Personal Data Protection Law in KSA

The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). It was published in the Official Gazette on 24 September 2021.

The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered.

According to SDAIA’s announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent the abuse of personal data in line with the goals of the Kingdom’s Vision 2030 to develop a digital infrastructure and support innovation to grow a digital economy.

What are the penalties for non-compliance?
The disclosure or publication of sensitive data contrary to the PDPL may result in penalties of imprisonment for up to two years or a fine of up to SAR 3,000,000 (US$ 800,000). Violation of the data transfer provisions could result in imprisonment for up to one year and a fine of up to SAR 1,000,000 (US$ 266,600). In respect of all other provisions of the PDPL, the penalties are limited to a warning notice or a fine of up to SAR 5,000,000 (US$ 1,333,000).

Any of the fines could also be increased up to double the stated maximums for repeat offences and the court may order confiscation of funds gained as a result of breaching the law and/or require publication of the judgment in a newspaper or other media at the offender’s expense. Parties affected by the offences may be able to claim compensation.

The need to be prepared:
The PDPL is stated to take effect 180 days after its publication in the Official Gazette, which means that it will be effective from 23 March 2022. The executive regulations supplementing the Law should also be issued within this period.

All businesses operating in Saudi Arabia or processing the data of Saudi residents will now need to start assessing their activities and making changes to align with the PDPL. Controllers will be required to hold training for staff on the terms and principles of the PDPL and will need time to ensure that a culture of data protection is suitably embedded into the organisation.

How we can help.
The team at Grant Thornton has supported several businesses in complying with the regulations. Our specialist team applies the data protection framework, which covers everything from gap analysis through to ensuring you have a future-ready process embedded to protect both your firm and its reputation.

Download the detailed report (1692 kb), which has been co-authored by Clyde & Co.

To discuss how we can support your firm further, contact Ahmad Al Zoubi