8 December 2023

Impact of the implementing regulations to the Saudi Personal Data Protection Law

To The Point
(13 min read)

On 7 September 2023, the Saudi Data & Artificial Intelligence Authority ("SDAIA") published the long-awaited implementing regulations to the Personal Data Protection Law ("PDPL") of the Kingdom of Saudi Arabia ("KSA"), together with separate regulations governing personal data transfers. Now that the Implementing Regulations have been published, organisations located in the KSA, together with those that process the personal data of individuals located in the KSA, have until 14 September 2024 to make the organisational, procedural and policy changes needed to comply with the PDPL. In this article we discuss the key requirements set out in the Implementing Regulations and the impact they are likely to have on organisations. We also look at what organisations should be doing now to ensure compliance with the PDPL by 14 September 2024.

The Implementing Regulations flesh out and clarify a number of the provisions of the PDPL, and also impose some new obligations on controllers. SDAIA has extracted the requirements that govern transfers of personal data out of the KSA and set them out in separate Personal Data Transfer Regulations (the "Personal Data Transfer Regulations"). The Personal Data Transfer Regulations and the Implementing Regulations are referred to collectively in this article as the "Regulations".

Guidance on the requirements of the PDPL as amended in March 2023 can be found in our previous article.

The Regulations and the PDPL came into effect on 14 September 2023, and organisations now have the benefit of a one-year grace period (until 14 September 2024) in which to bring their operations into compliance with the law. SDAIA may extend this timeline, but only on application from the relevant controller, which it will assess on a case-by-case basis.

In this article we provide an overview of the requirements under the Regulations and consider the impact they are likely to have on businesses.

  • Permitted international data transfers and exemptions
  • Consent to process personal data
  • Legitimate interests in processing data
  • Third party data processors
  • Data subject rights
  • Data breach notifications
  • Data protection impact assessments ("DPIAs")
  • Advertising and direct marketing
  • Data protection officers ("DPOs")
  • Health data and credit data

What do the Regulations mean for businesses?

The Regulations provide some much-needed clarity on SDAIA's expectations and the required level of compliance with the PDPL. We anticipate that the number and frequency of developments will increase as the clock runs down on the compliance deadline. At the time of writing, for example, SDAIA has announced the launch of its new registration portal, which provides a channel for raising queries directly with the regulator and a number of practical tools to aid compliance, such as a template DPIA.

As the KSA strives to meet its Vision 2030 objectives, data regulation will continue to be a strategic priority. Data protection rules such as the PDPL and its Regulations are among the tools, alongside technology and sector-specific regulation, that will be used to create and protect the economic environment the Kingdom requires.

In order to ensure compliance by 14 September 2024, organisations that are (1) incorporated in the KSA, or (2) providing services into the KSA or supporting service delivery in the KSA, and that in either case process personal data, will need to take certain steps, including:

  • Training: Ensure that internal stakeholders and personnel are made aware of their obligations under the PDPL. This will likely involve deploying training programmes, implementing appropriate data protection policies and, in certain cases, appointing and training a DPO.
  • Changes to business practices: Conduct a gap analysis to baseline existing practices against the PDPL and its Regulations (or the relevant sector requirements, as the case may be). For example, all personal data processing activities should be audited in order to prepare records of processing activities ("ROPAs"). DPIAs should be carried out in respect of new processing activities, and (to the extent they are not in place already) appropriate technical and organisational measures must be put in place to prevent breaches, to enable effective responses to data subject requests, and to ensure that personal data that is no longer required is deleted. In addition, contracts with processors will need to be reviewed and appropriate data processing addenda executed.
  • Transfer assessments: Where controllers will be transferring personal data outside the KSA, they will need to consider whether the destination country is an Adequate Country, whether Safeguards will need to be adopted, or whether a derogation can be relied on.
  • Monitor and Review: Additional clarification and sectoral laws are expected to be published as the grace period runs down. It is therefore critical for businesses to continue to monitor legal developments in this space.

Next steps

If you have any queries on the PDPL, including the Regulations, or require support in achieving compliance with data protection laws in the KSA, please contact one of our specialists.
