The Kingdom of Saudi Arabia has published its first-ever comprehensive data protection law.
The Personal Data Protection Law (PDPL) aims to protect individuals’ personal data privacy and regulate organizations’ collection, processing, disclosure, or retention of personal data.
The Saudi Authority for Data and Artificial Intelligence will supervise the initial implementation and enforcement of the law – set to take effect on March 17, 2023 – for two years. Then the National Data Management Office will supervise.
The law introduces several requirements that can greatly affect how companies operate in the Kingdom, such as registration, data localization requirements, and others.
Companies must make several changes to comply with the law. They must understand the nature of the data they maintain, Identify how to control them, and create policies and procedures for handling data.
Businesses shall start preparing for the law by identifying the kind of services they provide and what kind of internal policies and procedures they need. They also need to document what personal data they hold, its source, and with whom it is shared.
They are also required to implement and test what happens in case of data violations and identify how to transfer data internationally.
Companies will also need to test plans in the event of a data violation as soon as possible. Finally, they need to qualify the appropriate staff and think carefully about who will be assigned as the data protection officer; as this position will take responsibility for failing to comply with the PDPL.