Six Months Until Enforcement: Key Compliance Steps for Saudi Arabia’s Data Protection Law  

Latham & Watkins LLP

The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.

The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.  

Scope

The PDPL has a very wide scope and applies to all entities operating in Saudi Arabia, as well as entities outside Saudi Arabia that process the personal data of individuals in Saudi Arabia (with no requirement that they be targeting or monitoring those individuals). All in-scope entities will need to complete a compliance programme before 14 September 2024.

Penalties

Non-compliance with the PDPL may result in fines of up to $1.3 million (which can be doubled for repeat offences), possible imprisonment for certain disclosures of sensitive personal data, warnings, confiscation of funds obtained as a result of the violation, and compensation claims from individuals. Non-compliance may also result in reputational damage and contractual claims.

Transfers of personal data outside of the Kingdom

The PDPL contains detailed requirements for transferring personal data outside the Kingdom, which apply in addition to sector-specific data localisation requirements. The compliance steps required to transfer personal data outside of the Kingdom vary depending on the recipient jurisdiction and the nature of the personal data transferred. We are awaiting SDAIA’s issuance of a list of “adequate” jurisdictions for personal data transfers, as well as further details on alternative transfer mechanisms, such as standard contractual clauses, which may be relied on for transfers to non-adequate jurisdictions.

High-priority compliance steps

The steps an entity must take to become compliant with the PDPL will depend on its existing global data protection compliance programme, and on whether that programme can be extended to personal data in scope of the PDPL. The PDPL, for example, uses the same concepts and principles as the EU General Data Protection Regulation (GDPR), albeit with areas of divergence. If an entity already has a GDPR compliance programme in place, that programme could be extended to apply to data in scope of the PDPL, with amendments and additions specific to Saudi Arabia.

Below is a non-exhaustive list of initial high-priority steps that entities should take, based on the status of their existing data protection compliance programme.

Limited data protection compliance programme

Entities with a limited data protection compliance programme will need to take more significant compliance steps, which may require substantial resources and more time to implement. Initial high-priority steps include:

  1. Identifying suitable individuals or teams to assist with and be responsible for data protection
  2. Understanding and documenting personal data processing activities, in a Record of Processing Activities, which also includes understanding the organisation’s role as a controller or processor
  3. Mapping international transfers of personal data outside the Kingdom, in preparation for implementing a valid transfer mechanism, once SDAIA issues further details
  4. Drafting privacy notices for relevant individuals (e.g., website visitors, customers, employees)
  5. Implementing processes to recognise, action, and respond to data subject rights requests, such as the ability to search for, retrieve, update, and delete personal data
  6. Identifying high-risk processing activities and carrying out impact assessments, and assessing whether a Data Protection Officer is required
  7. Implementing processes to detect, handle, and respond to personal data breaches, including notifying SDAIA and individuals
  8. Reviewing direct marketing activities and the legal basis relied on, to ensure appropriate consents are obtained
  9. Reviewing and updating agreements with data processors to ensure they include mandatory contractual requirements (and international transfer provisions, when applicable)

Mature GDPR compliance programme

Entities with a GDPR programme may be able to leverage existing materials and processes for compliance with the PDPL. However, these materials and processes will need to be reviewed and updated to account for areas of divergence between the GDPR and the PDPL. Initial high-priority steps include:

  1. Assessing the personal data that is in scope of the PDPL
  2. Undertaking a gap analysis of the GDPR vs. PDPL requirements
  3. Extending the GDPR programme to personal data in scope of the PDPL (subject to the gap analysis conducted), for example, extending the Record of Processing Activities to also cover in-scope PDPL data and the data subject rights processes to also include individuals in Saudi Arabia
  4. Mapping international transfers of personal data outside the Kingdom, in preparation for implementing a valid transfer mechanism, once SDAIA issues further details
  5. Reviewing the legal basis for processing and for disclosures of personal data, to account for divergences with the GDPR
  6. Reviewing processing carried out as a joint controller, to ensure that all compliance requirements are fulfilled independently, given there is no joint controller concept under the PDPL
  7. Reviewing and updating agreements with data processors (and intra-group agreements) to ensure these include mandatory contractual requirements (and international transfer provisions, when applicable), given divergences with the GDPR
  8. Reviewing thresholds for conducting a Data Protection Impact Assessment (DPIA), given that DPIAs are required for all processing of sensitive personal data under the PDPL, and reviewing requirements for providing DPIAs to data processors
  9. Reviewing and updating data breach response procedures, given the lower breach notification threshold under the PDPL (“potentially causes harm”)

For more information on the PDPL, and in particular international data transfer requirements, see Latham’s previous article.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
