A new paper by KPMG, a leading professional services provider, provides timely recommendations to businesses in Saudi Arabia about what they can expect from the implementation of the new Personal Data Protection Law (PDPL) in Saudi Arabia, and help them avoid potential pitfalls, penalties and reputational damage.

The much-anticipated new law was published in the Official Gazette on 24 September 2021. Following a recent announcement, PDPL will be formally active from 14 September 2023, marking a significant milestone in the Kingdom's commitment to privacy.

The Saudi Data & Artificial Intelligence Authority (SDAIA), the presiding regulatory authority of PDPL, has granted businesses a one-year grace period starting from the law's enforcement date. This grace period, extending until 14 September 2024, offers a vital window of opportunity for organizations to fully comply with the provisions of the new law.

“Establishing a strong PDPL deployment and continuous compliance management program from the outset is an essential strategic move to ensure long-term success and sustainability in today's data-driven business landscape,” says Ton Diemont, Head of Cybersecurity & Data Privacy at KPMG in Saudi Arabia.

KPMG makes a comparison with the introduction of the General Data Protection Regulation (GDPR) in the European Union, a law bearing similarities across syntax, concepts, principles, and framework. GDPR is one of the world’s most comprehensive data protection laws to date and has influenced many data protection laws in countries and jurisdictions far and wide, making it an exemplar for data privacy and protection laws worldwide.

While the EU’s data protection authorities can impose fines of up to €20 million, or 4 percent of worldwide turnover, whichever is higher, fines are structured and issued based on a company’s international revenue.

The paper states that, following the launch of the GDPR several persistent challenges emerged, including cultural transformation, technical difficulties, responding to user requests in a timely manner and multi-level compliance training and revised budget planning.

“Regardless of attitudinal differences between the EU and Saudi Arabia towards personal data, there is a strong possibility that consumers from the Kingdom will become more privacy-conscious,” added Diemont.

While the initial focus will be on local businesses becoming PDPL-compliant, there will eventually be a requirement for organizations located outside the Kingdom that process the personal data of Saudi constituents to comply with the PDPL.

“Currently, this requirement has been deferred for a period of up to five years from the law’s introduction,” noted Ahmed Shokr, co-author and Data Privacy Lead at KPMG in Saudi Arabia. “Therefore, companies would be well advised to prepare for this eventuality in good time for business continuity.”

"The PDPL is likely to evolve over time, with additional amendments, reviews and modifications anticipated following the introduction of the law. Consequently, data controllers and plan managers must be vigilant for further changes, amendments, and updates to ensure full PDPL compliance,” concluded Diemont.