Published: Apr 28, 2025

SDAIA’s New Draft Controls Shaping the Future of Data Protection

SDAIA has released a draft of the Controls Governing Commercial, Professional, and Non-Profit Activities Related to Personal Data Protection on the Istitlaa portal for public feedback.

This document gives organizations that handle personal data in commercial, professional, or non-profit activities clear guidelines, procedures, and requirements for complying with the Personal Data Protection Law and its Implementing Regulations. It serves as a comprehensive guide to help these organizations establish effective data protection measures, fostering growth and encouraging broader participation. Additionally, it supports compliance efforts, promotes best practices, and contributes to the development of the Kingdom’s data sector.

Specifically, the Controls cover the following:

1. Definitions and Scope

  • Key terms such as Activities Related to Personal Data Protection, Controls, Competent Authority (SDAIA), Supervising Entity, Licensee, Permit Holder, and National Data Governance Platform are defined. The controls apply to entities involved in personal data protection activities, including consultancy services, technical solutions, vocational training, and events related to personal data protection.

2. General Requirements

  • Entities must register on the National Data Governance Platform and comply with the Personal Data Protection Law and its Implementing Regulations.
  • They must disclose any prior complaints or violations and ensure no ongoing investigations exist.

3. Specific Requirements for Activities

  • Consultancy Services: Must comply with the law and maintain documentation of measures and practices for data protection.
  • Technical and Vocational Training: Providers must have relevant qualifications, submit supporting documentation, and get approval from the Competent Authority.
  • Technical Services: Providers must ensure compliance with the law, possess necessary technical tools, and conduct self-assessments.
  • Conferences, Workshops, and Seminars: Speakers must be qualified, content must comply with the law, and events must be approved by the Competent Authority.

4. Suspension and Review

  • The Competent Authority can suspend activities if there are ongoing proceedings or violations.
  • Activities must be recorded in a National Register.
  • The controls will be periodically reviewed and updated as necessary.

5. Entry into Force

  • The controls will become effective upon publication in the Official Gazette.

Start Date: 23 April 2025

End Date: 20 May 2025

 

David Yates, Partner and Head of Digital & Data, and Christine El Khoury, Senior Counsel, Digital & Data, are available to provide further insights and guidance on this subject.

Key Contacts

David Yates

Partner, Head of Digital & Data

d.yates@tamimi.com