
Saudi Arabia: Understanding the New Data Protection Law




Dounia Aghdoube, an attorney at Schlüter Graf in Dubai, United Arab Emirates (UAE), has many clients in Saudi Arabia (KSA) whose companies process their payroll outside of the kingdom. But with the imminent arrival of the new Data Protection Law (DPL) in Saudi Arabia on March 23, payroll service providers and other data processing operations that take place outside of the country may need to figure out alternate arrangements, because the new law limits the ability to transfer personal data outside the country.

There will be a one-year grace period before the DPL takes full effect on March 23, 2023. Before then, companies should prepare themselves for all the big and small changes to the way data is stored and processed. 

"The DPL provides for tight restrictions on cross-border data transfer outside of the KSA and only provides specific exceptions from this rule. For example, transfer is possible where the controller has the approval of the KSA data protection authority," said Anja Christine Adam, an attorney with Schlüter Graf in Dubai and Hamburg, Germany. "If none of the exceptions are applicable to businesses in the KSA, they may have to consider creating local data centers and using service providers that process data within the country in order to fulfill any data localization requirements in the KSA. The awaited implementing regulations may shed further light into this topic."

New Changes Regarding Personal Data

This is just one of many changes that will go into effect with the new DPL. The DPL draws on the European Union's General Data Protection Regulation (GDPR), defining personal data and regulating how personal data can be used, processed and retained.

Personal data is any data related to a specific person or related to a person that can be identified directly or indirectly by linking the data, Aghdoube said. "This expressly includes an individual's name, address, contact number, picture or any other data of [a] personal nature."

The new law requires any organizations that control or process personal data to comply with certain principles and obligations relating to how they handle that data, said Dino Wilkinson, an attorney with Clyde & Co in Abu Dhabi, UAE. A data protection agency has been established in Saudi Arabia to oversee the DPL.

Similarities and Differences from the GDPR

The new law is similar to the GDPR but differs in notable ways. The restrictions on transferring data across borders are a key difference. 

In general, "you shouldn't transfer data outside the kingdom. But if you have to, then you need to comply with certain conditions. At the moment, we're still waiting for some implementing regulations to give us a better picture of what those conditions will be," Wilkinson said. "For companies that haven't had to worry about data transfers to subsidiaries or holding companies within the group or to third parties outside the kingdom, now they're going to have to make sure that it is done in compliance with the new law."

Another way the law differs from the GDPR is with regard to penalties. Along with fines of up to 5 million riyals (approximately $1.3 million), certain breaches of the DPL can be punished by imprisonment for up to two years. How that will be enforced is unclear.

"Certain breaches trigger criminal penalties, and given the nature of such penalties, it is in the interest of the management of every corporation to comply with the DPL," Aghdoube said.

"I think where the Saudi law is different, at least as compared to European law, is that there's more of a security focus," Wilkinson said. There are "references to national security concerns."

How Can HR Prepare? 

HR professionals will need to be aware of how data is being used and stored and will need to work to communicate about data rights with company employees. 

"In order to be compliant with the DPL, corporations need to start their HR data governance journey and work on creating a data privacy compliance framework," Aghdoube said. "Setting a standard ensures conformity with the DPL and provides a common approach on how employee and candidate data is processed, stored, used and protected. This minimizes the risk of breaches."

"In terms of preparation, the first thing HR departments do is process a lot of personal data regarding not only employees, but also different categories of data subjects" like candidates for employment, next of kin and beneficiaries, Wilkinson said. HR professionals "would be required to take stock of the personal data that they are processing and do an initial audit of what it is, where and how they store it, how they obtain it, and who has access to it."

Automation can help with both auditing previously collected data and processing data collected in the future. Manual processing can lead to errors, and data privacy by design technology can help streamline compliance with the DPL.

Employees will have the right to request access to their own data, so there also needs to be a framework in place to process those requests.

"It's going to have to be a big shift from 'we'll keep it just in case' to 'we'll only keep the very minimum that we need.' [That] is going to be a challenge," Wilkinson said. "But it's a challenge we've faced in other parts of the world and people have gotten used to it. It's something new that's coming to this region." 

Katie Nadworny is a freelance writer in Istanbul. 
