Implementing Data Protection Laws In KSA

The local laws and regulations for personal private information are hardening day after day globally.

Governments may have adopted different approaches for the Data Protection or Individual Privacy but all of them are stressing on the importance of electronic security.   

One recent example on the importance of controlling and processing personally identifiable information is the Kingdom of Saudi Arabia.

It has newly issued its first comprehensive national data protection law.  The Personal Data Protection Law will enter into force on March 23, 2022, and regulates the collection, processing and use of personal data in the Kingdom.

Organizations with operations in the Kingdom or those processing data of Saudi residents will have one year to comply with the new requirements.

Businesses should note several important requirements contained in the new law affecting different aspects for any Saudi resident – whether national or expat.

Those aspects are defined as below:  

• Extraterritoriality: Any processing of Saudi resident data performed in the Kingdom or by entities located outside the Kingdom is subject to the law’s requirements.
• Restrictions on Cross-Border Transfers: Transfers of data outside of the Kingdom may be made for limited explicit purposes, as set out in the law, or for “other purposes” subject to the forthcoming regulations. Even if the transfer falls into a permitted category, further conditions must be satisfied, including approval by the competent government authority, with exceptions granted on a case-by-case basis only.
• Registration: Data controllers must register with SDAIA and pay an annual fee.
• Consent: Consent is the primary legal basis for processing personal data and must be obtained in writing (subject to further requirements in the forthcoming regulations). Personal data may only be processed without consent in very limited circumstances.
• Local Representative: Any foreign company without a legal presence in the Kingdom that processes the personal data of Saudi residents must appoint a local representative, licensed for that purpose. SDAIA will determine when this requirement will come into effect.
• Sensitive Data: All sensitive personal data, which includes genetic, health, and credit and financial data, will now be governed under the new law, but will also be subject to further regulation. The law contemplates a process of “reconciliation” with existing data regimes implemented by other regulators in the Kingdom.
• Breach Notification: Breaches, leakages, or other unauthorized access to personal data must be notified to SDAIA “immediately,” as well as to data subjects.
• Records of Processing Activities: Data controllers must prepare and register data processing activities with SDAIA.
• Criminal Penalties: The law contains criminal penalties, including up to two years’ imprisonment and fines of up to SAR 3 million (approximately USD 800,000). Administrative penalties may be imposed with higher fines.

It is recommended that all businesses operating in the Kingdom or processing the data of Saudi residents to start assessing their activities and security systems in preparation of the law’s implementation.

Being compliant with the required changes may look either as a challenge to some or an opportunity for others. We can help to turn it to an opportunity and secure your relationship with all stakeholders.