As part of the compliance obligations under the Saudi Personal Data Protection Law (PDPL), we set out below a summary of our observations regarding SDAIA's current practices:
a. Registration with SDAIA
We have observed that SDAIA is increasingly requiring entities to register as data controllers on the National Data Governance Platform (NDGP). In practice, this may occur either through direct outreach by SDAIA or indirectly via the entity's sector regulator, in some cases without a prior assessment of whether the entity is in fact required—under the PDPL and its Implementing Regulations—to register.
In light of this, our recommendations are as follows:
- If you fall within the requirements to register as a data controller, you should initiate the registration process promptly to ensure compliance with the PDPL and its regulations.
- If you do not fall within those requirements but receive a request from SDAIA or a Saudi regulator to register (noting that such requests typically provide a 30-day grace period), you should be prepared to respond with appropriate explanations and legal arguments as to why registration is not required. Depending on SDAIA's reply, further steps can then be taken.
b. Data Breach Notifications
We have also seen cases where entities seeking to register as data controllers for the purpose of submitting a data breach notification encounter difficulties because they are not recognized as eligible to register. This has created a risk of missing the 72-hour breach notification deadline mandated by the PDPL and enforced by SDAIA.
To mitigate this risk, we have adopted the approach of submitting the initial breach notification directly by e-mail to the National Data Management Office (which administers the NDGP) within the 72-hour timeframe, while completing the formal registration process on the platform if and when registration is required. This ensures compliance with statutory deadlines. Please note, however, that if the notification is submitted after the 72-hour window, SDAIA requires a written justification for the delay.
PDPL Training
Regarding PDPL training, we would like to emphasize the importance of conducting internal training for employees who process or handle personal data within the organization. This is a key requirement under the PDPL and its Implementing Regulations.
Specifically, Article 36 of the Implementing Regulations mandates that entities conduct regular audits to ensure the protection of personal data. It also highlights the need for staff to be adequately trained to manage personal data responsibly, identify internal compliance gaps, and implement the necessary administrative and organizational measures to ensure data accuracy and integrity.
Additionally, Article 32 outlines the responsibilities of the data protection officer, which include participating in awareness initiatives, delivering training, and promoting knowledge transfer related to data protection, compliance, and the ethical handling of personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.