Ever since the General Data Protection Regulation (GDPR) was adopted in the European Union in 2016, data protection laws have been like an unstoppable train whose next station will be Saudi Arabia, where the Personal Data Protection Law (PDPL) will come into effect on March 23.
The PDPL is meant to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data, to help develop a digital infrastructure and support innovation in order to grow a digital economy in KSA. It applies to any processing by businesses or public entities of personal data performed in Saudi Arabia, including the processing of the personal data of Saudi residents by entities located outside the Kingdom. Personal data means any information through which a person may be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses, and contact numbers.
What the law says
Many of the features of the PDPL are similar to those of other international data protection laws, for example:
- Controller obligations: Organizations that collect and use personal data (controllers) will be required to register on an electronic portal. They will need to ensure that personal data is accurate, complete, and relevant before it is processed, have it processed by suitably trained staff, and maintain a record of processing for a set period. Controllers should limit collection to the minimum amount required to achieve the intended purpose.
- Privacy policy: Controllers are required to implement and publish a privacy policy.
- Consent: Data subjects may withdraw their consent to the processing of personal data at any time, without the provision of service or benefit being linked to that consent. Consent is not required under certain conditions.
- Data subject rights: Individuals will have the right to be informed of personal data processing and the reason for it, and the right to access, correct, update, or delete their personal data.
- Marketing: Personal data may not be used for marketing purposes without the consent of the recipient, or after the recipient has used an opt-out mechanism.
- Breach notification: Data breaches, leakages, or unauthorized access to personal data must be notified to the supervising authority and incidents that cause material harm to the data subject must be notified to data subjects.
There are some differences, however:
- Data sovereignty: Controllers will not be able to transfer personal data outside Saudi Arabia except under certain conditions and with specific approvals.
- Personal data disclosures: There is a caveat to the usual permitted disclosures of personal data by the controller for limited reasons.
- Breach notifications: These must be shared immediately rather than within a specified period.
Who will need to comply when
A grace period will be in place to give organizations the time to adapt. It could be up to five years for entities that process the personal data of Saudi residents but are located outside Saudi Arabia. Both entities with a Saudi presence and those that are targeting Saudi residents will be covered by the PDPL and will have to comply. In most cases, the personal data of Saudi residents will have to be collected, stored, and processed in the Kingdom. The recent fracas between Meta and the EU on international data transfers after the abolition of Privacy Shield shows how complex an issue this can be.
If a media agency, for example, buys a regional digital plan for a client, there is a strong possibility that some of those publishers and data sources are subject to PDPL regulations. When we look at the complex chain of relationships between the brand and the consumers, including agencies, publishers, various DSPs, and others, advertisers cannot guarantee that none of these links expose the transactions to databases covered by the PDPL.
As a data processor working with providers around the world, MEmob+ is well accustomed to such regulations and requirements. We rely on data mapping to identify the data we process, store, transfer, and use. We do not have access to PII (personally identifiable information), as it is hashed. We also have data protection policies and procedures in place and regularly review our existing contracts with partners and data sources, ensuring clear consents are in line with current requirements. We also provide training to our staff working with data. GDPR compliance has prepared us well for the raft of new regulations in the GCC.
How we can help
Our experience has also prepared us well to assist organizations in Saudi Arabia with their own plan to become compliant. This assistance includes:
- A data mapping exercise to help organizations understand where their data comes from, why they need it, where they store it, how they use it, and with whom they share it. This will provide them with a snapshot of how their data is collected and managed. It will highlight the gaps that must be closed in order to comply with the new law.
- A record of processing activity (ROPA) to structure the information into a format that can be easily accessed by the organization. Data controllers must keep such records, and the benefits of doing so are substantial. The ROPA will help develop data protection policies, data subject rights processes, data processing agreements, data transfer processes, and policies.
- The consent language used to collect and record data, as it must be appropriate for the purposes of the organization.
- Personal data protection policies that reflect the organization’s approach to personal data management.
- A review of contracts with suppliers and customers to identify and update any data protection clauses that exist.
- Data security provisions, be they technical or organizational, to protect data and avoid breaches.
But being compliant is merely the beginning; you need to remain so. Like any law, the PDPL is fluid and will evolve through its application. Experience will lead to amendments and enhancements based on stakeholders’ feedback and issues that will appear. Its predecessors, like GDPR, are broadly seen as successful and as having met their goals, but the goalposts will keep moving as the technological ecosystem transforms. The development of blockchain will certainly prove interesting in this context.