What does compliance with the PDPL look like?

When the Personal Data Protection Law (PDPL) goes into effect this September, it will give Saudi citizens and residents (i.e., Data Subjects) enforceable rights over their Personal Data and regulate how Saudi organizations collect and process Personal Data in Saudi Arabia.

Data Subjects will be able to enforce rights that include the right to be informed of the legal basis and purpose of collecting their personal data, the right to access and request copies of their personal data, and the right to correct, complete, update, and delete their personal data.[i]

The PDPL will apply to all organizations that collect and process personal data in Saudi Arabia,[ii] regardless of their size or the amount of personal data processed. The national registry (published on the National Data Governance Platform) confirms this by encouraging “all entities that collect and process the personal data of Saudi citizens and residents” to register, and the Guide to the Saudi Personal Data Protection Law clearly states that “small and medium-sized businesses are also subject to compliance with the PDPL.”

Saudi organizations that have already built regulatory compliance programs know how to find the policies, procedures, and tools they will need in the language of the PDPL and the Regulations. For companies building their first regulatory compliance program, this article walks through the development process for some of the policies explicitly required by the language of the Law and the Regulations.

Privacy Policy

Saudi organizations must develop a Privacy Policy by September and make it available to individuals before collecting their personal data.[iii] Saudi organizations can start by having their Human Resources, Marketing, and other operations identify when and where they engage with individuals and collect personal information. For example, does HR engage with job applicants and employees to collect names, phone numbers, and other personal information? Do they use paper or online applications to collect their information? The answers to these questions will help you identify where to make your Privacy Policy available to Data Subjects.

Once you determine where to make your Privacy Policy available, the Law requires that the policy specify the purposes for collecting Personal Data and the Personal Data collected. The policy must describe how Personal Data will be collected, processed, stored, and destroyed. Finally, the policy must include information about the Data Subjects’ rights and how to exercise them.[iv]

Because Saudi organizations may only collect Personal Data that directly relates to the collection purpose,[v] you must identify your purposes for collecting personal data to determine what personal data is required and should be listed in your Privacy Policy. For example, educational and work history may be necessary for recruitment and human resources functions to evaluate and select qualified job applicants, but personal relationships and group affiliations may not be. Healthcare providers may need family history, blood type, and lifestyle to diagnose patients, but they may not need their credit history or copies of their passports.

After identifying the purposes for collecting personal data, you should work with your IT department, Human Resources, and other departments to identify and document how the personal data will be collected, processed, stored, and destroyed. Questions to consider might include: Does Marketing collect client and customer names and phone numbers through online or paper registration processes? Does IT store electronic information on-site or in the cloud? Do you have procedures for destroying hard copy and electronic documents? The answers to these questions will help you describe how personal data is collected, processed, stored, and destroyed.

The last section of the Privacy Policy must include information about the Data Subject’s rights and how to exercise them.

Data Subject Rights

The Regulations tell us the procedures Saudi organizations must follow regarding Data Subject rights. General procedures include providing Data Subjects with adequate methods (i.e., email, text messages, and national addresses) for making requests about their personal data,[vi] verifying the requester's identity,[vii] and responding to their requests without delay.[viii]

Specific procedures depend on the nature of the request. For example, when Data Subjects request copies or access to their Personal Data, Saudi organizations must ensure that the access provided does not disclose the personal data of any other individuals.[ix] For requests to correct, update, or complete their personal data, the procedures must include stopping the processing of personal data while its accuracy is being contested, requesting supporting evidence to verify the request, and notifying the parties to whom the Personal Data was previously disclosed.[x]

For requests to destroy personal data, Saudi organizations must destroy all copies of personal data, including backups, notify the individuals to whom the Personal Data was previously disclosed, and notify the Data Subjects when their personal data is destroyed.[xi]

Withdrawing Consent

In addition to the Data Subject rights discussed above, the Law gives Data Subjects an independent right to withdraw their consent to process their data at any time.[xii]

The Regulations also require Saudi organizations to establish and implement procedures for allowing Data Subjects to withdraw their consent before they can ask for it.[xiii]

Because Data Subjects may withdraw their consent at any time, the procedures must be explained to them when they are asked for their consent and in conjunction with any subsequent communications. Moreover, the procedures for withdrawing consent cannot be any more difficult than the procedures for collecting it.[xiv] For example, if Data Subjects are allowed to provide consent by text message, they must be allowed to withdraw their consent by text message.

Developing a Data Subject Request Form can help Saudi organizations comply with these requirements for exercising Data Subject rights and withdrawing consent. A Data Subject Request Form can include sections to allow the Data Subject to specify the nature of their request. Do they want copies of their information or access to it? Do they need to change their name because of marriage or another legal purpose? Do they need to add a newborn to their family information? Do they want to withdraw their consent to the cross-border transfer of their information? The form can also be used to obtain information necessary to verify the identity of the person making a request or to verify the validity of any change to the personal data being requested.

With approximately five (5) months left before enforcement, the Privacy Policy and Data Subject Request Form templates developed by EMME Advisory Services can help reduce the time it takes to develop and implement your PDPL program. We have developed the policies, procedures, and tools you will need to collect, process, secure, and transfer personal data in and outside Saudi Arabia. We can help your team build your PDPL program on-site or remotely. We also provide live PDPL training or develop training tailored to your needs. For more information, contact [email protected].


[i] PDPL Article 4

[ii] PDPL Article 2 The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom.

[iii] PDPL Article 12 The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data.

[iv] PDPL Article 12 The policy shall specify the purpose of Collection, Personal Data to be collected, the means used for Collection, Processing, Storage and Destruction, and information about the Data Subjects rights and how to exercise them.

[v] PDPL Article 11. The purpose for collecting the Personal Data shall have a direct relationship with the purposes of the Controlling Entity.

[vi] The Regulations Article 10: Means of Communication – The Controller is required to provide appropriate means to process requests related to Data Subject rights as stipulated in the Law. The Data Subject shall have the choice to use one or many among the following means according to their preference considering options made available by the Controller: 1) email, 2) text messages, 3) the national address, 4) communication via electronic applications, 5) any other communication means provided by the Controller for this purpose.

[vii] The Regulations Article 3: General Provisions of Data Subject Rights – The Controller shall . . . c) take appropriate measures to verify the identity of the requester before executing the request in accordance with relevant legal requirements.

[viii] The Regulations Article 3: . . . a) act on the request of the Data Subject for exercising their rights under the Law within a period not exceeding (30) days and without delay.

[ix] The Regulations Article 5: Right of Access to Personal Data . . . When enabling the Data Subject to access their Personal Data, the Controller shall ensure that it does not involve disclosing Personal Data that identifies another individual. Article 6: Right to Request Access to Personal Data . . . When granting access to their Personal Data, the Controller shall ensure that it does not involve disclosing Personal Data that identifies another individual.

[x] The Regulations Article 7: Right to Request Correction of Personal Data 1) Data Subject shall have the right to obtain from the Controller a restriction of Processing when the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data. 2) Controller may request needed supporting documents or evidence to verify in order to update, correct, or complete the Personal Data, provided that such documents or evidence are destroyed once the verification process is completed. 3) Upon correcting the Personal Data, the Controller shall notify the parties to whom the Personal Data was previously disclosed without delay.

[xi] The Regulations Article 8: Right to Request Destruction of Personal Data 2) When destroying Personal Data, the Controller shall take the following steps: a) Take appropriate measures to notify other parties to whom the Controller disclosed the concerned Personal Data and request their Destruction. b) Take the appropriate measures to notify the individuals to whom the Personal Data has been disclosed by any means and request its Destruction. c) Destroy all copies of the Personal Data stored in the Controller’s systems, including backups, in accordance with the relevant regulatory requirements.

[xii] PDPL Article 5 2) In all cases, Data Subjects may withdraw [their] consent . . . at any time.

[xiii] The Regulations Article 12: Consent withdrawal 2- Before requesting consent from the Data Subject, the Controller shall establish procedures that allow for the withdrawal of that consent and take the necessary measures to ensure their implementation.

[xiv] The Regulations Article 12: Consent withdrawal 2- . . . with the procedures for withdrawing consent being similar to or easier than those for obtaining it.
