As the grace period for compliance with the Saudi data protection law is rapidly drawing to a close, the Saudi Data and AI Authority (“SDAIA”) has published draft rules on the operation of the national register of controllers.
Data controllers subject to the Saudi Personal Data Protection Law (“PDPL”) are currently protected by an implementation grace period, but enforcement of the PDPL is due to commence in September this year, meaning the grace period will shortly end and controllers have little time left to complete compliance readiness. Given that the draft rules have only recently been published for consultation, it is possible that enforcement of certain aspects of the Law, such as the obligation to register as a controller (if applicable – please see below), may be phased in.
The rules define the national register as “a way to monitor and follow up on Controllers, as well as assist them in raising their level of compliance with the Law and the Regulations. Additionally, the National Register provides services related to personal data protection procedures.”
Registration not mandatory for all
The most significant section of the rules is Article 2 which provides that only the following controllers (if located within KSA) will mandatorily need to register:
- Public entities;
- Controllers whose main activity is based on personal data processing and collection; and
- Controllers who collect and process sensitive personal data, and the processing is likely to entail a high risk to the rights and freedoms of the personal data subjects.
Although registration will therefore not be mandatory for all controllers, subject to any further guidance as to the interpretation of the criteria, we consider that the obligation is likely to impact many enterprises.
Non-Saudi controllers
It is worth emphasising that the PDPL applies not just to Saudi entities, but to any entity which processes the personal data of people resident in KSA. This approach, taken literally, presents potential difficulties for businesses which do not actively target the KSA market but which may process some KSA-resident data on a passive or unsolicited basis. Helpfully, the introduction to the draft rules specifies that separate registration rules will be published for controllers located outside KSA. It will be interesting to see whether any additional nuances are also introduced to clarify the scope of the law for non-Saudi businesses.
Registration process
The Rules detail the registration procedures, which will vary based on the type of entity.
- Public entities must complete the registration form provided by SDAIA and appoint a delegate to handle the process, which includes assessing the need for a Personal Data Protection Officer.
- Private entities shall initiate registration on the Platform, through an owner, partner or delegate, and the process involves filling out necessary fields, verifying eligibility and assessing the need to appoint a Data Protection Officer.
- Individuals can register by completing the required procedures, including filling out the registration form and verifying eligibility.
We assume that the “delegate” referred to in the rules may be an employee of the controller, although some clarification around this point would be welcomed in the final version.
Certification
The rules also imply that the controller will be able to generate its own registration certificate as part of the registration process, which will include a QR code for verification. SDAIA will notify the controller when the registration is due for renewal at least thirty days before the expiry date. It is not clear at this stage how long a registration will remain valid before it expires.
To enhance public trust in the services provided, SDAIA will implement mechanisms for public verification of controllers’ registrations, making registration certificates accessible within a National Register for Personal Data Protection.
Summary
With the PDPL due to start being enforced in a matter of weeks, the new draft rules represent welcome and pragmatic guidance on one aspect of the law. However, it is important for all Saudi controllers and processors to understand that the administrative requirements of the law are only a small part of overall compliance, and that a holistic privacy framework and a culture of data protection need to be developed.