James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams, offering guidance and advice on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redaction, System Landscape Optimisation (SLO) and SAP industry solutions.
In a move towards comprehensive data protection, the Kingdom of Saudi Arabia (KSA) has introduced the Personal Data Protection Law (PDPL) through the Saudi Data and Artificial Intelligence Authority (SDAIA). The law came into effect on 14 September 2023, and is set to be fully enforceable from 14 September 2024, marking the end of the one-year grace period.
PDPL marks an important step in aligning Saudi Arabia's data privacy framework with global standards. Organisations in Saudi Arabia must leverage this window to solidify their data privacy strategies and ensure they are compliant.
The PDPL is Saudi Arabia's first comprehensive privacy legislation. The law mandates robust protection of personal data and imposes stringent penalties on organisations for non-compliance, which can include:
The PDPL emphasises obtaining explicit consent from data subjects for the processing of personal data, and adopts a restrictive approach to data transfers outside Saudi Arabia, with the above penalties coming into play upon non-compliance.
Saudi Arabia's cybersecurity landscape is becoming increasingly complex, with advanced persistent threats (APTs) becoming more frequent and sophisticated. In the past two years, 16 APT groups have targeted the Middle East, with Saudi Arabia being a focus of these attacks.
From ransomware attacks and phishing to insider threats and APTs aimed at stealing information or disrupting operations, a range of cyber threats is impacting the region. The need for data security to protect sensitive information is becoming increasingly important.
To meet the PDPL's compliance requirements, organisations must adopt a two-pronged approach: immediate compliance, and long-term strategic planning.
Achieving initial compliance with the PDPL involves embedding foundational privacy principles into the company’s operational processes. This will ensure demonstrable compliance and establish a strong privacy culture within the organisation from the get-go. Initial compliance needs to consist of:
Controllers must adhere to the relevant controls issued by the National Cybersecurity Authority (NCA) or, if not subject to these controls, follow internationally recognised best practices. Ensuring robust data security measures is critical to protecting personal data from unauthorised access, breaches, and cyber threats.
For SAP non-production environments holding copies of your personal data, Data Secure™, part of EPI-USE Labs' Data Privacy Suite for SAP solutions, is a comprehensive solution that gives you control over sensitive data within your organisation. Data Secure is the first step towards compliance, allowing you to scramble data on non-production environments using out-of-the-box configuration (masking rules) to accelerate the implementation process.
In the event of a personal data breach that may harm personal data or the data subject, controllers are required to notify the SDAIA within 72 hours.
Conducting DPIAs for specific processing activities is mandatory, particularly those involving:
For your SAP environments, EPI-USE Labs provides specific discovery technology to find and map the Personally Identifiable Information (PII) catalogue of sensitive fields, and document these. We can also complete an SAP Access Risk Assessment to confirm who has access to the critical PII data, and provide recommendations on reducing the risk in Production.
When processing health and credit data, organisations must obtain explicit consent from data subjects and restrict access to a minimal number of employees.
Consent is the sole legal basis for processing personal data for marketing purposes. Organisations must implement robust consent mechanisms and provide easy opt-out options for recipients to comply with the PDPL's requirements on direct marketing.
Photographing official ID documents is prohibited unless required by law or requested by a government authority.
Organisations must appoint a DPO if they engage in regular and continuous monitoring of individuals on a large scale, or process sensitive data as a core activity. The DPO should be independent, adequately resourced, and responsible for overseeing data protection activities and ensuring compliance with the PDPL.
Maintaining a ROPA, which includes details such as contact information, the purpose of data processing, data categories, disclosures, and data retention periods, is essential. This record must be provided to SDAIA upon request, ensuring transparency and accountability in data processing activities.
Achieving higher maturity levels in data privacy requires organisations to standardise and automate privacy and security processes, preparing organisations to adapt to evolving data protection regulations.
We understand the complexities of managing data privacy within large ERP systems like SAP. Our Data Privacy Suite for SAP solutions is designed to help organisations comply with global data privacy legislation, including GDPR, CCPA, POPIA and now, the PDPL in Saudi Arabia.
Focus areas should include:
Understand and map your PII within your SAP environment. A thorough technical assessment helps identify privacy-relevant data in SAP, advises on the inherent risks, and recommends appropriate measures to safeguard PII.
Use Data Secure for direct in-place anonymisation or in combination with the rest of the Data Sync Manager™ (DSM) Suite for scrambling data when copying to your non-production environment. These solutions ensure that sensitive data is protected in test environments.
Efficiently process individual requests for data access and removal with our Data Disclose™ solution (part of the Data Privacy Suite). Timely and accurate responses to DSARs are crucial for compliance and maintaining data subject trust.
Using Data Redact™ (part of the Data Privacy Suite), PII is redacted from records in SAP while maintaining referential integrity – managing your privacy risk while protecting your business data. This ensures that sensitive information is protected, and that all the PII data has been picked up.
Leverage Soterion for SAP, a clear business-centric GRC (Governance, Risk management and Compliance) solution, to comply with the PDPL's requirement to minimise access to the employees who need specific access to perform a job function. With delivered standard rulesets covering segregation of duties and privacy risk, accelerate your road to compliance with our specialist software and consulting.
Conduct ongoing audits and reviews to manage your data privacy and security risks effectively. Proactive risk management helps identify and address potential vulnerabilities before they become significant issues.
Our solutions are effective because they are built on many years of experience with SAP environments, and on experience with privacy regulations and laws worldwide gained from supporting numerous global clients with their compliance. We can work with you to make sure that you comply with the PDPL and other global data privacy regulations effectively.
As the September deadline approaches, Saudi organisations must prioritise data privacy compliance to avoid penalties and enhance their cybersecurity protection. EPI-USE Labs is ready to assist you in this data privacy journey.
© 2024 EPI-USE Labs