“Core duties for data controllers under the PDPL will include issuing privacy policies, keeping records of personal data processing, putting in place processes for managing and notifying data breaches, meeting data minimisation requirements, handling subject access requests, as well as actioning flow-down obligations to data processors. To be able to comply with these various obligations, businesses must first understand what personal data they hold. As a result, a data mapping exercise should be the first compliance step that businesses take,” he said.
Hayward said that the previous version of the PDPL predominantly provided for the processing of personal data on the basis of the data subject’s consent. Now, depending on the processing activity, businesses will have greater scope to rely on alternative lawful bases for processing under the updated regime.
Specifically, it will be lawful for businesses to process personal data in Saudi Arabia if doing so is necessary to achieve their ‘legitimate interests’, a term the amended law does not yet define, unless the processing prejudices or conflicts with the rights or interests of the data subject, and provided the data is not classed as ‘sensitive data’, such as health data, or information that concerns an individual’s ethnicity or religious or political beliefs. Hayward highlighted that the definition of ‘sensitive data’ has also been amended, notably to remove references to credit data and location data.
Hayward said, though, that while some of the previous restrictions on the transfer of personal data out of Saudi Arabia have been lifted under the amended PDPL, the amended data transfer provisions may well present some challenges, particularly for global businesses with Saudi operations.
Hayward said: “Further executive regulations are expected that will flesh out the detail on some aspects of the updated PDPL – including in relation to data transfers. Businesses will get a better understanding, when the executive regulations are issued, of exactly what types of data transfers will be permitted, the jurisdictions they will be able to transfer personal data to and in which circumstances.”