Recently, the Saudi Authority for Data and Artificial Intelligence (SDAIA) released two sets of regulations for public consultation: the draft implementing regulation for the KSA PDPL, and the regulation for the transfer of personal data outside the Kingdom of Saudi Arabia. Both regulations come at a very crucial time, as the KSA PDPL will go into effect on September 14, 2023 and organizations have only 1 year to demonstrate compliance. The implementing regulation outlines key requirements of the law such as the breach reporting timeline, the requirement for a DPO, the establishment of a competent authority, the legal bases for processing personal data, etc.
In this blog, we will look at some of the key requirements outlined in the implementing regulation:
- The implementing regulation provides clarity on which personal or household processing activities are exempted from the law.
- It provides information on the legal basis of legitimate interest and on how to classify a processing activity under the different legal bases for processing.
- The timeline for responding to DSAR requests is stipulated as 30 days, with a provision to extend this timeline in certain cases.
- Clarity on the steps an organization must take when responding to a DSAR.
- The different rights provided are:
  - Right to be informed
  - Right to access personal data
  - Right to request correction of personal data
  - Right to request destruction of personal data
- Conditions to be met when processing personal data by automated means are established in the regulation.
- Going a step further, the regulation states the conditions for anonymization that must be met for data to be exempt from the regulation.
- Recommended modes of communication with data subjects, such as email, text messages, national address, applications, etc., are mentioned in the regulation.
- Conditions for consent and withdrawal of consent are established, which must be followed by any organization wishing to rely on the legal basis of consent.
- Relative ease of implementation of consent-based processing for minors between the ages of 13 and 18 is stipulated in the regulation.
- The requirements to establish relevant contracts, ensure implementation of controls, etc. when using a third-party vendor are clearly stated in the regulation.
- Articles related to data minimization, disclosures and information security provide more guidance on implementing the requirements of the law.
- A breach notification timeline of 72 hours for notifying the competent authority is established in the regulation. Along with this, the information that must be furnished to the competent authority is called out clearly in the regulation.
- The regulation also calls out requirements to conduct impact assessments, maintain a Record of Processing Activities (RoPA), register controllers nationally with the competent authority, etc.
While these are very high-level requirements, for the actual text of the implementing regulation one may refer to the draft regulation available on SDAIA's website.
While most of the articles of the implementing regulation provide more clarity with respect to the law, we are awaiting the final version, to be published soon after the public consultation period is over. This will be one of the landmark regulations in KSA for protecting the rights and freedoms of citizens of the Kingdom, and exciting times are ahead for organizations that need to comply with these regulations.