Saudi Arabia issues Implementing Regulations to the Personal Data Protection Law

The Saudi Data & Artificial Intelligence Authority (SDAIA) published the Implementing Regulations to the Kingdom’s Personal Data Protection Law (PDPL) on 7 September 2023, one week before the PDPL comes into force and effect on 14 September 2023. These new Regulations clarify many of the measures that organisations will need to implement to comply with the PDPL before the end of the grace period.

The Implementing Regulations and the Personal Data Transfer Regulations (together the Regulations) both expand on the general principles and obligations outlined in the PDPL (as amended in March 2023) and introduce new compliance requirements for data controllers. In this article, we provide an overview of the key requirements introduced by the Regulations and some specific considerations for all organisations doing business in the Kingdom of Saudi Arabia (KSA).

What are the key requirements introduced by the Regulations?

The Regulations introduce additional conditions and requirements with respect to a number of data protection compliance areas, including:

• Adequacy system for data transfers: The Personal Data Transfer Regulations enable the transfer of personal data outside the Kingdom to countries that have been evaluated by SDAIA as providing an appropriate level of data protection. The Regulations set out the evaluation criteria and the procedure for determining and reassessing adequacy, but a list of adequate countries has not yet been issued. Exemptions for transfers to non-adequate countries include measures that are familiar under other data protection regimes, such as Binding Corporate Rules for intra-group data transfers or Binding Rules of Conduct approved by SDAIA, standard contractual clauses (to be issued by SDAIA) and certificates of compliance issued by an entity licensed by SDAIA. In the absence of an adequacy decision and the inability of the controller to use any of the other stated measures, there are certain exemptions that may allow for transfers in limited circumstances, including where the transfer is necessary to conclude or implement an agreement to which the data subject is a party. However, when relying on the safeguards or exemptions, or where the transfer involves ongoing or large-scale sensitive data, controllers must conduct a risk assessment to determine whether the transfer could result in a high risk to data subjects. 
• Additional bases for international data transfers: The Personal Data Transfer Regulations introduce additional bases for transferring personal data outside of the KSA, including providing a service or benefit to the data subject and carrying out operational processes to enable the controller to carry out its activities (including the operations of the central administration).
• Consent: Where an organisation relies on the consent of an individual to process their personal data, such consent must be given freely, the purposes for processing must be clear and specific, and independent consent must be obtained for each purpose of processing. Consent must also be documented and it must be given by a person who has full legal capacity. There are circumstances when “explicit” consent is necessary, including where the processing involves sensitive data, credit data and decisions based entirely on automated processing.
• The legitimate interest basis for processing data: The Regulations require controllers to meet specific conditions when relying on their legitimate interests as the legal basis for processing, including balancing the rights and interests of the data subject against the legitimate interests of the controller. Controllers must also conduct a legitimate interest assessment when relying on this ground to process personal data.
• Data processors: Controllers must enter into agreements with third party processors which contain specific information, including a commitment from the processor to notify the controller of a personal data breach without undue delay and confirmation of any subcontractors engaged by the data processor or any other party to whom the personal data will be disclosed. The processor must meet specific conditions when contracting with sub-processors, including obtaining prior approval from the controller. The controller is responsible for verifying the processor’s compliance with the PDPL and the Regulations.
• Data subject rights: The Regulations set out new details and requirements in respect of data subject rights and require that controllers respond to data subject requests within 30 days. This can be extended by an additional 30 days where responding to the request requires unexpected or unusual additional effort or where the controller receives multiple requests from the data subject. Multinational organisations should note that this is a shorter time period than under the GDPR, which allows a maximum of three calendar months for complex or multiple requests.
• Data breach notifications: The Regulations confirm that controllers must notify personal data breaches to SDAIA within 72 hours of becoming aware of the breach and must notify data subjects without undue delay. The threshold for reporting a breach to SDAIA and data subjects appear similar: a breach is reportable to SDAIA and data subjects where it may cause harm to the personal data (or data subject, in the case of notifications to SDAIA), or conflicts with their rights or interests.
• Data Protection Impact Assessments (DPIAs): The Regulations specify further circumstances when a DPIA is required. DPIAs must be completed where the processing involves sensitive data; where the controller collects, compares or links two or more sets of personal data obtained from different sources; the activity of the controller includes systematic large scale processing of personal data of individuals who fully or partially lack legal capacity; the activity involves processing operations that by their nature require continuous monitoring of data subjects; the activity involves processing personal data using new technologies; the activity involves making decisions based on automated processing of personal data; and the processing involves the provisions of a product or service that involves processing of personal data that is likely to cause serious harm to the privacy of data subjects. The Regulations also specify the information that should be included as a minimum in DPIAs.
• Advertising and direct marketing: Consent is required to process personal data for advertising and direct marketing purposes. Controllers must also provide an easy and simplified mechanism to enable data subjects to stop receiving advertising and marketing materials at any time.
• Data Protection Officers (DPOs): The Regulations specify when controllers must appoint one or more persons responsible for the protection of personal data (i.e. a DPO). The circumstances include where the controller is a public entity that provides services that include large scale data processing; where the primary activities of the controller are based on processing operations that require regular and systematic monitoring of data subjects; and where the main activities of the controller are based on the processing of sensitive data. The DPO can be an official or employee of the controller or an external contractor. Organisations therefore can either appoint internally or engage a third party company that provides DPO services. The Regulations do not specify, however, whether a DPO should be based in the Kingdom. Further rules for the appointment of DPOs are expected.
• National register of controllers: The Regulations re-introduce the requirement for registering controllers with SDAIA (which was previously removed from the amended PDPL). SDAIA will issue the rules for registration in the National Register and will specify which controllers will have to register.
• Record of processing activities (ROPA): Unlike other data protection regimes, the Regulations specify that controllers must keep a ROPA during the period it engages in the relevant processing activities and a further five years after the end of the processing activity. The Regulations also set out the information that should be included in a ROPA, such as a description of the organisational, administrative and technical measures taken by the controller.

Additional controls and requirements have also been introduced for processing data for scientific and research purposes, and for the processing of health data and credit data, including adopting and applying requirements and controls issued by the relevant regulatory authorities (such as the Ministry of Health and the Central Bank of Saudi Arabia).

What should companies do next?

The PDPL incorporates a 12-month grace period for organisations to become compliant after the effective date, so full enforcement of the PDPL should start from 14 September 2024. With the Regulations now in place to supplement the framework established by the Law, there is a clearer path to compliance for all organisations seeking to do business in or with KSA. Early steps should be taken to:

• Assess data processing activities relating to KSA with a view to understanding the impact of the PDPL and the Regulations and any operational changes that will be necessary to align with them.
• Obtain senior management buy-in to implement the changes that may be required to adopt new or updated data protection frameworks. This can be a complex exercise and it is important that senior management understands the risks that may arise from non-compliance with the PDPL, including financial sanctions (such as potential fines and compensation claims), criminal penalties and reputational damage.
• Policies, processes, and contracts will either need to be developed or reviewed to assess whether updates are required to take account of new rights and obligations, particularly the statutory deadlines for responding to data subject requests.
• Controllers will need to assess whether they are required to appoint a DPO and, if so, ensure that they do so before the end of the grace period.
• Firms should document the personal data that they hold in order to implement and maintain a ROPA and comply with other governance requirements under the PDPL.
• Security breach policies and procedures need to be put in place or updated to ensure compliance with the breach notification deadlines highlighted.
• Controllers will be required to train staff on the terms and principles of the PDPL and the Regulations. Organisations will need time to embed data protection within the business culture and operational processes.

We have worked with many organisations to help them understand and implement the required measures for compliance with data protection laws around the world. Our team of data privacy and cybersecurity specialists in the Middle East have closely monitored the development of the PDPL (and other regional legislation) to help our clients navigate the compliance challenge.

If you would like further information on how to create an effective privacy framework or advice on the PDPL and the Regulations, please contact us.