Saudi Arabia's personal data protection law (PDPL)

Privacy vs security vs protection

Although the terms “data privacy”, “data security”, and “data protection” are often used interchangeably, there are some key differences:

  • Data privacy concerns the ability of an individual to control when, how and to what extent their personal data is disclosed or communicated to others.
  • Data security is about safeguarding data against unauthorised access, use or destruction by implementing technical controls, measures and procedures.
  • Data protection covers both data privacy and data security.

The evolution of data protection laws

We often think of our right to privacy as a modern notion. However, it’s only when we dig deeper that we realise that it stems from the late 1800s:

  • 1888: the Kodak camera became commercially available
  • 1890: an article was published in The Harvard Law Review, discussing the importance of getting consent before taking any person’s picture
  • 1973: Sweden became the first country in the world to introduce a data protection law
  • 1984: The United Kingdom published the Data Protection Act
  • 2016: The European Union introduced the General Data Protection Regulation (GDPR)
  • 2018: Bahrain published its personal data protection law
  • 2019 – 2021: many other countries including India, the UAE, Brazil and Saudi Arabia introduced their own data protection legislation

Data protection in Saudi Arabia?

Saudi Arabia’s personal data protection law (PDPL) – which comes into effect on 17 March 2023 – will drive a raft of changes to the way businesses process personal data in the kingdom. The PDPL applies to any entity – including public and private companies and their affiliates within and outside Saudi Arabia – that processes the personal data of residents of Saudi Arabia, governing the collection, processing, transferring, storing, usage and handling of personal data by organisations and individuals.

Generally, data protection laws minimise the impact of a data breach on individuals and enforce accountability and – for businesses – lessen operational disruption, help prevent reputational damage and reduce the likelihood of financial loss (due to compensation for damages or the settlement of legal penalties). The Saudi PDPL - designed to support data subjects - gives individuals the right to:

  • Be informed about the processing of their personal data
  • Have access to their personal data
  • Correct their personal data if it’s incomplete, inaccurate or outdated
  • Withdraw consent for their data to be processed – or delete their personal data
  • Any other rights set out in executive orders

What can be done with personal data?

Saudi Arabia’s PDPL focuses on protecting any personal data - personal IDs, contact details, addresses, economic status, photos or media, bank account details, online identifiers, intellectual data, physical attributes and social identity – and sensitive personal data – including race or ethnicity, political opinions, philosophical or religious beliefs, criminal records, health status and genetic and biometric data - that is collected, processed, transferred, stored, used or handled by organisations and individuals. The transfer of personal data is a particular focus area – and is only allowed to preserve data subjects’ interests; to prevent, examine or treat a disease; to fulfil an agreement; to serve the kingdom’s interests or for other purposes where the data authority consents, national security isn’t harmed and data is limited and safeguarded.

How we can help

Our data protection professionals can:

1. Assess the impact of the PDPL on your business

  • Assessments of current frameworks and documented processes
  • Data privacy requirements for IT systems and employees
  • Privacy by design

2. Develop PDPL compliance frameworks

  • Data protection policies and procedures
  • Data protection impact assessments

3. Second data protection officers

  • Coordination with internal and external stakeholders
  • Monitoring and audits of compliance with PDPL policies
  • Maintenance of data protection frameworks

4. Deliver awareness sessions and e-learning

  • Customised, flexible and current training programmes

5. Audit data privacy frameworks

  • Internal audits of frameworks against relevant privacy standards
