Published: Apr 29, 2025

SDAIA’s Draft Amendments Redefining the Landscape of Data Protection Compliance

#SDAIA has released draft amendments to the Implementing Regulations of the Personal Data Protection Law. These proposed changes are now open for public consultation, inviting stakeholders and the general public to provide their valuable feedback.

The document titled “Proposed Amendments to the Implementing Regulation of the Personal Data Protection Law” outlines several changes to the existing regulations.


Key amendments and/or additions include the following, grouped by subject:

  1. Definitions and Terminology

  • Competent Authority’s Platform: Added as an electronic platform for support services and enforcement tools (Article 1).
  • Direct Marketing: Removed the definition. The removal of the definition may necessitate clearer guidelines on what constitutes direct marketing activities, potentially leading to ambiguity for organizations striving to comply with the regulations. Consequently, companies might need to reassess their marketing strategies to ensure they are not inadvertently engaging in activities that could be interpreted as direct marketing without explicit regulatory guidance. We anticipate that SDAIA will address this issue in the final version of the amendments.
  • Personal Data Breach: Removed the definition and edited related texts throughout the regulation. Similar to the removal of the Direct Marketing definition, companies will need to closely review the edited texts to understand their obligations in the event of a data breach. The absence of a clear definition may require them to adopt broader or more cautious approaches to incident management. Concurrently, companies may rely on the Personal Data Breach Incidents Procedural Guide for further clarity. While the guide provides clear instructions on handling data breach incidents, it does not specify what constitutes a data breach. Therefore, we also anticipate that SDAIA will address this issue in the final version of the amendments.

  2. Controller’s Obligations

  • Information Provision: Amended to ensure information is provided in simplified language when the data subject lacks full or partial legal capacity (Article 4).
  • Data Subject Rights: Edited to clarify the right to request a copy of personal data in a readable format (Article 6). This amendment enhances the rights of data subjects by ensuring they can request and receive their personal data in an easily understandable format. Companies will need to ensure their systems and processes can provide personal data in a readable format, which may require technical adjustments and additional resources.
  • Privacy Policy Requirements: Added a new article (Article 18 Repeated) specifying that the privacy policy must be clear and comprehensible (Article 18).

  3. Consent for Marketing

  • Advertising and Awareness Materials: Amended to specify conditions for obtaining consent, including documentation and the ability to withdraw consent easily (Article 28).
  • Direct Marketing: Clarified requirements for obtaining consent and providing mechanisms for halting marketing materials (Article 29).

  4. Personal Data Protection Officer (PDPO)

  • Appointment and Responsibilities: Amended to include detailed responsibilities of the PDPO, such as monitoring implementation, acting as a contact point, and handling data breaches (Article 32). In alignment with the Rules for Appointing Data Protection Officer issued by SDAIA, the detailed responsibilities outlined in this amended version provide clearer guidance on the role of the PDPO. This ensures that companies appoint individuals capable of fulfilling these duties. The PDPO will have specific responsibilities, including monitoring compliance, acting as a contact point with the Competent Authority, and overseeing data protection impact assessments. These procedures increase accountability and ensure a higher standard of data protection within companies.

  5. Record Keeping

  • Processing Activities: Amended to specify the duration for keeping records and ensuring their accuracy. Removed some paragraphs and rearranged others (Article 33).

  6. National Register of Controllers

  • Registration Requirements: Added conditions for mandatory registration in the National Register of Controllers, including public entities, primary data processors, and those transferring data outside KSA (Article 34).

  7. Complaint Handling

  • Submission and Processing: Amended to streamline the complaint submission process and ensure timely responses. Removed and renumbered some paragraphs (Articles 36 and 37).

  8. Enforcement

  • Effective Date: Amended to specify that the regulation comes into force upon publication in the official gazette and on the Competent Authority’s website (Article 38).


Start Date: 27 April 2025

End Date: 27 May 2025


David Yates, Partner and Head of Digital & Data, and Christine El Khoury, Senior Counsel, Digital & Data, are available to provide further insights and guidance on this subject.

Key Contacts

David Yates

Partner, Head of Digital & Data

d.yates@tamimi.com