Transition period for Saudi Arabia's data protection law ends
Saudi Personal Data Protection Law fully enforceable from September 14th
#Saudi #PDPL - The transition period for Saudi Arabia’s Personal Data Protection Law (PDPL) announced last year comes to an end today, September 14th 2024. The new law, developed by the Saudi Data and Artificial Intelligence Authority (SDAIA), became effective on September 14th 2023, but organisations in the Kingdom were given one year to work on their compliance before any enforcement of the PDPL would take place. There has been no official re-confirmation that today’s deadline applies, but legal and compliance professionals in the Kingdom assume that the transition period ends today.
SO WHAT? - Saudi Arabia’s PDPL is the country’s first comprehensive national data protection law to regulate the collection and processing of personal information. Compliance is required of all organisations that collect personal data of Saudi residents and citizens and is particularly relevant to financial institutions and service providers that collect large volumes of personal data. Compliance with the PDPL is mandatory, so it’s something that all organisations in the Kingdom must understand and take appropriate measures for. According to global technology services and consulting company Cognizant, it’s critical for organisations to make the effort to understand the new Saudi law and not give in to complacency because their systems are compliant with other data protection laws, such as Europe’s GDPR. The Saudi PDPL has its own characteristics that must be understood and planned for.
Here's a timeline showing key milestones in Saudi Arabia's PDPL journey:
📅 Aug-19 - The Saudi Data and Artificial Intelligence Authority (SDAIA) is formed by royal decree No. (74167) on 29/12/1440 AH (30 August 2019)
📅 Oct-20 - The National Strategy for Data and AI (NSDAI) is published by the SDAIA, proposing a strong regulatory framework for data protection and AI.
📅 Oct-20 - The SDAIA publishes National Data Governance Interim Regulations to govern the management of data, plus the collection and use of personal data by government entities. These include Personal Data Protection Interim Regulations.
📅 Sep-21 - The Personal Data Protection Law (PDPL) was issued by Royal Decree M/19 of 9/2/1443H (16 September 2021). According to standard procedure, the new law will come into effect 180 days later (23-Mar-22).
📅 Mar-22 - SDAIA announces that the implementation of the Saudi Personal Data Protection Law is postponed until 17 March 2023, in light of the feedback received from public and private sector stakeholders.
📅 Nov-22 - SDAIA launches a second public consultation on the PDPL via the Saudi government Public Consultation Platform, inviting comments on a new draft version of the law, which includes significant revisions to the original.
📅 Mar-23 - On March 21st the Saudi Cabinet of Ministers approves an amended Saudi Personal Data Protection Law submitted by SDAIA.
📅 Apr-23 - The Saudi government announces that the PDPL will take effect from September 14th, 2023, which is 720 days after the publication of the original law in the Official Gazette.
📅 Sep-23 - The final PDPL Implementing Regulations and Data Transfer Regulations are published in the Official Gazette. A 12-month grace period for full compliance is also confirmed.
📅 Jul-24 - SDAIA launches ‘Understand Your Data’ public awareness campaign.
📅 Aug-24 - SDAIA publishes the rules for organisations appointing a personal data protection officer (DPO).
📅 Sep-24 - SDAIA publishes updated Data Transfer Regulations.
📅 Sep-24 - The transition period for Saudi Personal Data Protection Law compliance ends and the law becomes fully enforceable.
ZOOM OUT - It’s important to recognise that the end of the transition phase for the Saudi Arabia Personal Data Protection Law is a milestone in a journey that has so far taken years of study, consultation and work by SDAIA and other government departments. Awareness, levels of compliance and enforcement actions are all likely to increase over the coming year and so, according to Cognizant, the most important thing is for organisations to make sure they are on the right track. The level of transparency and proactive measures taken by organisations with regard to the PDPL is likely to affect their compliance risk heavily. Transparency and engagement with regulators are critical, as the PDPL does allow for case-by-case grace period extensions.
Read more about the Saudi Arabia Personal Data Protection Law:
Saudi data law revisited (Middle East AI News)
LINKS
Saudi Arabia Personal Data Protection Law (PDF English, April 2023)
Data Protection Law landing page (English, SDAIA)
Data Protection Law landing page (Arabic, SDAIA)
Implementing regulations for PDPL (PDF English)
Rules for appointing Data Protection Officers (PDF English, August 2024)
Rules for appointing Data Protection Officers (PDF Arabic, August 2024)
Guidelines for BCR For Personal Data Transfer (PDF English, September 2024)
Guidelines for BCR For Personal Data Transfer (PDF Arabic, September 2024)
Disclaimer: Nothing in the above article should be taken as legal advice and links provided are for general information only. Rules and regulations may be updated at any time. Please check with your legal counsel if you have questions.