In July 2023, Implementing Regulations to support the Kingdom of Saudi Arabia’s Personal Data Protection Regulation (PDPL) were released and subject to a one-month consultation period. The Implementing Regulations supplement recent amendments to the PDPL, which were approved in March 2023, and together these signal close alignment with the European Union’s General Data Protection Regulation (GDPR). Key principles to that end include similar adequacy and data transfer mechanisms, breach notification timelines and the introduction of a legitimate interest basis for processing personal data.
Organisations in the Kingdom of Saudi Arabia now face the requirement to implement compliance measures before the enforcement deadline of 14 September 2024. Doing so may be particularly challenging for companies operating in data-intensive industries like financial services.
While the clock may be ticking, there are several steps organisations can take to build compliance ahead of the enforcement deadline. With careful preparation, financial services firms should have sufficient time to build compliance and train their employees.
A crucial starting point for any financial services organisation is to conduct a comprehensive data mapping exercise to document how personal data is processed across the entire lifecycle in the form of a Records of Processing Activities (ROPA). A ROPA, at minimum, should identify how personal data is collected, how it is stored, how it is shared, through to how it is disposed of or archived, and document the protection and security measures in place. Not only is this a requirement of the PDPL, but it can also serve as an important source of truth in the unfortunate eventuality of a data breach, or if the organisation receives a request from an individual for the deletion of their personal data.
To support the ROPA, an asset inventory should be developed identifying the systems and applications processing personal data. The asset inventory should document how personal data is processed by each asset and define the technical and organisational measures that are in place to protect personal data.
Policies, Procedures and Privacy Notices
A range of policies — and supporting procedures — will need to be developed to outline the data protection and security standards of the organisation and the steps that employees should take to fulfil the respective data protection processes. The organisation should also review and update IT and technically-focused policies and procedures to ensure that data protection and security considerations are taken into account and documented accordingly.
One of the hot topics of the PDPL addressed in recent amendments concerns the transfer of personal data outside of the Kingdom to other jurisdictions. The amendments confirmed in March 2023, and the Implementing Regulations, soften the restrictions on international data transfers to a degree. However, financial services organisations should place emphasis on identifying international transfers of personal data and assessing whether they are compliant. To assess such transfers, a transfer impact assessment process and template should be developed.
Organisations should also develop a robust process for conducting data protection impact assessments (DPIAs), which are required for all high-risk processing operations, a category that may include the provision of innovative technology and services. All data protection and security risks identified during a DPIA should be documented in a treatment plan that identifies the individuals and teams who will be involved in resolving the risks.
Developing and implementing strong security controls can support an organisation’s response to the PDPL and its requirements. Financial services firms and insurance firms often process health data and other sensitive data to handle insurance claims; in these instances, organisations should evaluate whether to deploy encryption for data in transit and at rest, and should review their access control models.
Sustaining compliance takes consistent effort and developing a data protection governance model is an important element of this process. Some organisations will also be required to appoint a data protection officer to help oversee compliance. However, even organisations not subject to this requirement may consider identifying a single point of contact, supported by privacy champions in each business function, to monitor compliance and communicate and escalate risks.
Training and Awareness
Training and awareness materials are often an effective tool to support the creation of a sustainable culture of compliance. Regular data protection training should be developed and included in the annual training curriculum to ensure that key standards outlined in policies and procedures are communicated and key contact points within the organisation are shared, so that employees feel empowered to handle data correctly.
Effective training and awareness can also help guard against accidental disclosure of personal data by employees which is a frequent cause of personal data breaches.
It is imperative that financial services organisations operating in the Kingdom of Saudi Arabia initiate data privacy compliance activities as early as possible to allow time to fully operationalise the required changes. While the deadline of 14 September 2024 provides organisations with a target date to aim for, it should not be viewed as the end point. Organisations should ensure that all compliance activities developed can also serve future needs and obligations under laws in other jurisdictions where they operate.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.