Abdulaziz Al-Bosaily, Masha Ooijevaar, and Dino Wilkinson of Clyde & Co write:
Saudi Arabia has issued its first comprehensive national data protection law to regulate the collection and processing of personal information. In this article we consider the implications of this important development for organisations operating in the Kingdom.
What is the new law?
The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). It was published in the Official Gazette on 24 September 2021.
The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered.
Read more on Clyde & Co. Of note, their breach notification provision requires that people be notified “immediately.” And the disclosure or publication of sensitive data contrary to the PDPL may result in penalties of imprisonment for up to two years or a fine of up to SAR 3,000,000 (US$ 800,000). Let’s see if they really enforce that.