Saudi Arabia’s New Data Protection Law Comes into Force on Saturday

Saudi Arabia’s first ever comprehensive Personal Data Protection Law (PDPL) comes into force this Saturday (14th September 2024). The new law regulates the collection, handling, disclosure and use of personal data. The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, has now finalised the following documents after a period of consultation:

Guidelines for Binding Common Rules: These guidelines aim to specify the obligations of the parties involved in the transfer when personal data is transferred or disclosed to a country or international organisation that does not have an adequate level of protection for personal data. 

Standard Contractual Clauses (SCCs) for Personal Data Transfer: These clauses are one of the appropriate safeguards that Controllers and Processors may use in addition to the Binding Common Rules (BCR) and accreditation certificates from a body licensed by the Competent Authority. 

There are other useful guidelines on the SDAIA website including on personal data destruction, anonymization and pseudonymisation as well as data processing activities records. 

Training for the Data Protection Officer 

The draft rules for the appointment of a DPO have also been finalised. Article 5 of the rules states that the following Data Controllers need to appoint a DPO: 

  • A Public Entity that provides services involving processing of personal data on a large scale 
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects 
  • A Controller whose core activities are based on processing of sensitive personal data. 

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law. 

The rules place great importance on training for and by the DPO. Article 9(6) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.” 

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is: 

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.” 

Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.

International Transfers under Saudi Arabia’s New Data Protection Law

Saudi Arabia’s Personal Data Protection Law (PDPL) comes into force on 14th September 2024 and regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains strict rules about when personal data can be transferred outside the jurisdiction. 

Article 29 of PDPL states that when transferring personal data outside Saudi Arabia, Data Controllers must ensure that that the receiving country or international organisation has an appropriate level of personal data protection. The Regulation on the Transfer of Personal Data Outside the Kingdom (Transfer Regulation) provides more detail about the rules to be followed upon transfer. Two of the circumstances where personal data transfers are allowed outside the Kingdom is when Standard Contractual Clauses are used and where personal data is transferred among a group of multinational entities, provided that the Data Controller and its entities abide by Binding Common Rules (BCRs).

The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, recently released the draft Standard Contractual Clauses (SCCs) for Personal Data Transfer and Guidelines for Binding Common Rules. Both are open for comment for the next 8 days. In July SDAIA also published draft rules for the appointment of a DPO under the PDPL.

SCCs and BCRs are vital safeguards, defining the obligations of Data Controllers and Data Processors involved in cross-border data transfers, thereby ensuring compliance and protecting personal data even beyond the Kingdom’s borders. Organisations doing business in the Middle East need to carefully consider the impact of the rules on international transfers under the PDPL. Thought must also be given to the appointment and training of a suitably qualified DPO. 

Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.


New Dates for KSA Data Protection Officer Certificate Course

Act Now is pleased to announce new public dates for the KSA Data Protection Officer Certificate. This is a unique course curated by data protection experts designed to train individuals to fulfil the role of data protection officer under Saudi Arabia’s new Data Protection law. The new law becomes fully enforceable on 14th September 2024.

The Personal Data Protection Law (PDPL) regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains a requirement for some Data Controllers to appoint a Data Protection Officer (DPO). On 8th July 2024 the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, published draft rules for the appointment of a DPO under the PDPL.

Article 5 of the draft rules states the following Data Controllers need to appoint a DPO:

  • A Public Entity that provides services involving processing of personal data on a large scale
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects
  • A Controller whose core activities are based on processing of sensitive personal data.

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law. The draft rules place great importance on training for and by the DPO. Article 9(4) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.”

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is:

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.”

Organisations doing business in the Middle East need to carefully consider the impact of the new rules. Thought must be given to the appointment and training of a suitably qualified DPO. Through our KSA Data Protection Officer Certificate, Act Now Training offers comprehensive and cost-effective training for the DPO, enabling them to be ready to implement the new law.

This course has previously been offered as an in-house course with a requirement of a minimum of 8 delegates. Our new public courses will allow organisations to train any number of employees, making it easier for them to start their compliance journey.

KSA DPO Appointment Rules Published

Saudi Arabia’s first ever data protection law becomes fully enforceable on 14th September 2024. The Personal Data Protection Law (PDPL) regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains a requirement for some Data Controllers to appoint a Data Protection Officer (DPO). On 8th July 2024 the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, published draft rules for the appointment of a DPO under the PDPL.

Who needs to appoint a DPO?

Article 5 of the draft rules states the following Data Controllers need to appoint a DPO:

  • A Public Entity that provides services involving processing of personal data on a large scale
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects
  • A Controller whose core activities are based on processing of sensitive personal data.

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law.

What skills does a DPO require?

Art 4 states that, when appointing a DPO, a Controller must ensure that the following requirements are met:

  • Having appropriate academic qualifications and experience in the field of Personal Data protection
  • Having sufficient knowledge of the Controller’s business and activities that involve processing of Personal Data
  • Having sufficient knowledge of Personal Data breach risks
  • Having sufficient knowledge of regulatory measures for Personal Data protection and other relevant organisational measures for performing DPO tasks.
  • Honesty and integrity, and not having been convicted of any offence involving dishonesty or breach of trust.

Who can be a DPO?

The DPO may be an executive, employee of the Controller or an external contractor. They must be appointed in writing and publicised within the Controller’s organisation. Their contact details must be published in the Controller’s Privacy Notice.

Article 7 of the draft rules requires the Controller to immediately provide the regulator with contact details of the DPO upon their appointment through the National Data Governance Platform. Interestingly, the regulator has the power to request replacement of a DPO if it is found that he/she is not competent.

Role and Task

The DPO shall be responsible for the following tasks set out in Article 8:

  1. Providing support and advice regarding all aspects of Personal Data protection, including contributing to developing policies and internal procedures related to Personal Data protection at the Controller.
  2. Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.
  3. Contributing to reviewing plans of response to Personal Data Breach incidents, and ensuring that such plans are adequate and effective.
  4. Preparing periodic reports regarding Controller activities related to processing of Personal Data, and providing recommendations to ensure compliance with provisions of the Law and its Regulations.
  5. Maintaining the confidentiality of Personal Data and its level of sensitivity, based on its classification and relevant regulatory requirements to determine the adequate level of protection and processing mechanism.
  6. Monitoring the Competent Authority’s issued laws, regulations and instructions and the equivalent, implementing any amendments thereto and informing the relevant departments of the same to ensure compliance therewith.
  7. Collaborating with individuals responsible for implementing activities related to AI ethics to ensure that the requirements of Personal Data protection and Data Subjects’ privacy are met.

Training for the DPO

The draft rules place great importance on training for and by the DPO. Article 9(4) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.”

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is:

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.”

Organisations doing business in the Middle East need to carefully consider the impact of the new rules. Thought must be given to the appointment and training of a suitably qualified DPO. Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.

Saudi Arabia’s First Ever DP Law Comes into Force 

Today (14th September 2023), Saudi Arabia’s first ever data protection law comes into force. Organisations doing business in the Middle East need to carefully consider the impact of the new law on their personal data processing activities. They have until 14th September 2024 to prepare and become fully compliant. 

Background 

The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which has published the regulations discussed below. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.

Following a consultation period, we also now have the final versions of the Implementing Regulations and the Personal Data Transfer Regulations; both expand on the general principles and obligations outlined in the PDPL (as amended in March 2023) and introduce new compliance requirements for data controllers. 

More Information  

Summary of the new law: https://actnowtraining.blog/2022/01/10/the-new-saudi-arabian-federal-data-protection-law/  

Summary of the Regulations: https://actnowtraining.blog/2023/07/26/data-protection-law-in-saudi-arabia-implementing-regulation-published/  

Action Plan 

13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so could lead to enforcement action and also reputational damage. The following should be part of an action plan for compliance: 

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.
  2. Training staff at all levels to understand PDPL and how it will impact their role.
  3. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  4. Reviewing how records management and information risk is addressed within the organisation.
  5. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  6. Reviewing information security policies and procedures in the light of the new more stringent security obligations, particularly breach notification.
  7. Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
  8. Appointing and training a Data Protection Officer.

Act Now in Saudi Arabia 

Act Now Training can help your business prepare for the new law. We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We have experience in helping organisations in territories where a new law of this type has been implemented.

Now is the time to train your staff in the new law. Through our KSA privacy programme, we offer comprehensive and cost-effective training from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.

To help deliver this and other courses, Suzanne Ballabás, an experienced Middle East-based data protection specialist, recently joined our team of associates. We can deliver online or face to face training. All of our training starts with a FREE analysis call to ensure you have the right level and most appropriate content for your organisation’s needs. Please get in touch to discuss your training or consultancy needs.


Saudi Arabian Data Protection Law Update 

In September 2021, Saudi Arabia announced its first ever data protection law. The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H approving Resolution No. 98 dated 7/2/1443H (14th September 2021). PDPL will regulate the collection, handling, disclosure and use of personal data and includes governance and transparency obligations. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA). 

PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments for public consultation. On 21st March 2023, some of these amendments were passed by the Saudi Council of Ministers. PDPL will now officially come into force on 14th September 2023 and organisations will have till 13th September 2024 to comply. Much of the detail of the new law will be set out in the Executive Regulations which we are still waiting for, although a draft version was issued last year. 

The amendments to PDPL introduce several concepts that will align the new law more closely to the EU General Data Protection Regulation (GDPR) and the UK GDPR. These include: 

  • New Ground for Processing: Like the GDPR, Data Controllers may now rely on “legitimate interests” as a lawful basis to process personal data; this does not apply to sensitive personal data, or processing that contravenes the rights granted under PDPL and its executive regulations.
  • Easier International Transfers: Like other data protection regimes, PDPL imposes limitations on the international transfer of personal data outside of the KSA. The strict prohibition on transfers outside Saudi Arabia has now been amended. Furthermore, transfers no longer require approval from SDAIA. Data Controllers will need a specific purpose to transfer data outside the Kingdom, and transfers appear to be limited to territories that SDAIA determines as having an appropriate level of protection for personal data, which will be further clarified once it issues evaluation criteria for this purpose. The pending executive regulations should set out exemptions from this condition.
  • Removal of Controller Registration Requirements: The original law required Data Controllers to register on an electronic portal that would form a national record. This provision has now been removed. However, SDAIA has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers.
  • Data Breach Notification Relaxed: Notifications of personal data breaches to SDAIA are no longer required “immediately.” However, controllers must now notify data subjects when a breach threatens personal data or contravenes the data subject’s rights or interests. The pending regulations are expected to provide additional specificity, such as particular dates for notifying data breaches and threshold requirements.
  • Criminal Offences Reduced: The penalties for breaching PDPL will be a warning or a fine of up to SAR 5,000,000 (USD 1,333,000) that may be doubled for repeat offences. Criminal sanctions for violating the PDPL’s data transfer restrictions have been removed. There now remains only one criminal offence in relation to the disclosure or publication of sensitive personal data in violation of the law.

Action Plan for Compliance 

Businesses established in Saudi Arabia, as well as those processing Saudi citizens’ personal data anywhere in the world, have sixteen months to prepare for PDPL. Considering that those covered by GDPR had four years, this is not a long time. Now is the time to put systems and processes in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.  

The following should be part of an action plan for compliance: 

  1. Raising awareness about PDPL at all levels. Our GDPR elearning course can be tailored for frontline staff.
  2. Carrying out a data audit and reviewing how records management and information risk is addressed.
  3. Reviewing information security policies and procedures in the light of the new more stringent security obligations, particularly breach notification.
  4. Revising privacy policies in the light of the more prescriptive transparency requirements.
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Appointing and training a Data Protection Officer.

The new KSA data protection law is an important development in Middle East privacy law alongside the passing of the new UAE Federal DP law.
These laws, being closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR, open up exciting job opportunities for UK and EU Data Protection professionals. A quick scan of job sites shows a growing number of prospects.

Act Now in the Middle East 

Act Now Training can help your business prepare for PDPL. We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. We can also deliver customised in house training both remotely and face to face.
Please get in touch to discuss your training or consultancy needs.  

Our new Intermediate Certificate in GDPR Practice includes a module on worldwide data protection laws. 

The New Saudi Arabian Federal Data Protection Law 

The Middle East is fast catching up with Europe when it comes to data protection law. The Kingdom of Saudi Arabia (KSA) has enacted its first comprehensive national data protection law to regulate the processing of personal data. This is an important development alongside the passing of the new UAE Federal DP law. It also opens up opportunities for UK and EU Data Protection professionals, especially as these new laws are closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

The KSA Personal Data Protection Law (PDPL) was passed by Royal Decree M/19 of 9/2/1443H on 16 September 2021, approving Resolution No. 98 dated 7/2/1443H (14 September 2021). The detailed Executive Regulations are expected to be published soon and will give more details about the new law. It will be effective from 23rd March 2022 following which there will be a one year implementation period.

Enforcement 

PDPL will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA). The Executive Regulations will set out the administrative penalties that can be imposed on organisations for breaches. Expect large fines for non-compliance alongside other sanctions. PDPL could mirror the GDPR, which allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. PDPL also contains criminal offences which carry a term of imprisonment of up to 2 years and/or a fine of up to 3 million Saudi Riyals (approximately £566,000). Affected parties may also be able to claim compensation.

Territorial Scope

PDPL applies to all organisations that are processing personal data in the KSA irrespective of whether the data relates to Data Subjects living in the KSA. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the KSA. Interestingly, unlike the UAE Federal DP law, PDPL does not exempt government authorities from its application although there are various exemptions from certain obligations where the data processing relates to national security, crime detection, statutory purposes etc.

Notable Provisions

PDPL mirrors GDPR’s underlying principles of transparency and accountability and empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions including links to previous GDPR blog posts for readers wanting more detail, although more information about the finer points of the new law will be included in the forthcoming Executive Regulations. 

  • Personal Data – PDPL applies to the processing of personal data, which is defined very broadly to include any data which identifies a living individual. However, unlike GDPR, Article 2 of PDPL includes within its scope the data of a deceased person if it identifies them or a family member.
  • Registration – Article 23 requires Data Controllers (organisations that collect personal data and determine the purpose for which it is used and the method of processing) to register on an electronic portal that will form a national record of controllers.
  • Lawful Bases – Like the UAE Federal DP law, PDPL makes consent the primary legal basis for processing personal data. There are exceptions including, amongst others, if the processing achieves a “definite interest” of the Data Subject and it is impossible or difficult to contact the Data Subject.
  • Rights – Data Subjects are granted various rights in Articles 4, 5 and 7 of the PDPL which will be familiar to GDPR practitioners. These include the right to information (similar to Art 13 of GDPR), rectification, erasure and Subject Access. All these rights are subject to similar exemptions found in Article 23 of GDPR.
  • Impact Assessments – Article 22 requires (what GDPR Practitioners call) “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 20 requires organisations to notify the regulator, as well as Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 3 to keep records similar to a Record of Processing Activities (ROPA) under GDPR.
  • International Transfers – Like other data protection regimes, PDPL imposes limitations on the international transfer of personal data outside of the KSA. There are exceptions; further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint at least one officer to be responsible for compliance with PDPL. The DPO can be an employee or an independent service provider and does not need to be located in the KSA.
  • Training – After 23 March 2022, Data Controllers will be required to hold seminars for their employees to familiarise them with the new law.

Practical Steps

Organisations operating in the KSA, as well as those who are processing the personal data of KSA residents, need to assess the impact of PDPL on their data processing activities. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.
  2. Training staff at all levels to understand PDPL and how it will impact on their role.
  3. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  4. Reviewing how records management and information risk is addressed within the organisation.
  5. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  6. Reviewing information security policies and procedures in the light of the new more stringent security obligations, particularly breach notification.
  7. Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
  8. Appointing and training a Data Protection Officer.

Act Now Training can help your organisation prepare for PDPL. We are running a webinar on this topic soon and can also deliver more detailed in house training. Please get in touch to discuss your training needs. We are in Dubai and Abu Dhabi from 16th to 21st January 2022 and would be happy to arrange a meeting.