PrivacyEngine Podcast

KSA Personal Data Protection Law (PDPL): What Businesses Must Do to Prepare

PrivacyEngine


In Episode 2 of the PrivacyEngine series on international data protection legislation, we explore Saudi Arabia's Personal Data Protection Law (PDPL), the Kingdom's first comprehensive privacy framework and a key pillar of Vision 2030's digital transformation.

Hosted by Dr Maria Moloney, and joined by Katie, we break down what the PDPL is, who it applies to inside and outside Saudi Arabia, and how closely it aligns with GDPR, including where it differs in meaningful ways.

Enjoyed this episode? Subscribe for more practical insights on global privacy and data protection. If you have questions about India's DPDPA, or KSA and UAE PDPL compliance, get in touch. We would love to hear from you.

SPEAKER_00

Welcome everyone to today's episode. It's the second episode in the PrivacyEngine series on international data protection legislation. We started off last week with the Indian data protection law, or what we call the Digital Personal Data Protection Act of 2023. And today we're looking at the Kingdom of Saudi Arabia's Personal Data Protection Law, or what we call the PDPL. We'll break down the law in terms of what it does, how it compares to the GDPR, and what organizations need to do if they are preparing to be compliant with the law. I'm joined, like I was last week, by my friend and colleague Katie. And like last week as well, we'll alternate the questions. So I'll start with the first question and then Katie will go on with the second question and so on. We have about 12 questions, like we did last week as well. So hopefully this podcast will take you on a journey where you'll get a clear, engaging tour of one of the most important data protection laws in the Gulf region. It sets out how personal data must be collected, used, stored, shared, and transferred. And it gives individuals really clear rights that are very similar to the GDPR as well, and places obligations, very formal obligations, on organizations in terms of processing personal data. And it's similar to other global privacy laws like the GDPR. It was introduced as part of Saudi Arabia's Vision 2030 digital transformation, and we can talk about that later on. I have information here about it actually. But Saudi Arabia's Vision 2030 is essentially the kingdom's blueprint for economic and social transformation, and digital innovation sits right at the center of this. So the idea is to shift the country away from a purely oil-dependent economy and build a modern, diverse, technology-driven society.
Okay, so the country is rapidly expanding cloud services, AI, fintech, digital government, and it has a massive smart cities project which is called NEOM. And NEOM is Saudi Arabia's flagship future city project. It's huge and it's in the northwest of the country near the Red Sea. It was created as part of Vision 2030, and it's not just a city, it's more of a cluster of developments that are meant to showcase ultra-high-tech, low-carbon urban living and what that could look like. So the total NEOM area is 26,500 square kilometres. So it's not like a city, it's more like a small country. So that's really exciting. So, you know, the PDPL is a crucial part of that development for Saudi Arabia. So the law also helps to attract international investment. And before the PDPL, there was no unified data protection regime, which made global companies hesitant to come to the kingdom. The law, especially after its 2023 amendments, aligns more closely with international standards and creates a workable system for cross-border transfers. The PDPL also reinforces national data sovereignty, with central oversight by the Saudi Data and AI Authority, reflecting Saudi priorities around security, cultural norms, and responsible innovation. At the same time, it responds to growing public expectations by giving people rights to their data: the right to access, the right to correct, the right to delete. And we look at those in more detail as we go through the podcast. And finally, the PDPL lays the groundwork for safe AI and data analytics, ensuring these technologies are developed within a trusted, well-governed legal environment. And in short, it's not just a privacy law, it's a strategic foundation for Saudi Arabia's modern, digital, AI-driven future. Okay, so moving on to the next question then. Katie, this question is for you. Who does the PDPL apply to, both inside and outside of Saudi Arabia?

SPEAKER_01

So the Act does have quite a broad scope. It applies to any organization that processes personal data of individuals who are located inside the kingdom, whether the organization is physically in the kingdom or operating from abroad. That includes public and private sectors. And again, something interesting we had from our previous talk about the Indian law, it does extend to deceased persons as well. But in this case, only to the extent that it could identify the individual or their family members. So that's quite an interesting common thread in this law, actually, that reflects the local culture of that area. They have quite strong family identities and reputations there. So it's just interesting that that comes in through the data protection law. And so other than that small detail there, it is basically identical to the territorial scope of the GDPR. If you target or monitor people in Saudi Arabia, you have to abide by this law, basically. Again, the GDPR only really applies to living individuals. So I'd say that's the main thing in the material scope to look out for.

SPEAKER_00

Yeah, exactly. And we've seen that now, like you say, with the Indian law and now with the Saudi Arabian law, that it considers deceased individuals as well in various different ways, but that's something that the GDPR has never considered, you know, and even in the Digital Omnibus, it's not even thought about there. So that's interesting. I think that it reflects culture, maybe.

SPEAKER_01

Yeah, yeah, I agree. I quite like that it extends to the extent that it could identify someone as well here, that it's kind of making that distinction, like it's kind of helping explain why we should maybe think about diseased persons' data.

SPEAKER_00

I agree. Yeah. And like you say, there are implications for the family, you know.

SPEAKER_01

Yeah. Oh, definitely. Yeah. So Maria, how does it actually define personal data? Does it have a special category data equivalent?

SPEAKER_00

Yeah, actually, so with the Indian Act last week, we saw that special category data doesn't exist in the Indian Act, but here in the PDPL, they do make that distinction. So the PDPL defines personal data in a very broad way. It includes any information that identifies a person directly or indirectly: not just names and ID numbers, but also behavioral data and device identifiers and employment details, and location information can even be deemed personal data. So any kind of information that can be linked back to the individual can be seen as personal data, which is interesting again because when you consider the Digital Omnibus, now they're looking to change the definition of personal data in the GDPR, because they're now saying that certain pseudonymized data under the GDPR may not be covered by the GDPR. So that's interesting. So there's kind of an opposite happening. The PDPL is very broad in scope, whereas the GDPR seems to be reducing it somewhat, you know. The law then goes further by creating a category of sensitive personal data which receives stronger protections. So again, like the GDPR. This includes health information, but it also includes financial data, which is not covered under the GDPR's special category data. It also includes genetic data, religious or philosophical beliefs, again like the GDPR, ethnic origin and security-related identifiers. So it's slightly different there from the GDPR. These categories are treated as high risk because misuse could cause harm or discrimination. They also reflect cultural and national considerations specific to Saudi Arabia. For instance, biometric data like fingerprints and facial recognition is given stricter treatment, with Saudi Arabia moving quickly into AI and digital identity and smart cities initiatives and so on.
The PDPL requires organizations to apply very strong safeguards, obtain explicit consent in some cases, and conduct risk assessments before using biometric or genetic data, which is a good sign. Compared to the GDPR, both laws treat sensitive and biometric data as requiring extra protection. So that's similar to the GDPR, but the PDPL does it within a more centralized governance model focused on data sovereignty and national security, as opposed to what the GDPR would do, which is more rights focused. So you could say, in this respect, the PDPL is more controlled or prescriptive. So, in short, the PDPL uses a broad definition of personal data, it treats sensitive and biometric categories as high risk and requires stricter safeguards when processing them, all reflecting the kingdom's priorities around trust and governance and safe digital transformation. So Katie. Yeah.

SPEAKER_01

I was just going to say, when I was looking through it, I noticed one element of the sensitive category data was also data that indicates one or both of a data subject's parents are unknown. So I just thought that was another interesting reflection of the cultural relevance of family backgrounds in the area, which again, like in the deceased individuals we've seen, references the family connections, and then under the sensitive category data. They're thinking about individuals in a wider context than the individual, compared with the GDPR etc.

SPEAKER_00

And when you say one of the parents is unknown, does that then become special category data or sensitive data? Or how does that work?

SPEAKER_01

Well, it said that data that indicates one or both of the individual's parents are unknown was included in the article that defines sensitive category data. So I just think it's almost more community-based, I don't know, than the European understanding of personal data; it considers the community impact rather than just the impact on the individual as well.

SPEAKER_00

Yeah, okay. So if one of the parents is unknown, then that may be sensitive within his or her environment or community. So keeping that private would probably help them feel more comfortable in their community, maybe. Yeah.

SPEAKER_01

Yeah, yeah. That's what I was interested in.

SPEAKER_00

Yeah, something different to the European perspectives, yeah. And so probably something that's important for their culture, that obviously wasn't important enough for it to be included in the GDPR, but yeah, that's an interesting distinction. Okay, so Katie, the next question for you is: what are the main lawful bases for processing personal data under the PDPL? So last week again we saw the Indian Act, or the DPDP Act of 2023, being quite different to the GDPR. So is the KSA PDPL similar to the Indian law, or is it more similar to the GDPR?

SPEAKER_01

Well, I'd say it's a bit of both and neither. I don't know. So the PDPL is consent first, basically, which is flipped from the GDPR. I mean, I feel like the supervisory parties in Europe right now are kind of discouraging people from relying on consent as much, because of the consideration that consent may not be freely given in a lot of cases. So consent is the main basis for processing personal data under the PDPL. But Article 5 does say it needs to be explicit, informed, and freely given. It does say that the data subject can withdraw the consent at any time. So I mean, it wouldn't really be consent, I suppose, if you couldn't, but Article 6 then goes on to allow a couple of different situations where you do not need the consent of the data subject. They have the vital interest basis, they have the actual interest of the data subject, they have legal obligations, contractual agreement, matters of security, judicial requirements, and they do have the legitimate interest of the controller, but only where those interests do not harm individuals' rights or contradict the law's purpose. So they do have the concept of legitimate interest, but it is a bit narrower than the GDPR version now. It's only legal where there's no sensitive data as well, so they can't mix legitimate interest for processing and sensitive data, and they do need to complete an assessment. So, going back, the GDPR encourages taking a case-by-case basis when it comes to legal basis. They don't want people to be relying on consent in every situation. The PDPL is basically backwards, saying, you know, consent first, and if you can't get it, then you need to fit into one of these other categories.

SPEAKER_00

And I think it's interesting as well to say that, again, with the Digital Omnibus coming down the line, legitimate interest is going to be widened under the GDPR and the EU AI Act. So it would be really interesting to know, and I don't know the answer, but maybe we can look into it. It would be really interesting to know how Saudi Arabia or even India justifies the processing of personal data in AI systems. Because under the GDPR now, we're seeing that they're saying that you could actually use legitimate interest for processing personal data in your AI systems, which in my opinion could cause a conflict of interest for the DPO quite easily, you know, but that's another discussion. But yeah, it's interesting. So in the PDPL legitimate interest does exist, but it's not as wide as the GDPR. That's interesting.

SPEAKER_01

Yeah, and you can't use sensitive data. We'll move on to the next question. So Maria, what rights do people have under the PDPL?

SPEAKER_00

Thanks, Katie. Well, I think again, these are quite similar, in my opinion, to the GDPR. From what I can understand, there are six rights. So one of the key features of the Saudi PDPL is that it gives individuals a clear set of data subject rights. These rights are central to building trust in digital services and supporting the kingdom's shift towards a modern, accountable data ecosystem, like we were saying earlier on. So people have the right to be informed, which means organizations must clearly explain what data they're collecting, why they're collecting it, how it will be used, and who it may be shared with. So that again is similar to the GDPR here. Privacy notices need to be transparent and accessible and not buried within legal jargon. Individuals also have the right to access their data. They can request a copy of the information an organization holds about them. So that again is like a data subject access request, which is especially important now that more services rely on cloud platforms and AI systems within the kingdom. Individuals also have the right to correct inaccurate or outdated data, which is crucial in sectors like finance and healthcare, because you can have serious consequences in those two industries. The PDPL also recognizes a right to request deletion, but this is within limits. So people can ask for their data to be erased when it's no longer needed, but in certain situations, organizations may need to keep some information for legal or security reasons. So, again, that's very similar to the GDPR there. Another significant protection is the right to restrict processing, something that we didn't see in the Indian Act last week, but which also exists in the GDPR. If someone believes that their data is being used unfairly or incorrectly, or if there's a legal process going on, then they can request that the organization pause processing until the issue has been resolved.
There's also a growing expectation that individuals can challenge automated decision making, even though I don't think this is a right yet, but there is increased pressure in looking into this area. The PDPL doesn't mirror the GDPR's Article 22, but it does require transparency around profiling and automated decision making. In short, the PDPL gives individuals the right to be informed, to access their data, to correct it and to delete it under certain conditions, to restrict processing and to question automated decisions. And this is all aimed at increasing transparency, accountability, and public trust in Saudi Arabia's fast-growing digital landscape. So the next question now is for you, Katie. What obligations are organizations required to comply with under the PDPL?

SPEAKER_01

Thanks for that, Maria. So they have a couple of different things to look out for. Under Article 8, they need to do their due diligence with their processors. They need to basically make sure that their processors have an adequate level of compliance in relation to the law. So that's a responsibility on them, much like the GDPR. You know, you can't really claim ignorance as to how your subprocessors are handling the data that you give to them. They need to implement accountability measures, ensure accurate and minimal data collection. They need to have technical and organizational security controls. They do need to maintain processing records, which not every international law imposes, and which even the GDPR is considering taking out for certain organizations, which, I mean, I think that maintaining processing records is kind of essential to every other thing that you do in relation to your compliance. It just takes more work off you at the end of the day. It's easier. So yeah, they do have to do that. They have an obligation to train their employees, offer clear rights-handling mechanisms for the data subjects. They do have impact assessments similar to DPIAs for high-risk processing, new technologies, profiling, handling sensitive data, and then breach notification obligations, which we'll talk about further on, I think, in a bit more detail. So I mean it's quite identical to the GDPR there. The SDAIA enforcement does have a stronger emphasis on regulatory engagement, culturally specific expectations, like their notices have to be in Arabic. Which, I mean, that's not so different when you consider that GDPR notices have to be intelligible.
When you consider the people who are going to be exercising their rights, you know, they need that. So I'd say yeah, it's almost one for one compared to the GDPR.

SPEAKER_00

You know how we saw last week as well with the Indian law that the data principal had certain obligations not to be vexatious and so on. Do you have any idea whether that exists in the Saudi law, or is it very much like the GDPR in that it doesn't seem to put any obligations on the data subject?

SPEAKER_01

Yeah, no, I don't think they do. I think as far as those three laws go, the Indian law is unique in imposing the obligation on the data subject, which I actually like.

SPEAKER_00

I agree.

SPEAKER_01

That obligation. Yeah. So Maria, what does the law say about international data transfers?

SPEAKER_00

So I think again, we saw in the Indian law last week, completely different to the GDPR. The Saudi PDPL, in my opinion, is much more like the GDPR in terms of the fact that it has adequacy requirements. So international data transfers are one of the areas where the Saudi PDPL has changed most, especially after the 2023 amendments. The original version of the law was very restrictive. It basically made it difficult for organizations to send personal data outside of Saudi Arabia. But after 2023, they made the PDPL more modern, because before 2023 it caused issues for cloud services, multinational organizations, and basically any kind of cross-border business model. So the amended PDPL from 2023 is much more practical and aligned with global standards. Today, data can be transferred outside the kingdom, but only if proper safeguards are in place, and that's again similar to the GDPR. The core idea is simple: any personal data leaving Saudi Arabia must be protected to a level that isn't materially lower than what the PDPL guarantees inside the country. So, again, you can see that as kind of an adequacy agreement that you would have to have, like with the GDPR. Or again, you know, standard contractual clauses. If you don't have an adequacy agreement, you'd have to get the standard contractual clauses in place to make sure that the data has the same level of protection outside as inside the country. There are a few ways organizations can meet that threshold. They can transfer data to a country that the Saudi authority has deemed adequate, or they can use strong contractual safeguards, again, similar to the SCCs in Europe, like the PDPL-compliant transfer agreements that they have.
And for very specific situations, such as fulfilling a contract or protecting someone's vital interests, the law allows for limited exceptions, which again are similar to the GDPR. So, what's unique about the PDPL is its emphasis on national data sovereignty. Organizations must show that the transfer is genuinely necessary and that they've limited the amount of data leaving the kingdom. The Saudi authority also keeps central oversight and can approve, restrict, or block these transfers, especially when sensitive categories or national security concerns are involved. So while the GDPR and the PDPL both allow for international transfers based on adequacy, their philosophies are slightly different. The GDPR is driven by protecting fundamental rights, as we know, across borders, while the PDPL focuses on ensuring that the data leaving the kingdom doesn't undermine the national governance or cultural or security priorities of the country. So, yeah, kind of fundamental philosophical differences there between the two jurisdictions. So, Katie, tell us about the requirements for consent and privacy notices under the PDPL.

SPEAKER_01

Okay, so I mean, as I said earlier, consent needs to be explicit. You need to obtain the consent before collecting or processing the data. And individuals need to be able to withdraw their consent at any time without negative consequences. I suppose "without negative consequences" kind of considers that point about the European perspective on why consent may not be appropriate in all circumstances. But so it's Articles 12 and 13 that talk about the privacy notices in particular. They need to be clear, accessible, and usually in Arabic. They need to be provided to data subjects prior to the collection of their data. And it needs to outline the controller's identity, the purpose of processing, the legal basis they're relying on, how long the data is going to be retained for, what rights they can exercise, whether the data is going to be disclosed to a third party, how someone can object or withdraw the consent. It needs to inform them of their right to complain, and it also needs to explain whether the data is mandatory and what could happen if the data subject declines to share that information. So, you know, I suppose everyone might want to exercise their right to not share data, but in some circumstances that might actually have an effect on your experience of a particular service, so it's an interesting addition. But yeah, overall the transparency expectations are quite similar to the GDPR. Again the language emphasis, but I mean it's their country, their language at the end of the day.

SPEAKER_00

Absolutely, yeah.

SPEAKER_01

And it also requires that it needs to be accessible to individuals with varying levels of digital literacy, which I quite like, because I know just personally, some people in my life have no concept of what the repercussions could be of giving their consent to something or withdrawing their consent, you know, and you can't blame them either, because it's just not everyone's ballpark.

SPEAKER_00

Absolutely, I agree, and that sounds to me like the protections that are in place in the financial industry where, if you sell an individual a financial product, you have to be sure that they understand what they're buying, you know. So, again, that would be financial literacy and understanding what you're getting into. I think it's very similar in the digital age, like giving consent, but they have to understand what they are giving consent to. You can give them a whole load of jargon and befuddle them and confuse them, and that's not explicit consent, in my opinion, you know. So I agree. Digital literacy is essential in terms of making sure you have explicit consent. So that's a good point.

SPEAKER_01

Yeah, that's quite a good point. So I'll move on to the next question for you here, Maria. How does the law treat AI profiling and automated decision making?

SPEAKER_00

Okay, so this is an interesting question as well because, like we've discussed already, they're looking at Vision 2030, they're looking at smart cities, they're really jumping into digital identity and AI systems and so on. But it doesn't actually have the equivalent of the EU AI Act that we have in Europe at the moment. And so the PDPL, as a data protection law, doesn't have a standalone AI chapter, but it still places clear rules around how AI profiling and automated decision making can use personal data. So, again, similar to the GDPR, it doesn't specifically give definitions of AI, but it talks about profiling, it talks about automated decision making. So Saudi Arabia views AI as a major part of its Vision 2030, like we said, and the PDPL is designed to support innovation while also setting boundaries around higher-risk uses. So, again, we saw that kind of balance in the Indian law last week, and so I think what the PDPL tries to do as well is to get that balance right between being innovative but also protecting the state as well as its citizens. So, under the PDPL, any AI system that processes personal data must follow the law's core principles: having a lawful basis, limiting processing to a specific purpose, collecting only what's necessary, so that's data minimization under the GDPR, and ensuring fairness, transparency, and security. These rules apply whether we're talking about basic analytics or advanced machine learning models in fintech, healthcare, and smart cities environments, so it's across the board. Profiling and automated decision making are treated as potentially high-risk activities, which in my opinion they are, when AI is used to make decisions about people, such as hiring, credit scoring, eligibility assessments.
Like we have, again, a lot coming from the European Court of Justice in this area, where they're trying to understand what is seen as automated decision making and what's not. There have been a number of cases. SCHUFA was one of them back in December 2023. There was another one in February of 2024 about decision making and what we can understand as automated decision making. So again, similar kinds of issues are coming up. So hiring, credit scoring, eligibility assessments or behavioral predictions; around that, you know, the EU AI Act would ban some of those behavioural prediction AI systems. Organizations need stronger risk assessments, enhanced safeguards, and some degree of explainability so individuals understand how those automated decisions were made. Individuals have the right to know when automated processing is happening, and so they need notification that it's an AI system that's processing their data. And in some cases, the right to challenge or correct decisions made solely by algorithms exists. The PDPL doesn't have a direct equivalent of the GDPR's Article 22, like we said before, but the expectation is similar. Important automated decisions should not be completely opaque or unchecked. So you have to have that human in the loop again, like with the GDPR. So biometric data adds another layer of obligation. If you have biometric data, there are more obligations around that. If AI uses facial recognition or voice prints or other biometric identifiers, the PDPL classifies this as especially high risk. That means stricter security controls, access rules, retention limits, and in many cases explicit consent, reflecting national security, which comes up again, as well as human rights and cultural sensitivity.
So we're seeing a lot around the government, national security, and cultural differences that we've spoken about throughout the podcast. Compared with the GDPR, the PDPL is slightly more governance-driven. The GDPR frames automated decision making primarily around individuals' rights, whereas the PDPL blends that with Saudi Arabia's national data sovereignty model, meaning some AI uses may face stronger central oversight. So, in short, the PDPL does allow AI profiling, but it regulates it through a principle-based, risk-based approach. Organizations must stay transparent, they have to justify their data use, protect sensitive and biometric data, and maintain human oversight. So again, it is quite close to the GDPR. There are differences, and I would say philosophical differences as well, but it wouldn't be a huge jump for somebody that's been working with the GDPR to work with this law or to be compliant with the law as well. So, okay, the next question then for you, Katie, is: does the PDPL require organizations to appoint a data protection officer? So again, we saw last week in India that a data protection officer only needs to be appointed when the data fiduciary is seen as significant. So for significant data fiduciaries. How about in the PDPL? What's that like?

SPEAKER_01

So yeah, again, kind of like the Indian law, some controllers are going to need to appoint a DPO, and that's provided for under Article 30. But there are conditions. So the conditions are where a company carries out large-scale monitoring, handles sensitive personal data as a core activity, or operates as a public entity with significant processing responsibilities. So the Saudi Data and AI Authority has published a couple of pieces of guiding literature here. They said, to determine if you fall under one of these categories, consider things like the number of data subjects you handle, the actual volume of the personal data, what type of personal data it is, what the geographical scope of your processing is, and what categories of data subjects you handle. So those are the kinds of things to consider if you're asking, do we carry out large-scale monitoring?

SPEAKER_00

Um it's kind of similar to the Indian law, then, is it? So it's only when there's high risk processing taking place.

SPEAKER_01

Yeah, basically, or a public entity with significant responsibility. So I suppose you could kind of use the same guidance there. Or if handling sensitive personal data is a core activity. So again, financial institutions and healthcare and hospitals and so on, yeah. Yeah. Um so they need to document their appointment of a DPO, and whether they're an internal employee or external, um, they don't need to be internal. And so the DPO's responsibilities, very much like the GDPR: monitoring compliance, advising on obligations, training staff, uh point of contact for the SDAIA. Um there is guidance out there of like what kind of qualifications a DPO should have. So there's a few considerations they put out there. Um they need to have the appropriate academic qualifications and experience, they need to have a knowledge of risk management practices, knowledge of the regulatory requirements and so knowledge of the law. Um interestingly, they need to be a person that demonstrates honesty and integrity. So they also can't have been convicted of any offence involving dishonesty or a breach of trust. So um those two considerations seem to be kind of independent of each other. So the honesty and integrity, and then not been convicted of any offence involving dishonesty or a breach of trust. So that's to me, that's a nice addition, but I'd just love to know what way they're going to consider whether someone is honest and you know, the integrity and honesty of person are just being interact, you know.

SPEAKER_00

Maybe it's a background check or something they may have to do.

SPEAKER_01

Yeah, true. I'd that's just my personal I'd you know, I just like to know the kind of thought patterns of whoever's appointing them, of what they are gonna be, you know, is there gonna be criteria? Is there gonna be like a code of practice? Maybe there's more out there than but yeah, so they're conceptually similar, but it is a bit more like the Indian DPDP than the GDPR when it comes to the appointment of a DPO.

SPEAKER_00

I think that's an interesting consideration as well, that they you know, they look for a trustworthy individual, they may check their background to see if they have any kind of criminal record or kind of any kind of wrongdoing. It kind of reflects the importance that they put on data and personal data, you know.

SPEAKER_02

Yeah, yeah, yeah.

SPEAKER_00

Yeah. So, like somebody in Europe said, data is the new oil. So I suppose, especially for Saudi Arabia, important to protect personal data, like oil.

SPEAKER_01

Yeah, I think it's another to me, it's another example of how they keep kind of considering personal data in more of a community-based understanding rather than individualistic because it keeps coming back, you know, thinking about not just the effect on the individual, but you know, kind of the broader effects on larger groups of people.

SPEAKER_00

You know, absolutely, and the country itself, you know, and the state, it's very kind of emphasized in the law, I would say.

SPEAKER_01

Yeah. Nice to note those differences. We'll move on to the next question here for you. Maria, what counts as a personal data breach? So what is a personal data breach and what do organizations need to do?

SPEAKER_00

Okay, thanks, Katie. So I think this is really an interesting area as well because a personal data breach under the PDPL is defined very broadly, not just about hackers trying to hack into the organization. It includes any kind of incident or accidental or intentional breach of personal data as well that leads to loss or alteration or disclosure or unauthorized access to personal data. So it could actually be also internal, like if somebody internally, like a nosy person checking somebody's health record, you know, or something like that, that would be seen as a breach as well. So a cyber attack counts, of course, but so do everyday mistakes like emailing data to the wrong person within the organization, losing a laptop, misconfiguring a cloud service where personal data is breached, or exposing it within the cloud environment as well, or exposing information through poor access controls to employees that shouldn't have access to that kind of personal data. So that's really interesting, you know. And again, I think that, like you say, it might go back to the kind of community or cultural thing about exposing personal data to people within the community that shouldn't have access to that data. You know, like you say, it's kind of private, not just out for protecting people from outside the country, but it also seems to be to protect people from even people from within the culture or from within the community, you know. So there seems to be a trend there. So the PDPL focuses on the likelihood of harm. If the incident could affect someone's privacy, their dignity, which is important and interesting, financial security or their you know their human rights, the organization must treat it as a breach and take action. This reflects Saudi Arabia's emphasis on trust. Again, that's coming up again, strong governance around national data assets. 
So when a breach occurs, the organization must notify the Saudi authority or the SDAIA and the regulator as soon as the organization becomes aware of the breach. There's no fixed kind of 72-hour rule like we have in the GDPR, but the expectation is you know, make sure it's prompt reporting, especially when sensitive or high-risk data is involved. If the breach is likely to cause harm to the individuals, the organization must also notify the individuals of the breach and explain what happened, what data was exposed, and what steps they should take to protect themselves. So again, you have a similar kind of procedure as the GDPR, but kind of more of an emphasis on protecting the individual from not just external threats but also within the community or even within their workplace, you know. So the PDPL also requires immediate remedial action, similar to the GDPR: containing the breach, preventing further exposure, restoring data if possible, and reviewing internal safeguards to avoid repeat incidents. So again, the breach procedure is very similar to the GDPR. Organizations also document the response because the Saudi authority should, or you know, the regulator may request evidence of how the incident was handled. So compared to the GDPR, the overall structure is very similar. Both require reporting, transparency, and mitigation, but again, the PDPL places emphasis on central oversight. Uh, the supervisory authority or the SDAIA has stronger authority to intervene and impose controls or restrict processing in higher risk situations. You know, breaches include any incident that compromises personal data, and organizations must report it or notify individuals if harm is possible, similar to the GDPR. So, Katie, this brings us to our last question, which is for you. And the question is: what are the penalties for non-compliance and how does the PDPL enforce non-compliance?

SPEAKER_01

So it does come with quite substantial administrative fines, up to 5 million Saudi Riyals, with the potential for doubled penalties if an organization commits repeat violations. So quite a good deterrent there. But they also have a couple of criminal penalties of imprisonment and fines for unlawful disclosure of sensitive data or illegal cross-border data transfers. So quite a bit more severe there. The enforcer of these penalties is the SDAIA, and the regulators have shown willingness to enforce, especially in situations of national security and public trust. So that's an almost you know, national security, public trust. That's in about every second question nearly that we went through. So it's very important to them.

SPEAKER_00

And it's also evidenced by the fact that they are willing to put people in prison if they breach the law.

SPEAKER_01

Um especially for the illegal cross-border transfers that they can into with criminal penalties. Um so it is quite different to the GDPR in that sense. Actually, um GDPR relies mainly on administrative fines. That's it. I mean criminal liability.

SPEAKER_00

No, absolutely. And I think probably yeah, and I think that probably falls on the leaders, like the you know, I would say that would probably be the CEO or managing directors or the board or so on, um of organizations. Yeah, hopefully not. I wonder, does the DPO have that independence like it does under the GDPR? That might be an interesting question to ask. So the DPO under the Saudi PDPL does not have the same level of statutory independence as the GDPR DPO. Okay. It's not in the same way. Under the GDPR, the data protection officer is a legally protected role. They must act independently and cannot be dismissed, as we know. Um, but under the Saudi PDPL, the level of independence isn't explicitly built into the law. So the PDPL does allow organizations to appoint someone responsible for privacy oversight, but it doesn't include the GDPR style protections around independence, job security, and guaranteed access to leadership. Instead, the PDPL takes a governance-driven approach. The person overseeing data protection must ensure compliance with the law, support internal controls, manage breach notifications, and coordinate with the uh the Saudi regulator, but they operate within the organization's normal management structure. So the version of a DPO under the PDPL is more of a compliance coordination role rather than an independent statutory officer. That's interesting. That is, yeah. And that could have different implications for the DPO and how they conduct themselves in the organization, you know?

SPEAKER_01

Yeah, that kind of honest integrity consideration is quite important in light of that.

SPEAKER_00

Conflict of interest could be um an issue for DPOs taking up the role of a DPO in the Kingdom of Saudi Arabia, because if they don't have that protection they won't feel as competent to call out wrongdoing, you know. Yeah. So the integrity of the individual is very important then in that respect. Great. So thanks, Katie, for that. That was a really interesting uh final question. So that brings us to the end of our walkthrough of the Saudi PDPL. Hopefully, this discussion gives you a clear understanding of how the law works, where it aligns with the GDPR, and where the key differences lie. Thank you, Katie, for joining me again today. And thank you to our listeners for tuning in. Um, don't forget to subscribe, and we'll see you in the next episode as we continue to explore our global privacy, data protection and AI governance podcast. Thanks, Maria. Thanks, everyone. Thanks, Katie.

SPEAKER_02

Take care of the