail is also provided about consent as a lawful basis of processing and when it can be withdrawn. The obligations of a Data Controller when appointing a Data Processor are also addressed in detail. 

The Implementing Regulation introduces some new elements into PDPL, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority (SDAIA) will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors.

Certain areas of the new law still require clarity. For example, according to Article 34 of the Implementing Regulation, the Competent Authority (SDAIA) is expected to issue additional rules, including the circumstances under which a Data Protection Officer shall be appointed. Just like under the GDPR, PDPL permits data transfers outside of Saudi Arabia in certain circumstances and subject to various conditions, including to countries that have an appropriate level of protection for personal data, which shall not be less than the level of protection established by PDPL. The Data Transfer Regulation covers, amongst other things, adequate countries and situations where, absent any adequacy decision, personal data may still be transferred outside of Saudi Arabia.

The Implementing Regulation is the final step towards the implementation of the new law. 13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  1. Training the organisation’s management team to understand the importance of PDPL, its main provisions and the changes required to systems and processes.
  2. Training staff at all levels to understand PDPL and how it will impact on their role.
  3. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  4. Reviewing how records management and information risk are addressed within the organisation.
  5. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  6. Reviewing information security policies and procedures in the light of the new, more stringent security obligations, particularly breach notification.
  7. Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
  8. Appointing and training a Data Protection Officer.

The UAE Federal Law

In November 2021, the United Arab Emirates enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data was published by the Cabinet Office on 27th November 2021, but regulations are required before it can come into force. Whilst the two legal regimes are different, the UAE is likely to follow Saudi Arabia’s lead and publish its detailed Executive Regulations very soon.

Act Now in the Middle East  

Act Now Training can help your business prepare for PDPL and the UAE federal law. We have delivered training extensively in the Middle East to a wide range of delegates, including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. To help deliver this and other courses, Suzanne Ballabás, an experienced Dubai based data protection specialist, recently joined our team of associates. We can also deliver customised in-house training, both remotely and face to face. Please get in touch to discuss your training or consultancy needs.