Saudi data law deadline: Is your organisation ready?

You have been tracking developments surrounding the Personal Data Protection Law (PDPL) for several years. Will you summarise the requirements and explain the current status of the regulation?

Over the last several years, the law was developed, revised, opened up to public comment, and ultimately amended to closely align with the requirements within the European Union’s General Data Protection Regulation.

Key principles to that end include similar adequacy and data transfer mechanisms, individual data rights, breach notification timelines and the introduction of a legitimate interest basis for processing personal data. That’s a summary of course, but those are some of the key foundational elements.

The law took effect in September 2023, with a compliance transition period of one year. That period will end in several months, at which time the Saudi Data and Artificial Intelligence Authority (SDAIA) will begin to enforce and potentially seek penalties against any organisations that have not fully implemented compliance.

Are most Saudi organisations ready for that deadline?

It’s a mix. Some of the larger organisations in the country have already had to establish compliance with GDPR and other global privacy laws, so their programmes are more sophisticated and more easily adapted to fulfil the requirements of the PDPL.

At the same time, these organisations (especially those in financial services) will also need to balance any disparities or contradictions between requirements in the PDPL and other national laws to which they are subject.

This will require a pragmatic approach to harmonise certain aspects of other regulations with the PDPL’s guidance. We often recommend that clients create their gold standard of privacy compliance, tailored to their obligations, risk tolerance, priority compliance areas and business needs.  Separately are the organisations that are partially ready or underprepared; these are now under time pressure to be ready for enforcement. At this point, organisations that are obligated under the PDPL should already have implemented their record of processing activities and foundational policies and procedures.

The policies should either be operationalised now or at least have a supporting plan for integrating them into company operations over the next several months. For example, organisations should have a robust process established for conducting data protection impact assessments, which are required for all high-risk processing operations.

All data protection and security risks identified during an assessment should be documented in a treatment plan that identifies the individuals and teams who will be involved in resolving the risks.

We are also seeing many companies struggle to find and appoint a data protection officer (DPO) with sufficient experience to effectively fulfil the role. Some organisations are pushing DPO responsibilities to employees in their legal or compliance functions, however, care should be taken to ensure that these individuals are not overburdened, and fundamentally are equipped to perform the necessary tasks.

Organisations who are struggling to appoint a DPO should consider outsourcing the role of the DPO as a short- to medium-term solution.

What other high-priority programmatic steps do organisations need to take by September but may not have implemented yet?

Training across the business is important to help organisations establish a culture of compliance, as well as identify and report risks or data exposures they may not otherwise be aware of. Regular data protection training should be developed and included in the annual training curriculum to ensure that key standards outlined in policies and procedures are communicated and key contact points within the organisation are shared so that employees feel empowered to handle data correctly.

Effective training and awareness can also help guard against accidental disclosure of personal data by employees, which is a common cause of personal data breaches. Everything should be robust yet easy to follow so compliance is as straightforward as possible for employees.

Organisations that are still maturing in their privacy journey should also integrate their data protection officer’s role and PDPL framework into a global framework to help strengthen privacy compliance in other regions. Developing reporting processes and metrics to help measure data subject rights requests is another important aspect of preparedness.

Past the September deadline, what are the long-term considerations organisations should be thinking about regarding privacy compliance?

Sustaining compliance takes consistent effort. Developing and continually adjusting a data protection governance model is an important element of this process. In addition to building a culture of compliance and educating employees, identifying a single point of contact, supported by privacy champions in each business function, to monitor compliance and communicate and escalate risks can help with upholding strong data privacy long term and being responsive to the evolving regulatory landscape.

Read Dubai: DIFC amends data protection regulations