Understanding the KSA Personal Data Protection Law Safeguarding Privacy Rights in Saudi Arabia

KSA's Personal Data Protection Law (PDPL) was enacted to protect the privacy and personal information of individuals in Saudi Arabia.

tsaaro

Presentation Transcript


  1. Understanding the KSA Personal Data Protection Law: Safeguarding Privacy Rights in Saudi Arabia

INTRODUCTION

Data security and privacy are quickly becoming one of the most pressing concerns in an era marked by advancements in technology and a paradigm shift in our interactions with one another and the world of technology in general. Individual rights are inextricably linked to data protection, which is a fundamental component of defending individual rights. Data protection and confidentiality are not only the duties of a nation-state; organisations must also have a strong privacy framework in place.

The KSA’s New Personal Information Protection Law has the objective of securing people’s “sensitive information” in a systematic manner. After 180 days from the date of publication, the legislation will take effect on March 23, 2022, and data controllers will be required to guarantee compliance. The Sultanate of Saudi Arabia’s 2030 Agenda responsibility resulted in substantial changes to the regulatory environment of communication, media, and technology. For the deployment of PDPL, the Saudi Information and Artificial Intelligence Authority (“SDAIA”) will work with the Central Bank of the Kingdom alongside other information technology departments. It was made available in the Saudi Official Gazette on September 24, 2021.

Numerous national laws have been based on the European structures of privacy and protection of data legislation in order to preserve people’s private rights and the actual execution of data protection standards in day-to-day operations. As a result, considering the Sultanate of Saudi Arabia’s revised regulations in light of the GDPR, or General Data Protection Regulation, is critical. The fundamental concepts, principles, and standards established by the legislation will serve as the foundation for its efficient operation and execution in Saudi Arabia.

GOAL AND CHANGES BROUGHT IN BY PDPL

The PDPL’s goal is to protect individual information privacy, regulate data exchange, and prevent personal misuse of information. Notably, the PDPL addresses essential concepts such as objective limitation and data minimization, controller requirements such as the registration and upkeep of information-processing records, the data subject’s rights, and penalties for violations. The PDPL is going to bring Saudi Arabia more in line with its Middle Eastern neighbours as well as globally accepted standards.

Meanwhile, the National Data Management Office has created the National Data Governance Interim Rules, which include the Personal Data Protection Interim Regulations and the Data Sharing Interim Regulations. The Data Security Interim Regulations address fundamental ideas such as transparency, responsibility, disclosure of information, and information subject rights, while the Data Cooperation Interim Regulations focus on data security, legal foundation, and responsible data usage.

  2. FUNDAMENTAL PRINCIPLE OF PDPL

The Law on the Protection of Personal Data as well as its executive regulations determine the legal foundation for the safeguarding of one’s rights in relation to the absorbing of personal data by every organisation in the Kingdom, in addition to all entities outside the borders of the Kingdom who process private information related to individuals staying in the Kingdom through any method whatsoever, including electronically processed personal data.

The following are the fundamental features and concepts of PDPL guidelines that a firm needs to adhere to:

- Accountability by the organisation’s leader (or his designate) for the Privacy Controller’s protection policies and procedures is one of the core components of our data protection policy.
- Visibility is brought about by a privacy notice that outlines the objectives for which individual information is gathered.
- Before collection, choice and consent are requested through implicit or explicit permission for the collection, use, and dissemination of personal data.
- Limiting the gathering of data to only what is necessary to achieve the goals.
- Use, retention, and destruction must be strictly in accordance with the purpose, retained for as long as necessary to fulfil the intended functions or as needed by laws and regulations, and destroyed safely to avoid leakage, loss, theft, abuse, or unauthorised access.
- Data access allows any data subject to inspect, update, and rectify their personal information.
- The data subject-approved data access restriction prohibits external parties for the reasons mentioned in the privacy notice.
- Data security is achieved by safeguarding personal data from rupture, harm, disappearance, misuse, modification, or illicit access in compliance with the National Cybersecurity Authority and all other applicable authorities.
- Data quality becomes apparent after the data has been verified for correctness, completeness, and timeliness.
- Reviewing and implementing the data controller’s protection policies and processes, as well as any security-related questions, grievances, and disputes.

Arabia, who handle Saudi residents’ private information.

WHAT IS PERSONAL DATA AS PER PDPL?

Personal data is defined under the PDPL as any knowledge that directly identifies a person or potentially leads to their identity, including (but not limited to) name, driver’s licence number, cell phone number, website location, and social security card number. PDPL does not apply to sensitive information used for individual or domestic reasons. The legislation also safeguards deceased persons’ personal data if their information might lead to the identity of the person who died or their closest relatives in particular.

The PDPL, like the GDPR, classifies particular types of personal information as “sensitive.” According to the PDPL, sensitive personal data is any information derived from an individual’s “ethnic or tribal birth, religious, intellectual, or political orientation, or indicates his participation in civil associations or institutions.” It also contains criminal and security information.

  3. STEPS FOR COMPLIANCE WITH PDPL IN SAUDI ARABIA

Following is an 11-step protocol for adherence to the Personal Information Protection Law (PDPL) of Saudi Arabia:

- Do not gather personal data unless there is a legal reason to do so, and avoid deceiving people.
- Collect just the personal data required for an initial objective.
- Collect or communicate confidential information without authorization from users, unless otherwise indicated for those reasons listed.
- Establish a confidentiality agreement for your company that explains how you manage confidential data and why and when you share this information with third-party sources.
- Maintain the accuracy and timeliness of personal information.
- Personal data should not be disclosed to other individuals unless specifically requested for the reasons indicated.
- Do not transmit personal data outside of the Kingdom of Saudi Arabia unless the relevant procedures specified in the rule are followed.
- Take the necessary precautions to keep sensitive data safe.
- Keep a record of your own personal information processing procedures to submit to authorities if necessary.
- Notify authorities as quickly as feasible about data breaches, and notify impacted users promptly if the danger is serious.
- Conduct impact evaluations on the processing of personal data, particularly sensitive data.

PENALTY FOR NON-COMPLIANCE

Following are the penalty provisions for non-compliance:

- Anyone who publishes or distributes sensitive data in contravention of the legislation faces a maximum punishment of two years in jail and a monetary penalty that cannot exceed SAR three million (USD 800,000), or both.
- Anyone who breaches the regulations of cross-border data transmission faces up to a year in prison and a fine of up to SAR 1 million (USD 267K), or both of these punishments.
- Businesses that violate any of the other conditions are going to be issued a reprimand or a fine of up to SAR fifty million (USD 1.3 million).
- For repeated violations, the penalties may be quadrupled (up to SAR 10 million).

The Public Prosecution’s Office is in charge of investigating and bringing charges against the violation.
