Updates to Saudi Arabia Data Protection Law
Saudi Arabia’s data protection law, known as the Saudi Data and Artificial Intelligence Authority (SDAIA), has recently undergone some updates that companies operating in the Kingdom must be aware of. This article covers the changes to the law and what they mean for businesses in Saudi Arabia.
Saudi Arabia has been focusing on data protection as part of its Vision 2030 plan, which aims to create a modern, thriving economy. The Kingdom has made significant strides in implementing regulations to protect data and artificial intelligence. In recent years, Saudi Arabia’s data protection law, SDAIA, has undergone significant updates to ensure that it aligns with international standards.

CHANGES TO SDAIA
In 2019, SDAIA was established to regulate and develop the country’s data and artificial intelligence sectors. In September 2020, the SDAIA issued a new data protection law that replaced the previous law that was enacted in 2012. The new law, which is called the Personal Data Protection Law (PDPL), is based on the General Data Protection Regulation (GDPR) of the European Union.
The PDPL imposes new obligations on businesses operating in Saudi Arabia, including the need to obtain explicit consent from individuals before collecting, processing, or transferring their personal data. The law also requires companies to appoint a data protection officer (DPO) to ensure compliance with the PDPL.
Another significant change introduced by the PDPL is the establishment of a data protection authority, which will have the power to enforce the law and impose penalties for non-compliance. The authority will also have the power to investigate and audit companies’ data protection practices.
WHAT DOES THE NEW LAW MEAN FOR BUSINESSES?
The PDPL applies to all businesses operating in Saudi Arabia, including those based outside the Kingdom that process the personal data of Saudi Arabian residents. The law applies to any information that can be used to identify an individual, including names, addresses, email addresses, and phone numbers.

Companies that collect and process personal data will need to obtain explicit consent from individuals before doing so. The consent must be freely given, specific, informed, and unambiguous. Companies must also provide individuals with information about how their data will be used and who will have access to it.
The PDPL also requires companies to appoint a data protection officer (DPO) who will be responsible for ensuring compliance with the law. The DPO must have expert knowledge of data protection and be able to advise the company on its obligations under the PDPL. The DPO will also be responsible for communicating with the data protection authority and responding to any inquiries.
The establishment of a data protection authority means that companies that fail to comply with the PDPL could face significant penalties. The authority has the power to impose fines of up to SAR 10 million (USD 2.67 million) for serious violations of the law. Companies that do not appoint a DPO or fail to provide individuals with the required information could also face penalties.
CONCLUSION
The updates to Saudi Arabia’s data protection law are an essential step in protecting individuals’ personal data and ensuring that businesses operate in a transparent and responsible manner. The PDPL imposes significant obligations on companies operating in the Kingdom, including the need to obtain explicit consent from individuals and appoint a data protection officer. Companies must ensure that they are aware of their obligations under the PDPL and take steps to comply with the law to avoid penalties.
As always, the legal experts at Tasheel Law Firm are here to help businesses navigate the complexities of the Personal Data Protection Law (PDPL) and ensure that they are compliant with the law. Contact us today to learn more about how