
As part of its Vision 2030 Roadmap, the Kingdom of Saudi Arabia is rapidly enabling digital transformation. This includes enacting appropriate legislation around data governance in businesses and government entities.
The PDPL was enacted on March 17, 2023. This is the first comprehensive data protection legislation in Saudi Arabia and its stringent requirements mean organizations must implement robust technical controls to comply. FileCloud has added the PDPL to its range of regulations you can seamlessly configure and monitor via its Compliance Center.
Measures should be put in place to secure personal data. These are required to ensure the preservation of personal data, including when it is transferred.
The new rights of the data subject under the PDPL include:
- Right to know the data controller’s contact details, the legal basis and reason for the data collection, data collection methods, and whether their personal data will be shared or sold.
- Right to request access to, or a copy of, their data, free of charge and in a clear format that conforms with the records held by the data controller.
- Right to request correction of any data about them that is inaccurate, incomplete, or obsolete.
- Right to request destruction of their personal data by an organization and to rescind consent for the collection of their data.
- Right to restrict processing of their data for periods of time.
Scope of the PDPL
Regulatory Scope – Encompasses organizations’ activities in relation to the processing of personal data or sensitive personal data about individuals residing in Saudi Arabia. This includes deceased individuals’ personal data if the processing of this data could result in the identification of the deceased or their family members.
Territorial Scope – Applies to all public and private organizations that collect and process personal data and sensitive personal data related to individuals residing in Saudi Arabia. This includes entities outside the country that collect and process the personal data of individuals residing there.
Organizations’ Obligations under the PDPL
Controlling authorities and data controllers must ensure personal data is accurate, complete, and relevant before processing it. They are bound by the following principles:
- Collection limitation
- Purpose limitation
- Data security
- Accountability
- Retention limitation

Penalties for Non-Compliance with the PDPL
The PDPL imposes heavy penalties on data controllers that fail to comply with its requirements, including:
- Disclosure or publication of sensitive personal information: Up to 2 years in prison and/or a fine of up to SAR 3 million ($800,000). This applies to individuals and organizations.
- Violation of cross-border data transfer stipulations: Up to one year in prison and/or a fine of up to SAR 1 million ($267,000).
- Violation of other provisions: A warning notice or a fine of up to SAR 5 million ($1.3 million), with the court free to double the fine for repeat offences.
- Penalties can also be imposed for the absence of robust mechanisms to protect individuals’ personal data.
How Can FileCloud Help with PDPL Compliance?
With an entire tab dedicated to the PDPL, containing detailed instructions on configurations that map to vital aspects of the legislation, FileCloud’s Compliance Center contains all the features you need to comply seamlessly with its requirements. Features available include content classification, retention policies, custom metadata, anonymization of personal data, built-in pattern searching, powerful audit capabilities, and numerous security protections.
Explore FileCloud’s powerful compliance capabilities by scheduling a call with our Sales team! Contact us.
