PDPL – New data protection law in KSA
The Personal Data Protection Law (PDPL), published on 24 September 2021, is due to come into effect on 23 March 2022. The law defines a set of policies for processing personal data and sets out the rights of personal data owners. It will require businesses to make significant changes in how they collect, process, and store the personal information of their clients. The law applies to the personal information of all residents of the Kingdom of Saudi Arabia, whether that information is processed by entities inside the KSA or by any entity outside it. Processing of personal data includes collecting, modifying, disclosing, storing, transferring, destroying, or blocking an individual's personal data.
The PDP Law defines a simple process built around two main entities: the Controlling Party, responsible for defining the scope, purpose and manner of data processing, and the Processing Party, responsible for the actual processing of the data. The law applies to all public and private businesses, organisations and individuals that process personal data, except for individual use of personal data that is restricted to, and does not exceed, family use. The system works as a simple process. First, the Controlling Party must register with an authorised entity (which will initially be the Saudi Data and Artificial Intelligence Authority, SDAIA). Second, the data owner's rights must be respected and upheld: under the law, data owners can seek correction of their data and can even ask for it to be destroyed. The process must be as transparent as possible, so that data owners can see and understand how and why their data is collected, stored, and processed. The Controlling Party is also responsible for reporting data breaches, collecting the minimum possible data, and establishing a secure policy for handling personal data. Processing of data also requires consent from the personal data owner unless it is impossible to reach the owner. No entity in the Kingdom may share an individual's personal information with any outside party unless doing so is in the Kingdom's best interest or is required for critical medical purposes. All transfers of personal data to external entities will probably need approval from the regulatory authority before any of these exceptions can be acted upon.
Furthermore, the PDP Law categorises data into different sets, such as health data, credit data, direct marketing data, official documents, and so on. It also imposes criminal penalties and administrative fines for unlawful disclosure of data or illegal transfer of data to an entity outside the KSA. The penalty can be jail time of up to 2 years together with a SAR 2 million fine. Data owners can also seek compensation for any kind of violation of the PDP Law.