The volume of digital data generated in the modern world is so immense that a single data breach can cause extensive damage. Individuals can be put at risk of fraud and identify theft if access controls on personal information are not properly implemented.

This data explosion has put privacy in the spotlight, and countries and jurisdictions around the world are implementing controls to regulate the collection of personal data. The EU’s General Data Protection Regulation, the California Consumer Privacy Act and Brazil’s General Data Protection Law are already in place and more are set to follow.

Saudi Arabia is the latest nation to act, with its Personal Data Protection Law, which takes effect on March 23 and applies to all corporations and public and private entities operating in the Kingdom. It requires them to make significant changes to the way they collect, store and process personal data, prohibits certain practices and establishes a complaints procedure.

Its purpose is to ensure that the processing of all data relating to an individual satisfies certain mandatory requirements that protect the data owner’s privacy rights.

The PDPL will be supervised by the Saudi Data and Artificial Intelligence Authority, which also developed it.

The law applies to the processing of personal data within Saudi Arabia and also to the handling of residents’ personal data outside the Kingdom. Data transfers out of the Kingdom will also be tightly controlled. Foreign data controllers must appoint a representative within Saudi Arabia who is licensed by the SDAIA to act within the terms of the new law.

The penalties for noncompliance are relatively severe, including up to one year in prison and/or a fine of SAR1 million ($267,000) for unlawfully transferring data out of the Kingdom, and up to two years in prison and/or a fine of SAR3 million for disclosing sensitive data. The SDAIA also has the ability to impose fines of up to SAR5 million.

Ahead of the PDPL taking effect, organizations should train their staff on the terms and principles of the law to ensure that a culture of data protection is embedded into their organizations.

Some of the initial steps that an organization can adopt include conducting a data mapping exercise to identify personal data that is collected, stored, processed and shared with others. This will provide a snapshot of how data is collected and managed within the organization.

Maintaining data processing records after conducting the mapping exercise is also essential. The related information will need to be systematized and stored in a readily accessible format. Many data protection laws require data controllers to keep such records.

Companies can thereafter review their systems to identify gaps in data protection clauses and noncompliance, as well as assess the existing technical and organizational measures and controls regarding data security, including the technologies they use to protect data and their access policies.

Appropriate language and documentation should be developed to explain to users both consent and purpose of data use. For instance, users are to be clearly informed that their consent on data usage is required as well as the type of data that will be collected and how it will be used.

Training employees about key data protection issues and the risks associated with potential breaches is also crucial.

An appropriate data privacy policy is to be implemented reflecting the organization’s approach to personal data management.

Last but not least, organizations will be urged to develop a cyberattack response protocol with a tested action plan to respond to any such events.

The PDPL is a step in the right direction for the economy of Saudi Arabia, and more countries in the Middle East are planning to introduce data privacy laws as part of their digital and economic strategies.

In September, the UAE announced plans to introduce a comprehensive data privacy and protection law, which shows that organizations in the Middle East need to be ready to adapt to the evolving privacy landscape.

Athira Jayakumar is a Technical Evangelist at ManageEngine.

Disclaimer: Views expressed by writers in this section are their own and do not necessarily reflect Arab News' point-of-view

Copyright: Arab News © 2022 All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).

Disclaimer: The content of this article is syndicated or provided to this website from an external third party provider. We are not responsible for, and do not control, such external websites, entities, applications or media publishers. The body of the text is provided on an “as is” and “as available” basis and has not been edited in any way. Neither we nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this article. Read our full disclaimer policy here.