Let's Talk Data Security

Navigating data privacy in Saudi Arabia: A path to compliance

Written by James Watson | Jul 17, 2024 1:52:33 PM

In a move towards comprehensive data protection, the Kingdom of Saudi Arabia (KSA) has introduced the Personal Data Protection Law (PDPL) through the Saudi Data and Artificial Intelligence Authority (SDAIA). The law came into effect on 14 September 2023, and is set to be fully enforceable from 14 September 2024, marking the end of the one-year grace period.

PDPL marks an important step in aligning Saudi Arabia's data privacy framework with global standards. Organisations in Saudi Arabia must leverage this window to solidify their data privacy strategies and ensure they are compliant.

Understand the PDPL

The PDPL is Saudi Arabia's first comprehensive privacy legislation. The law mandates robust protection of personal data and imposes stringent penalties on organisations for non-compliance, which can include:

  • Fines up to SAR 5 million. Additionally, in cases of repeat offences, fines can be increased up to double the maximum amount.
  • Imprisonment for up to two years.
  • Confiscation of funds gained as a result of violations of the law.
  • Publication of the judgement at the offender's expense.

The PDPL emphasises obtaining explicit consent from data subjects for the processing of personal data, and adopts a restrictive approach to data transfers outside Saudi Arabia, with the above penalties coming into play upon non-compliance.


Current cybersecurity landscape in Saudi Arabia

Saudi Arabia's cybersecurity landscape is becoming increasingly complex, with advanced persistent threats (APTs) growing more frequent and sophisticated. In the past two years, 16 APT groups have targeted the Middle East, with Saudi Arabia a particular focus of these attacks.


From ransomware and phishing to insider threats and APTs aimed at stealing information or disrupting operations, a range of cyber threats is impacting the region, and data security for sensitive information is becoming increasingly important.

How to prepare for Saudi Arabia’s PDPL

To meet the PDPL's compliance requirements, organisations must adopt a two-pronged approach: immediate compliance, and long-term strategic planning.

Initial compliance: Implementing foundational privacy principles

Achieving initial compliance with the PDPL involves embedding foundational privacy principles into the company’s operational processes. This will ensure demonstrable compliance and establish a strong privacy culture within the organisation from the get-go. Initial compliance needs to consist of:

1. Data security:

Controllers must adhere to the relevant controls issued by the National Cybersecurity Authority (NCA) or, if not subject to these controls, follow internationally recognised best practices. Ensuring robust data security measures is critical to protecting personal data from unauthorised access, breaches, and cyber threats.


For SAP non-production environments with copies of your personal data, Data Secure™, part of the EPI-USE Labs’ Data Privacy Suite for SAP solutions, is a comprehensive solution that gives you control over sensitive data within your organisation. Data Secure is the first step towards compliance, allowing you to scramble data on non-production environments using out-of-the-box configuration (masking rules) to accelerate the implementation process.

2. Breach notification:

In the event of a personal data breach that may harm personal data or the data subject, controllers are required to notify the SDAIA within 72 hours.

3. Data Protection Impact Assessments (DPIAs):

Conducting DPIAs for specific processing activities is mandatory, particularly those involving:

  • sensitive personal data
  • data related to children
  • continuous monitoring of data subjects
  • new technologies
  • automated decision-making.

For your SAP environments, EPI-USE Labs provides specific discovery technology to find and map the Personally Identifiable Information (PII) catalogue of sensitive fields, and document these. We can also complete an SAP Access Risk Assessment to confirm who has access to the critical PII data, and provide recommendations on reducing the risk in Production.

4. Health and credit data:

When processing health and credit data, organisations must obtain explicit consent from data subjects and restrict access to a minimal number of employees.

5. Direct marketing:

Consent is the sole legal basis for processing personal data for marketing purposes. Organisations must implement robust consent mechanisms and provide easy opt-out options for recipients to comply with the PDPL's requirements on direct marketing.

6. Official ID documents:

Photographing official ID documents is prohibited unless required by law or requested by a government authority.

7. Data Protection Officer (DPO):

Organisations must appoint a DPO if they engage in regular and continuous monitoring of individuals on a large scale, or process sensitive data as a core activity. The DPO should be independent, adequately resourced, and responsible for overseeing data protection activities and ensuring compliance with the PDPL.

8. Record of Processing Activities (ROPA):

Maintaining a ROPA, which includes details such as contact information, the purpose of data processing, data categories, disclosures, and data retention periods, is essential. This record must be provided to SDAIA upon request, ensuring transparency and accountability in data processing activities.

Long-term planning: Standardising and automating privacy and security processes

Achieving higher maturity levels in data privacy requires organisations to standardise and automate privacy and security processes, preparing organisations to adapt to evolving data protection regulations.


We understand the complexities of managing data privacy within large ERP systems like SAP. Our Data Privacy Suite for SAP solutions is designed to help organisations comply with global data privacy legislation, including GDPR, CCPA, POPIA and now, the PDPL in Saudi Arabia.


Focus areas should include:

1. Data privacy assessment:

Understand and map your PII within your SAP environment. A thorough technical assessment identifies privacy-relevant data in SAP, advises on the inherent risks, and recommends appropriate measures to safeguard PII.

2. Data anonymisation and scrambling:

Use Data Secure for direct in-place anonymisation or in combination with the rest of the Data Sync Manager™ (DSM) Suite for scrambling data when copying to your non-production environment. These solutions ensure that sensitive data is protected in test environments.

3. Handling Data Subject Access Requests (DSARs):

Efficiently process individual requests for data access and removal with our Data Disclose™ solution (part of the Data Privacy Suite). Timely and accurate responses to DSARs are crucial for compliance and maintaining data subject trust.

4. Data removal requests:

Using Data Redact™ (part of the Data Privacy Suite), PII is redacted from records in SAP while maintaining referential integrity – managing your privacy risk while protecting your business data. This ensures that sensitive information is protected, and that all the PII data has been picked up.
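The scrambling in point 2 and the redaction with referential integrity in point 4 rest on the same mechanic: any field that serves as a join key must be transformed identically in every table, while other PII can simply be overwritten. The Python below is an added illustration written for this post, not code from EPI-USE Labs' Data Secure or Data Redact; the customer and order tables, the masking rules and the key are constructed.

```python
import hashlib
import hmac
# Constructed sample data (no real people): a customer master table and its
# dependent orders, linked by customer_id. That link must survive masking.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Noura Al-Qahtani", "national_id": "1098765432",
     "email": "noura@example.sa", "city": "Riyadh"},
    {"customer_id": "C1002", "name": "Tariq Hassan", "national_id": "1012345678",
     "email": "tariq@example.sa", "city": "Jeddah"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C1001", "contact_email": "noura@example.sa", "amount": 250.0},
    {"order_id": "O-2", "customer_id": "C1001", "contact_email": "noura@example.sa", "amount": 99.5},
    {"order_id": "O-3", "customer_id": "C1002", "contact_email": "tariq@example.sa", "amount": 1200.0},
]

# Hypothetical masking rules (field -> strategy), standing in for a product's
# out-of-the-box configuration. "pseudonym": keyed deterministic token, same in
# every table so joins still work. "redact": overwritten. Unlisted fields are kept.
RULES = {"customer_id": "pseudonym", "email": "pseudonym", "contact_email": "pseudonym",
         "name": "redact", "national_id": "redact"}

def pseudonymise(value: str, key: bytes) -> str:
    # HMAC-SHA256, not a bare hash: without the key nobody can rebuild tokens by
    # guessing inputs such as national IDs. The key stays in production only.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_record(record: dict, key: bytes) -> dict:
    masked = {}
    for field, value in record.items():
        rule = RULES.get(field)
        if rule == "pseudonym":
            masked[field] = pseudonymise(str(value), key)
        elif rule == "redact":
            masked[field] = "REDACTED"
        else:
            masked[field] = value
    return masked

def mask_dataset(customers: list, orders: list, key: bytes) -> tuple:
    return [mask_record(c, key) for c in customers], [mask_record(o, key) for o in orders]

def referential_integrity_ok(customers: list, orders: list) -> bool:
    # Every order must still resolve to an existing customer after masking.
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)

def leaked_values(masked: list, originals: list) -> set:
    # Original values of ruled fields that still appear verbatim in the masked copy.
    secrets = {str(r[f]) for r in originals for f in RULES if f in r}
    return {str(v) for r in masked for v in r.values()} & secrets
```

Running `leaked_values` and `referential_integrity_ok` over the masked copy is the acceptance check a non-production refresh should pass before the system is handed to testers.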

5. Roles and authorisations:

Leverage Soterion for SAP, a clear, business-centric GRC (Governance, Risk management and Compliance) solution, to comply with the PDPL's requirement to limit access to only those employees who need it to perform a job function. With delivered standard rulesets covering segregation of duties and privacy risk, you can accelerate your road to compliance with our specialist software and consulting.

6. Proactive risk management:

Conduct ongoing audits and reviews to manage your data privacy and security risks effectively. Proactive risk management helps identify and address potential vulnerabilities before they become significant issues.


Our solutions are effective because they rest on many years of experience with SAP environments and with privacy regulations and laws worldwide, gained by supporting numerous global clients in their compliance efforts. We can work with you to make sure you comply with the PDPL and other global data privacy regulations effectively.


As the September deadline approaches, Saudi organisations must prioritise data privacy compliance to avoid penalties and enhance their cybersecurity protection. EPI-USE Labs is ready to assist you in this data privacy journey.