Understanding the new data protection law
Dounia Aghdoube, a lawyer with Schlüter Graf in Dubai, United Arab Emirates (UAE), has many clients in Saudi Arabia (KSA) whose companies process their payroll outside the kingdom. But with the imminent arrival of the new Data Protection Law (DPL) in Saudi Arabia on March 23, providers of payroll services and other data processing operations that take place outside the country could need to find other arrangements, because the new law limits the possibility of transferring personal data outside the country.
There will be a one-year grace period before the DPL comes into full effect on March 23, 2023. Prior to this, businesses should prepare for all changes, large and small, in the way data is stored and processed.
“The DPL provides strict restrictions on cross-border data transfer outside of Saudi Arabia and only provides specific exceptions to this rule. For example, the transfer is possible when the controller has the approval of Saudi Arabia’s data protection authority,” said Anja Christine Adam, attorney at Schlüter Graf in Dubai and Hamburg, Germany. “If none of the exceptions apply to businesses in Saudi Arabia, they may need to consider setting up local data centers and using service providers that process data in the country in order to meet the data localization requirements in Saudi Arabia. Expected implementing regulations may shed more light on this topic.”
New changes regarding personal data
This is just one of many changes that will come into effect with the new DPL. The DPL builds on the European Union’s similar General Data Protection Regulation (GDPR), defining personal data and regulating how personal data may be used, processed and stored.
Personal data is all data relating to a specific person or relating to a person who can be identified directly or indirectly by linking the data, Aghdoube said. “This expressly includes the name, address, contact number, photo or other data of [a] personal character.”
The new law requires all organizations that control or process personal data to comply with certain principles and obligations relating to how they process such data, said Dino Wilkinson, attorney at Clyde & Co in Abu Dhabi, UAE. A data protection agency has been established in Saudi Arabia to oversee the DPL.
Similarities and differences with the GDPR
The new law is similar to the GDPR but differs from it in significant ways. Restrictions on cross-border data transfer are a key difference.
In general, “you shouldn’t transfer data outside the kingdom. But if you must, then you must meet certain conditions. At the moment, we are still waiting for implementing regulations to give us a better idea of what those conditions will be,” Wilkinson said. “Businesses that have not had to worry about transfers of data to group subsidiaries or holdings or to third parties outside the kingdom will now have to ensure that this is done in compliance with the new law.”
Another difference between the law and the GDPR concerns penalties. In addition to fines of up to 5 million riyals (approximately $1.3 million), certain DPL offenses can be punished by imprisonment for up to two years. How this will be applied is unclear.
“Some offenses trigger criminal penalties, and given the nature of those penalties, it is in every company’s management’s interest to comply with the DPL,” Aghdoube said.
“I think where Saudi law is different, at least compared to European law, is that it’s more security-focused,” Wilkinson said. There are “references to national security concerns”.
How can HR prepare?
HR professionals should be aware of how data is used and stored and should strive to communicate data rights with company employees.
“In order to comply with the DPL, companies must begin their HR data governance journey and work towards creating a data privacy compliance framework,” Aghdoube said. “Establishing a standard ensures compliance with the DPL and provides a common approach to how employee and candidate data is processed, stored, used and protected. This minimizes the risk of a breach.”
“In terms of preparation, the first thing that HR departments do is to process a lot of personal data concerning not only employees, but also different categories of data subjects” such as job applicants, next of kin and beneficiaries, Wilkinson said. HR professionals “would be required to take stock of the personal data they process and do an initial audit of what it is, where and how they store it, how they obtain it and who has access to it”.
Automation can help both audit previously collected data and process data collected in the future. Manual processing can lead to errors, and privacy-by-design technology can help streamline DPL compliance.
Employees will have the right to request access to their own data, so there must also be a framework in place to deal with these requests.
“It’s going to have to be a big change from ‘we’ll keep it just in case’ to ‘we’ll only keep the minimum we need’. [That is] going to be a challenge,” Wilkinson said. “But it’s a challenge we’ve faced in other parts of the world and people have gotten used to it. It’s something new happening in this region.”
Katie Nadworny is a freelance writer in Istanbul.