Unlike businesses in Europe and North America, businesses in the MENA region have generally not had to deal with complex data protection legislation.
However, the Personal Data Protection Law (PDPL), enacted on September 24, 2021 and coming into effect on March 23, 2022, imposes national data protection regulation on businesses across the Kingdom of Saudi Arabia.
Data controllers in Saudi Arabia now have one year to comply with the provisions of the PDPL and with any implementing regulations that may be issued in the future.
In this article, we discuss how companies required to comply with the PDPL can prepare for its application, and how this law interfaces with existing legislation such as the Temporary Personal Data Protection Regulations (PDPIR).
Saudi Arabia Company Data Protection Compliance Checklist
Before the effective date, Saudi businesses should prepare a data protection framework that is fully PDPIR compliant, since this will significantly assist future compliance with the PDPL once it comes into force. To achieve this, they should take the following actions:
Training: All employees must undergo a high-level training program covering the main data protection issues and the risks associated with breaches; because all employees are likely to handle personal data in some form, this training is needed across the organisation.
Data planning exercise: Businesses must identify the following information: (1) the personal data that is collected, processed, stored, and transferred (as the case may be); (2) the origin of this data; (3) the reason for its collection; and (4) where it is stored, how it is transmitted, and to whom it is disclosed.
As for the conditions of data transfers, they include: not affecting national security; having guarantees to maintain the confidentiality of the data that are not less than the standards of the PDPL; ensuring that disclosure of personal data is limited to what is strictly necessary; and that the competent authority approves the transfer/disclosure as specified by the implementing regulations.
The PDPL states that the implementing regulations will include additional restrictions for certain specific data. For example, for credit card data, there must be procedures to verify that written consent has been obtained from the data provider, and any change in the purpose of data collection and
The use of personal data for marketing by data controllers is prohibited unless consent is first obtained and an opportunity to opt out is provided.
Prohibition on photocopying official documents
This common practice is prohibited under the PDPL, except where necessary to implement its provisions or if specifically requested by the relevant authority.
The Personal Data Protection Law (PDPL) gives individuals rights concerning their data, including the rights to access, rectify, and destroy/delete it, and the right to be informed of the legal or practical justification and purpose of collecting their data.