As part of its Vision 2030 Roadmap, the Kingdom of Saudi Arabia is rapidly enabling digital transformation. This includes enacting appropriate legislation around data governance in businesses and government entities.
The Personal Data Protection Law (PDPL) was enacted on March 17, 2023. This is the first comprehensive data protection legislation in Saudi Arabia, and its stringent requirements mean organizations must implement robust technical controls to comply. FileCloud has added the PDPL to the range of regulations you can seamlessly configure and monitor via its Compliance Center.
The new rights of the data subject under the PDPL include:
Regulatory Scope – Encompasses organizations’ activities in relation to the processing of personal data or sensitive personal data about individuals residing in Saudi Arabia. This includes deceased individuals’ personal data if the processing of this data could result in the identification of the deceased or their family members.
Territorial Scope – Applies to all public and private organizations that collect and process personal data and sensitive personal data related to individuals residing in Saudi Arabia. This includes entities outside the country that collect and process the personal data of individuals residing there.
Controlling authorities and data controllers must ensure personal data is accurate, complete, and relevant before processing it. They are bound by the following principles:
The PDPL imposes heavy penalties on data controllers for non-compliance with its requirements, including:
With an entire tab dedicated to the PDPL, containing detailed instructions on configurations that map to vital aspects of the legislation, FileCloud’s Compliance Center contains all the features you need to comply seamlessly with its requirements. Features available include content classification, retention policies, custom metadata, anonymization of personal data, built-in pattern searching, powerful audit capabilities, and numerous security protections.
Prior to processing personal data, organizations must obtain explicit consent from the data subject, with certain exceptions stipulated in the legislation. Data subjects are owners of their personal data and can withdraw their consent at any time. Consent cannot be a prerequisite to obtaining a service/benefit unless that service/benefit is related to the data processing itself.
Organizations must register on a dedicated portal and pay annual fees. This functions as the national record of data controllers. Organizations outside of the jurisdiction that process data of Saudi residents must appoint a representative in the Kingdom to communicate with the regulatory authorities about compliance.
Organizations must have a privacy policy regarding personal data for individuals to review before data collection. This should include the purpose, method, storage, processing, and destruction of the data. It should also outline the rights of the data subject and the organization’s commitment to upholding these rights.
All organizations must put measures in place to secure personal data. These are required to ensure the preservation of personal data, including when it is transferred.
Organizations must notify the regulatory authority within 72 hours of becoming aware of a data breach. The data controller must outline the breach and steps being taken to prevent a recurrence. The controller must also inform the data subject if the breach puts them at significant risk.
The PDPL requires all organizations to conduct a thorough impact assessment regarding the processing of personal data.
Organizations must appoint one or more Data Protection Officers to ensure that the provisions of the PDPL are implemented comprehensively throughout all departments.
Record-keeping must include: the organization’s contact details, the purpose of the processing, categories of data subjects, parties to whom the data has been (or will be) disclosed, whether the data has been transferred or disclosed outside Saudi Arabia, and the data retention period.
Organizations must choose a processing party that complies with the PDPL. In addition, they must verify this third-party compliance on an ongoing basis.
Personal data can be transferred only if a strict impact assessment has been done to ensure the security of the external location. Written consent from the regulatory authority must be obtained. Exceptions are made when the transfer vitally serves the public interest and if it is necessary to save the data subject’s life abroad.