By MEmob+’s Saad Bleik
Ever since the General Data Protection Regulation (GDPR) was adopted in the European Union in 2016, data protection laws have been like an unstoppable train whose next station will be Saudi Arabia, where the Personal Data Protection Law (PDPL) will come into effect on March 23.
The PDPL is meant to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data, to help develop a digital infrastructure and support innovation in order to grow a digital economy in KSA. It applies to any processing by businesses or public entities of personal data performed in Saudi Arabia, including the processing of the personal data of Saudi residents by entities located outside the Kingdom. Personal data means any information through which a person may be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses, and contact numbers.
What the law says
Many of the features of the PDPL are similar to those of other international data protection laws, for example:
There are some differences, however:
Who will need to comply when
A grace period will be in place to give organizations the time to adapt. It could be up to five years for entities that process the personal data of Saudi residents but are located outside Saudi Arabia. Both entities with a Saudi presence and those that are targeting Saudi residents will be covered by the PDPL and will have to comply. In most cases, the personal data of Saudi residents will have to be collected, stored, and processed in the Kingdom. The recent fracas between Meta and the EU on international data transfers after the abolition of Privacy Shield shows how complex an issue this can be.
If a media agency, for example, buys a regional digital plan for a client, there is a strong possibility that some of the publishers and data sources in that plan are subject to PDPL regulations. When we look at the complex chain of relationships between the brand and the consumers, including agencies, publishers, various DSPs, and others, advertisers cannot guarantee that none of these links exposes the transactions to databases covered by the PDPL.
As a data processor working with providers around the world, MEmob+ is well accustomed to such regulations and requirements. We rely on data mapping to identify the data we process, store, transfer, and use. We do not have access to PII (personally identifiable information), as it is hashed. We also have data protection policies and procedures in place and regularly review our existing contracts with partners and data sources, ensuring clear consents are in line with current requirements. We also provide training to our staff working with data. GDPR compliance has prepared us well for the raft of new regulations in the GCC.
How we can help
Our experience has also prepared us well to assist organizations in Saudi Arabia with their own plan to become compliant. These include:
But being compliant is merely the beginning; you need to remain so. Like any law, the PDPL is fluid and will evolve through its application. Experience will lead to amendments and enhancements based on stakeholders' feedback and on issues that emerge. Its predecessors, like GDPR, are broadly seen as successful and as having met their goals, but the goalposts will keep moving as the technological ecosystem transforms. The development of blockchain will certainly prove interesting in this context.