The Saudi Personal Data Protection Law (PDPL) gives companies doing business in Saudi Arabia until March of 2023 to comply with its requirements. Over the next few months, EMME Advisory Services® will be sharing our thoughts to help companies doing business in Saudi Arabia prepare for these requirements. This article focuses on the scope and application of the PDPL.
What to expect from the PDPL?
When it goes into effect, the PDPL will apply to every company that processes personal data in Saudi Arabia and regulates the processing of personal data.
Starting with the scope of the PDPL, it applies to:
· all processing of personal data in Saudi Arabia and
· of individuals in Saudi Arabia.
Processing[i] includes all activities performed on data, from its collection, use, and storage to its destruction. Examples of processing include collecting data on employment applications, through vendor registration processes or processing data to complete online purchases.
Personal data[ii] is also broadly defined as any information in any format that can be used to identify an individual directly or indirectly.
· Direct information can include physical IDs like iqamas, passports, and driver’s licenses; electronic identifiers such as an individual’s cell phone or computer network ID; and biometric data like thumbprints and facial recognition.
· Indirect information refers to anything that makes it possible to identify an individual, such as contact numbers, addresses, bank accounts, and credit card numbers.
The PDPL will also impose obligations, requirements, and controls on the processing of all personal data generally and additional or heightened requirements on the processing of Sensitive Data,[iii] which includes Genetic Data,[iv] Health Data,[v] Health Services,[vi] and Credit Data.[vii]
What can companies do now?
To meet the upcoming obligations, requirements, and controls imposed by the PDPL, companies doing business in Saudi Arabia should start identifying the activities that require the processing of personal data and the types of personal data processed.
Activities that require personal data processing
Activities that require personal data processing include all activities and interactions with individuals. For example, all companies in Saudi Arabia need to interact with individuals to recruit and hire employees. Therefore, companies must collect and process personal data from job applicants (e.g., contact information, resumes/CVs, and government IDs) to identify qualified candidates.
Once hired, contact, family, and banking information are also required to administer employee benefits and payroll.
Companies also need to process personal data (e.g., contact, personnel, and banking information) to facilitate business with contractors, suppliers, and other business partners. They may also need personal data to identify and market to clients, customers, and website users.
Is sensitive data included?
After identifying activities that require the processing of personal data, companies need to determine if it includes sensitive data. While all companies will have to follow the general requirements for processing personal data, companies that provide certain services or perform certain activities may also have to follow additional controls and procedures imposed on sensitive personal data.
For example, companies that provide financial services process credit data that is subject to additional processing controls and procedures.[viii] The same applies to companies that process credit data to facilitate commercial transactions. Similarly, Healthcare providers process Health Data, Genetic Data or provide Health Services that are subject to additional processing controls and procedures.[ix] Even companies that use biometric data for authentication purposes, or location data in their operations, will be subject to the additional processing controls and procedures that apply to sensitive data.
Companies that learn and understand how they collect and use personal data early in the process will be able to identify and build the policies, procedures, and controls required by the PDPL.
EMME Advisory Services
EMME Advisory Services® (EMME) has the policies, procedures, controls, and training that companies doing business in Saudi Arabia will need to comply with the Saudi Personal Data Protection Law. For more information contactus@emme-advisory.com or visit www.emme-advisory.com.
[i] Processing: Any process performed on personal data by any means, whether manual or automated, including process of collection, recording, archiving, indexing, arranging, formatting, storing, modifying, updating, merging, retrieving, using, disclosing, transferring, publishing, data sharing or interconnecting, blocking, erasing and destroying.
[ii] Personal Data: Every data – of whatever source or form – that would lead to the identification of the individual specifically, or make it possible to identify him directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of personal nature.
[iii] Sensitive Data: Every personal data that includes a reference to an individual’s ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental association or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown.
[iv] Genetic Data: Every personal data related to the genetic or acquired characteristics of a natural person, uniquely identifying the physiological or health characteristics of such person, and extracted from the analysis of a biological sample of the person, such as the analysis of nucleic acids or the analysis of any other sample that leads to the extraction of genetic data.
[v] Health Data: Every personal data related to an individual’s health status, whether physical, mental, psychological, or related to his health services.
[vi] Health Service: Services related to the individual’s health, including preventative, curative and rehabilitative services, hospitalization and drug provision.
[vii] Credit Data: Every personal data related to an individual’s request for, or obtainment of, financing, whether for a personal or family purpose, from an entity that practices financing, including any data related to his ability to obtain credit, his ability to pay it, or his credit history.
[viii] Article Twenty-Four, Personal Data Protection Law
[ix] Article Twenty-Three, PDPL