Eye on PDPL - Volume 1 - Avoid these five pitfalls at the beginning of your PDPL journey
Mostafa Elghazaly
Founder of Signify Solution | Writer | Focuses on Digital & AI Strategies, Cybersecurity, GRC, Risk Management and Portfolio Management
Eye on PDPL – Introduction to the Article Series
“Eye on PDPL” will be a series of articles that help you understand and implement PDPL, with a focus on practical solutions to the complexities of PDPL implementation. These solutions will allow you to jumpstart your PDPL implementation journey and will help you navigate the complexities of the law.
The Personal Data Protection Law (PDPL) of Saudi Arabia was issued in its final version earlier this year. The Kingdom's aspiration is to align data protection with the national data governance standards issued by SDAIA’s NDMO in order to safeguard the privacy and security of individuals' personal data. Following global data protection standards such as GDPR, the PDPL places strict obligations on organizations that collect, process, and handle personal and sensitive data. Companies will have to comply with the PDPL articles by September 2024, which gives organizations time to navigate the complexities of the law, especially those who did not have to comply with data protection and privacy standards before.
Volume #1 – Avoid these five pitfalls at the beginning of your PDPL journey - Lessons Learned from GDPR
In this Eye on PDPL post, we will discuss the common pitfalls that I have seen my clients fall into when executing their Data Privacy and Protection journey. We will explore the key factors leading to these pitfalls and provide ideas to help mitigate them right at the start of the PDPL journey.
Key Highlights:
1. Having a Checkbox Mentality toward the PDPL Compliance Journey
The Personal Data Protection Law (PDPL) mandates the implementation of critical functional and technical elements. Unlike a one-time technology implementation or a digital transformation initiative, PDPL establishes an ongoing compliance process. Companies are required to consistently adhere to its standards, especially when executing key sensitive data processing activities.
While some perceive PDPL as a compliance program with point-in-time reporting, the reality is that it takes effect in September 2024, and compliance will be a continuous requirement thereafter.
Drawing from my experience with GDPR, it's crucial to recognize that viewing PDPL compliance merely as a regulatory obligation risks a superficial implementation. This can lead to a checkbox mentality, where the focus is on meeting legal requirements rather than fostering a genuine commitment to data privacy on an ongoing basis, which is what PDPL is all about.
Keep in mind: To avoid this common pitfall, you should understand that PDPL compliance is not just a legal requirement but an essential aspect of building trust with customers and stakeholders. A comprehensive approach that integrates privacy principles into your organizational culture and values is a must. The journey will not end with the effective date of the law or when your consultants say they have “implemented PDPL”. It will be an ongoing process that you need to abide by every single day.
2. Not Fully Comprehending the Law and its Requirements
Inadequate understanding of the PDPL and its detailed requirements is a significant risk, especially when the law coming into effect is new. A lack of understanding, combined with a rigid one-size-fits-all mindset, can lead to misinterpretations, incomplete compliance efforts, and the inadvertent neglect of key functional and technical elements of the PDPL Articles.
To mitigate this pitfall, companies should invest in conducting a detailed Data Privacy Impact Assessment, guided by outside consultants including legal counsel.
Keep in mind: The PDPL does not prescribe a fixed set of controls or processes for direct implementation. Instead, it outlines a set of requirements (articles) for interpretation by the involved parties, enabling them to tailor compliance strategies that suit their operating model. While flexibility is emphasized, adherence to established frameworks and structured designs is very important.
3. Giving Too Much or Too Little Attention to Supporting Technology
Automation and continuous monitoring enabled by Data Privacy Technology play a crucial role in PDPL compliance; however, an imbalance in attention can let you drift away from implementing the law (i.e. the actual process) toward treating the program as a technology implementation.
Overemphasis on technology implementation leads the organization to believe that technology can and will solve all compliance issues, disregarding the process and people elements of the program. Conversely, neglecting technological solutions can result in inefficiencies and an increased risk of data breaches.
Keep in mind: The PDPL program comprises various foundational elements, encompassing data protection policies, the introduction of key technologies, regulated data collection procedures, and a cultural shift. When addressing the technological aspect, it is crucial to strike a balance tailored to your specific needs. This involves implementing technology requirements that not only cater to your organization's unique context but also align seamlessly with the overarching compliance strategy.
4. Engaging consultants without the right expertise to support your goal
Engaging consultants without the right expertise in Data Privacy and Data Protection compliance activities will be detrimental to your progress toward complying with the PDPL requirements. It's crucial to select consultants who not only understand the legal requirements but can tailor solutions to your organizational context, including its size, operations and technology appetite.
When selecting a consulting partner, companies sometimes go with a vendor that overpromises on delivery in order to offer a cheaper rate. Companies should not overlook the assumptions made by their partners/vendors and should focus on the quality of the execution.
Keep in mind: The PDPL is a new legal framework, and its details will be untangled by your partners, who will have the responsibility of guiding you toward accurate interpretations. To ensure compliance with the PDPL, starting a detailed dialogue with your vendors during the tendering process is imperative. Seek a collaborative partner who can guide you effectively; this is achieved through the presence of a robust and capable team dedicated to supporting your PDPL compliance program.
5. Not Embracing Agile Methodologies for Streamlined PDPL Implementation
Adopting a classic waterfall approach to PDPL implementation, characterized by a sequential process (Assess, Design, Implement) with limited adaptability, will not allow you to be responsive to evolving requirements. A more effective strategy is to embrace agile methodologies that allow for iterative adjustments based on feedback and changing circumstances. Speed to implement is key to enabling the shift in the cultural mindset of doing business. The agile approach of concurrent work streams (e.g. Design <> Implement) is recommended to achieve maximum efficiency and ensure that you will realize measurable results in short order.
The agile delivery approach emphasizes flexibility, collaboration, and responsiveness to quickly jumpstart your Privacy Program; in future posts I will highlight the framework I use to jumpstart the Data Privacy and Protection implementation programs.
Keep in mind: PDPL might require you to add layers and re-engineer how you do business. Agile approaches allow you to collect feedback and try the proposed solutions quickly. PDPL should not disrupt your business operations; rather, it should be an enabler to connect with and gain the trust of your stakeholders. In my view, a classic waterfall approach is unlikely to facilitate the achievement of this goal.
Bringing it all together,
Avoiding these common pitfalls at the start of your PDPL journey requires a holistic and proactive approach to PDPL compliance. Companies should follow privacy-by-design principles, educate both internal and external stakeholders, and integrate privacy considerations into their broader 2024+ business strategies.
________________________________________
Signify Originals – Eye on PDPL: At Signify Solution, we believe in providing advisory and assurance services that help our clients better plan and solve their business problems. “Eye on PDPL” is our way to share our knowledge, allowing us to have a bigger reach and impact on our clients.
Please contact me directly at [email protected] to connect, chat, or share your feedback.