Navigating data privacy in Saudi Arabia: A path to compliance

17 July 2024
Written by James Watson

James is responsible for the global line of business for EPI-USE Labs' data privacy and SAP IS-* Solutions, supporting all regions and key accounts running Data Sync Manager (DSM) for these complex requirements. With a functional and business background of over 20 years, James provides the bridge between Development, Basis, Test/Competency Centres and leadership teams, offering guidance and advice on the route to data privacy compliance. His history includes SAP specialisms in non-production data management and anonymisation, Production data removal or redaction, System Landscape Optimisation (SLO) and SAP industry solutions.

In a move towards comprehensive data protection, the Kingdom of Saudi Arabia (KSA) has introduced the Personal Data Protection Law (PDPL) through the Saudi Data and Artificial Intelligence Authority (SDAIA). The law came into effect on 14 September 2023 and is set to be fully enforceable from 14 September 2024, marking the end of the one-year grace period.

PDPL marks an important step in aligning Saudi Arabia's data privacy framework with global standards. Organisations in Saudi Arabia must leverage this window to solidify their data privacy strategies and ensure they are compliant.


Understand the PDPL

The PDPL is Saudi Arabia's first comprehensive privacy legislation. The law mandates robust protection of personal data and imposes stringent penalties on organisations for non-compliance, which can include:

  • Fines up to SAR 5 million. Additionally, in cases of repeat offences, fines can be increased up to double the maximum amount.
  • Imprisonment for up to two years.
  • Confiscation of funds gained as a result of violations of the law.
  • Publication of the judgement at the offender's expense.

The PDPL emphasises obtaining explicit consent from data subjects for the processing of personal data, and adopts a restrictive approach to data transfers outside Saudi Arabia, with the above penalties coming into play upon non-compliance.


Current cybersecurity landscape in Saudi Arabia

Saudi Arabia's cybersecurity landscape is becoming increasingly complex, with advanced persistent threats (APTs) becoming more frequent and sophisticated. In the past two years, 16 APT groups have targeted the Middle East, with Saudi Arabia being a focus of these attacks.

From ransomware attacks and phishing to insider threats and APTs aimed at stealing information or disrupting operations, a number of cyber threats are impacting the region. The need for data security to protect sensitive information is becoming increasingly important.

How to prepare for Saudi Arabia’s PDPL

To meet the PDPL's compliance requirements, organisations must adopt a two-pronged approach: immediate compliance, and long-term strategic planning.

Initial compliance: Implementing foundational privacy principles

Achieving initial compliance with the PDPL involves embedding foundational privacy principles into the company’s operational processes. This will ensure demonstrable compliance and establish a strong privacy culture within the organisation from the get-go. Initial compliance needs to consist of:

1. Data security:

Controllers must adhere to the relevant controls issued by the National Cybersecurity Authority (NCA) or, if not subject to these controls, follow internationally recognised best practices. Ensuring robust data security measures is critical to protecting personal data from unauthorised access, breaches, and cyber threats.


For SAP non-production environments with copies of your personal data, Data Secure™, part of the EPI-USE Labs’ Data Privacy Suite for SAP solutions, is a comprehensive solution that gives you control over sensitive data within your organisation. Data Secure is the first step towards compliance, allowing you to scramble data on non-production environments using out-of-the-box configuration (masking rules) to accelerate the implementation process.

2. Breach notification:

In the event of a personal data breach that may harm personal data or the data subject, controllers are required to notify the SDAIA within 72 hours.

3. Data Protection Impact Assessments (DPIAs):

Conducting DPIAs for specific processing activities is mandatory, particularly those involving:

  • sensitive personal data
  • data related to children
  • continuous monitoring of data subjects
  • new technologies
  • automated decision-making.

For your SAP environments, EPI-USE Labs provides specific discovery technology to find and map the Personally Identifiable Information (PII) catalogue of sensitive fields, and document these. We can also complete an SAP Access Risk Assessment to confirm who has access to the critical PII data, and provide recommendations on reducing the risk in Production.

4. Health and credit data:

When processing health and credit data, organisations must obtain explicit consent from data subjects and restrict access to a minimal number of employees.

5. Direct marketing:

Consent is the sole legal basis for processing personal data for marketing purposes. Organisations must implement robust consent mechanisms and provide easy opt-out options for recipients to comply with the PDPL's requirements on direct marketing.

6. Official ID documents:

Photographing official ID documents is prohibited unless required by law or requested by a government authority.

7. Data Protection Officer (DPO):

Organisations must appoint a DPO if they engage in regular and continuous monitoring of individuals on a large scale, or process sensitive data as a core activity. The DPO should be independent, adequately resourced, and responsible for overseeing data protection activities and ensuring compliance with the PDPL.

8. Record of Processing Activities (ROPA):

Maintaining a ROPA, which includes details such as contact information, the purpose of data processing, data categories, disclosures, and data retention periods, is essential. This record must be provided to SDAIA upon request, ensuring transparency and accountability in data processing activities.

Long-term planning: Standardising and automating privacy and security processes

Achieving higher maturity levels in data privacy requires organisations to standardise and automate privacy and security processes, which prepares them to adapt to evolving data protection regulations.

We understand the complexities of managing data privacy within large ERP systems like SAP. Our Data Privacy Suite for SAP solutions is designed to help organisations comply with global data privacy legislation, including GDPR, CCPA, POPIA and now the PDPL in Saudi Arabia.


Focus areas should include:

1. Data privacy assessment:

Understand and map the PII within your SAP environment. A thorough technical assessment identifies privacy-relevant data in SAP, advises on the inherent risks, and recommends appropriate measures to safeguard PII.

2. Data anonymisation and scrambling:

Use Data Secure for direct in-place anonymisation or in combination with the rest of the Data Sync Manager™ (DSM) Suite for scrambling data when copying to your non-production environment. These solutions ensure that sensitive data is protected in test environments.

3. Handling Data Subject Access Requests (DSARs):

Efficiently process individual requests for data access and removal with our Data Disclose™ solution (part of the Data Privacy Suite). Timely and accurate responses to DSARs are crucial for compliance and maintaining data subject trust.

4. Data removal requests:

Using Data Redact™ (part of the Data Privacy Suite), PII is redacted from records in SAP while maintaining referential integrity – managing your privacy risk while protecting your business data. This ensures that sensitive information is protected, and that all the PII data has been picked up.

5. Roles and authorisations:

Leverage Soterion for SAP, a clear business-centric GRC (Governance, Risk management and Compliance) solution, to meet the PDPL’s requirement to minimise access to those employees who need it to perform a job function. With delivered standard rulesets covering segregation of duties and privacy risk, accelerate your road to compliance with our specialist software and consulting.

6. Proactive risk management:

Conduct ongoing audits and reviews to manage your data privacy and security risks effectively. Proactive risk management helps identify and address potential vulnerabilities before they become significant issues.

Our solutions are effective because they are built on many years of experience with SAP environments and with privacy regulations and laws worldwide, gained by working with numerous global clients to support their compliance. We can work with you to make sure that you comply with the PDPL and other global data privacy regulations effectively.

As the September deadline approaches, Saudi organisations must prioritise data privacy compliance to avoid penalties and enhance their cybersecurity protection. EPI-USE Labs is ready to assist you in this data privacy journey.
