The Personal Data Protection Law in the Kingdom of Saudi Arabia (KSA PDPL) was amended in December 2022 to align closely with the requirements of the European Union’s (EU) General Data Protection Regulation (GDPR), and these amendments were accepted in March of this year, with the new enforcement date being September 2023. With these latest developments, many multi-national organisations will need to develop new policies and procedures, conduct data protection impact assessments and implement updated governance models, among other compliance activities.
This may feel like déjà vu for organisations that went through the intensive process of building GDPR programmes in 2018. Fortunately, complying with the KSA PDPL does not require organisations to start from scratch, as many can use their existing GDPR programmes as a baseline for application in Saudi Arabia.
Using GDPR programmes as a springboard to build data protection compliance in KSA has several benefits, including that GDPR is considered a “gold standard regulation” and therefore serves as a robust compliance baseline for data protection. Another benefit is that standardising policies and procedures across an organisation can promote uniform levels of compliance and make centralised compliance tracking and reporting easier.
Against that backdrop, what do organisations operating in KSA need to do to revise their privacy programmes for the new law?
Develop Records of Processing Activities
Organisations are still required to develop comprehensive records of processing activities (ROPA) to document how personal data is processed across the organisation. This can often be a labour-intensive task and requires interacting with most (if not all) business functions to understand how personal data is processed. As such, early preparation is key.
The ROPA is a core data protection document and not only highlights the personal data your organisation holds but can also serve as a single source of truth in the event of a data breach. It can also be used to pinpoint personal data relevant to a data request from an individual and help organisations identify and document the lawful basis for processing personal data.
Tailor Policies and Procedures
Policies and procedures developed for GDPR purposes can be a good starting point for KSA. Organisations should perform a detailed review of these policies and procedures, identify the unique elements of the KSA PDPL and the nuances of the local business unit, and update the policies and procedures accordingly.
Assess Data Localisation Requirements
Recent amendments to the KSA PDPL have brought the PDPL even more closely into alignment with GDPR and softened many of the prohibitive data localisation requirements. With the introduction of the amendments, personal data transfers may be permitted to jurisdictions that offer a level of data protection no less than that offered in KSA, which represents a significant departure from the previous stance on international data transfers.
Nonetheless, restrictions on personal data transfers should still be assessed, for which organisations should use their ROPA as a foundational input to document transfers of personal data outside of KSA. Organisations should then consider if the transfer is likely to be permissible, and what safeguards and documentation are needed to proceed with data transfers in a compliant manner.
Data Protection Impact Assessments
Data protection impact assessment (DPIA) templates will need to be updated to reflect the unique elements of the KSA PDPL. Once the templates have been updated, organisations should identify the assessments that need to be conducted wherever the rights of data subjects may be adversely affected by the processing. Organisations should review their business operations to identify assets or processing activities that may compromise the rights of data subjects and perform a DPIA for each.
DPIAs should be conducted as early as possible to provide organisations with sufficient time to identify and implement compliance measures.
Some multi-national organisations may have implemented technology to help manage data protection compliance in the EU and other jurisdictions. As in the EU and other regions, technology can be used in KSA to streamline compliance and to support employees in actioning data protection processes. Despite this, organisations will still need to carefully configure workflows and templates to accommodate any variations in the KSA PDPL, including timelines and language adjustments.
Training should be used to build a culture of data protection and security among employees residing in KSA. Training should not only provide details on the KSA PDPL, but should also provide practical steps on how employees can ensure they protect data as part of their day-to-day responsibilities. Supporting materials, like reference guides to support the completion of DPIAs and other data protection processes, will help prepare employees to support the overall data privacy programme.
Organisations looking to respond to the requirements of the KSA PDPL will have a head start if they have already established GDPR-focused compliance programmes. Notwithstanding this, there remains a detailed and nuanced exercise to tailor and implement compliance measures for use under the KSA PDPL, and this will require careful planning. Those organisations that take early steps to build data protection compliance in KSA are likely to be in a strong position and to mark themselves as companies with data protection and security at their core.
Jack Fletcher is a Senior Director within the Technology segment of FTI Consulting, based in Dubai. FTI Consulting has a dedicated team of data protection experts who provide tailored compliance advisory support to a range of businesses in the Middle East and North Africa Region.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.