
Privacy Perspectives | Saudi Arabia publishes final Personal Data Protection Law

On 7 Sept., the Saudi Data and Artificial Intelligence Authority formally released the Kingdom of Saudi Arabia Personal Data Protection Law. Enforcement of the law will begin 14 Sept. 2024, which gives organizations one year to prepare for compliance.

This law is the first privacy law in the KSA. It aligns the kingdom with international privacy laws, in particular the EU General Data Protection Regulation, while adding localization that addresses Middle Eastern culture, and it adopts the latest guidelines and mechanisms for proper implementation of the law through its published regulations.

Personal data cross-border transfer regulation

Although the final wording of Article 29 (Cross-Border Data Transfer) in the final KSA PDPL is complicated, the corresponding regulation sets out the mandates of Article 29 in a simple and organized manner, in line with the GDPR, allowing the transfer of data on three grounds.

The transfer of data is allowed on:

  1. Adequacy decisions for countries, sectors and international organizations (Articles 3 and 4), which are determined and issued by the competent authority and concerned entities. The regulation explains the adequacy process and highlights the assessment criteria and the frequency and revision mandates.
  2. Transfers subject to appropriate safeguards (Article 5) where there is no adequacy decision for the destination country. The regulation lists the types of safeguards approved by the competent authority, e.g., binding corporate rules, standard contractual clauses, a compliance certification mechanism and an enforceable code of conduct.
  3. Derogations for specific situations (Article 6) where there is no adequacy decision and it is infeasible to rely on the appropriate safeguards of Article 5. The listed derogation scenarios are in line with Article 49 of the GDPR, except that the data subject's consent is not explicitly required.

There are four scenarios in which a transfer must be stopped or prohibited: the transfer impacts national security or the kingdom's interests; a transfer impact assessment shows a high risk to the privacy of data subjects; the appropriate safeguards adopted by the data controller are invalid; or the data controller is unable to comply with the adopted appropriate safeguards. If one of those scenarios occurs, the transfer must be stopped and the TIA must be redone. The regulation has considered the latest mechanisms introduced after the "Schrems II" decision, i.e., mandating a TIA for transfers to countries without an adequacy decision (Article 8).

PDPL implementing regulation

The PDPL implementing regulation is considered the main regulation besides the Cross-Border Data Transfer Regulation. It clarifies and adds further requirements in the law separate from Article 29 of data transfer.

Data subject rights

The regulation includes verbal requests among data subject requests under the authentication mandate. This is believed to be a burden on data controllers, especially regarding the operational and accountability aspects. The implementing regulation gives no guidance on the definition of the data scope under any of the rights, which used to be one of the challenges faced with the GDPR and may lead to data controllers receiving an infeasible amount of requests or complaints. Finally, the new regulation does not allow data controllers to charge data subjects for DSRs deemed excessive or repetitive; however, they can reject such requests with justification.

The lawfulness of processing data

Article 16 of the implementing regulation provides guidance on the processing of data under legitimate interest, where it is now introduced with restrictions and precise criteria for using it as a lawful basis. Additionally, data controllers must conduct legitimate interest assessments before processing data in line with Articles 6 and 35 of the GDPR. 

Sub-processing

Under the PDPL, data controllers are required to periodically conduct compliance assessments of selected data processors to ensure they are in compliance with the law. This may create a burden on data controllers as they will assume sole accountability for all data processing activities conducted by the data processor before the competent authority and the data subject.

Information security

Article 23 identifies the mandates for securing personal data by referring to National Cybersecurity Authority measures, standards and controls, or to the best international cybersecurity standards if the NCA does not regulate the data controller. Additionally, the regulation added to point (a) of the article a significant word not stated in the law — necessary: "Data Controllers to implement the necessary security and technical measures to mitigate potential risks on personal data." The addition is impactful, as data controllers are mandated to implement the information security controls defined by the NCA on all personal data processing activities equally, regardless of scope. Without the ability to prioritize, this may place undue cost and time implications on data controllers.

Data breach notification 

The regulation introduced almost equal criteria under which organizations must notify the competent authority and the data subject that a data breach has occurred: within 72 hours and immediately, respectively. The data subject notification mandate may be a cause for concern, as it would have been more relevant to require it only in case of confirmed impact or potentially high impact on the data subject, to avoid the possible reputational effect on data controllers.

Privacy impact assessments

The implementing regulation mandates that data controllers conduct a documented privacy impact assessment in nine different scenarios of personal data processing, including whenever data processing involves anonymization, sensitive personal data, the use of new technologies, etc. This is in line with Article 35 of the GDPR.

Processing health and credit data 

Articles 26 and 27 add more restrictive and specific measures for processing health and credit data. For example, when processing health data, organizations must adopt a restrictive and limited "need to know" approach to minimize accessibility and must document all processing stages, specifying an owner for each stage.

A more challenging requirement is that data controllers adopt all relevant measures and standards issued by other competent authorities in the health and financial sectors when processing health and credit data. This places an additional responsibility on data controllers to cross-check data protection requirements in laws and regulations from authorities other than the data protection competent authority.

Processing data for promotional awareness; direct marketing purposes 

Article 28 of the implementing regulation requires data controllers to collect consent from data subjects before processing their data for promotional and awareness purposes. Under the article, there is an important indirect exemption for data controllers if there was a previous interaction between the data controller and data subject. This is similar to Article 21 of the GDPR, allowing data controllers to rely on legitimate interest with the right to object for profiling and direct marketing purposes when data controllers promote their products and services.

On the other hand, Article 29 of the implementing regulation introduced similarities with Article 28, as it covers processing for direct marketing purposes, including sending promotional communications to data subjects. However, Article 29 mandates that data controllers collect consent from data subjects before processing their data, without the indirect exemption mentioned in Article 28.

If Article 29 requires consent for direct marketing processing in terms of profiling and analytics, i.e., not for sending promotional communications to the data subject, this is a more significant challenge: sending them will be allowed for a mass audience, while a targeted audience won't be permitted without consent. Hence, this would require further clarification and guidance from the competent authority.

What is next? 

It is important to note that the consequences of noncompliance per the law are intolerable in two instances. In the event of the deliberate unlawful disclosure of sensitive personal data, an individual could receive up to two years in prison and/or a fine of SAR3 million. An organization that violates the law could receive a warning or a fine of SAR5 million. If it receives a fine, the court or competent authority could require the organization's data controller to publish it in one or more local newsletters at their expense.

Organizations must design their privacy programs carefully to ensure compliance within the first year, while planning for advanced maturity levels in the following years. They should implement foundational principles and, when applicable, incorporate those requirements into their operational processes at the bare minimum to prove compliance before the competent authority. Finally, instead of prioritizing tooling and automation in the first year of compliance, they should become part of the maturity roadmap to achieve standardization and efficiency in subsequent years.


6 Comments


  • Natasa McAllister • Oct 24, 2023
    That is a very informative and greatly explained summary of the Saudi Data Protection Law.
  • Osama El-Masry • Oct 24, 2023
    Thanks Natasa! Glad that you found it useful...
  • Mohammad Hamza Saghir • Oct 25, 2023
    Osama, a really useful summary with focus on points of particular interest.

    Would be useful to get further insights on how the competent authority would handle large volumes of incident notifications and focus on areas of high risk? Notifying data subjects at the same time as the competent authority can be quite cumbersome and organisations wouldn't necessarily have the operational footprint to handle queries from worried data subjects.

    Also, any insights on how the legislation perceives the role and responsibility of the Personal Data Protection Officer vs. the Data Controller?
  • Osama El-Masry • Oct 26, 2023
    Thanks Mohammad Hamza for your comment. Exactly, that is another concern besides the reputational impact, which is how to manage such an amount of notifications by both the organizations and the competent authority, especially since excessive reporting is always believed to have a distracting impact, not allowing focus on the real incidents with high impact. In that regard, we believe that some operational efficiencies can be introduced for certain types of incidents that are repetitive and don't entail significant impact on data subjects, which would reduce the workload on both sides. On the other hand, what is assuring is that SDAIA is leading by example in all aspects of establishing the PDPL in the Kingdom, and we can clearly see how they are adopting an understanding and considerate approach in enforcing this law, as seen when they postponed the issuance of the law, released both the law and regulations for public consultation and considered the majority of the concerns raised by experts and different business sectors. Hence we are expecting a very collaborative environment driven by SDAIA that would include issuance of further guidance and, to an extent (where permissible), some modifications to address such concerns as they arise during the actual implementation by organizations.

    As for the role and responsibility of the Personal Data Protection Officer vs. the Data Controller, KSA PDPL is pretty much in line with EU GDPR in that regard, where the DPO has more of a compliance monitoring role within the organization vs. the full accountability for compliance with the law and its regulations imposed on the organization acting as data controller. This, for example, is not the case in Egypt's PDPL, where the DPO goes beyond compliance monitoring, is held by law partially accountable for compliance and can be fined in his individual capacity up to EGP 2M.
  • Mary Han • Oct 31, 2023
    Hello, Osama. Great summary! Do you have any insight into when we can expect the competent authority to issue adequacy decisions under PDPL? Do you expect them to follow the EU's list of adequate countries?
  • Osama El-Masry • Nov 9, 2023
    Hi Mary, no confirmed information about the timeline, but I would assume before the end of the year or at the latest by the first quarter of 2024. As for following the EU's list of adequate countries, I wouldn't think so, especially since the adequacy decision qualification criteria are not 100% the same as in the EU, but there shall definitely be common countries there.