Saudi Arabia and the UAE have introduced new legislation, the Personal Data Protection Law (PDPL), that mirrors the EU's GDPR. We explain what the law is, what it means for businesses, and how to stay compliant.
Since the Personal Data Protection Law (PDPL) was ushered in between 2021 and 2022 across Saudi Arabia and the UAE, organizations have been forced to adapt, and sometimes reinvent, their privacy policies to avoid penalties. Closely aligned with the EU's General Data Protection Regulation (GDPR), the PDPL serves as a mechanism to protect user data privacy.
Today, one of the sectors that will experience the most impact in the UAE is the banking industry, with financial institutions obligated to comply with financial and data protection regulations while handling vast volumes of sensitive data and PII. While organizations are still awaiting the law's entry into force in the UAE, there's no doubt that failure to comply will have major consequences for banks based in the territory, and organizations must be prepared.
In Saudi Arabia, banks and other financial entities that fail to comply face fines of up to $800,000 and potential jail time of up to two years for responsible parties. In extreme circumstances, organizations can even have their banking licenses withdrawn. The UAE is expected to follow suit.
As mentioned above, the PDPL is based on the EU's GDPR to the extent that the main focus of the regulation is to secure data privacy and uphold the rights of citizens to decide how their data is used. These protections cover the processing of data belonging to citizens based in these territories, as well as citizens living or working outside them if their data is processed within them, and they apply to both data processors and data controllers.
Beyond this, any organization outside the UAE or Saudi Arabia that processes data belonging to citizens from these nation-states must also adhere to the legislation. The scope of the law can be divided into five critical elements: consent and lawful processing, purpose limitation and data minimization, security measures and data protection, data subject rights, and cross-border data transfers.
The five core elements of the PDPL are as follows:
1. Consent and lawful processing: This element concerns obtaining consent from users before processing their data. Processing requests must be clear and transparent and in accordance with the regulatory framework laid out by the PDPL. Ultimately, the PDPL makes consent a mandatory obligation.
2. Purpose limitation and data minimization: Subject data must be collected for a specific purpose, and the PDPL governs these limitations. The aim is to prevent companies from collecting large amounts of data and to ensure that only the data required for the transaction is collected.
3. Security measures and data protection: Organizations operating within the UAE and Saudi Arabia must ensure that they have robust security measures in place to protect customer data. This provision includes several measures such as risk assessment, built-in security controls, record keeping, and data protection by default.
4. Data subject rights: The PDPL bestows several rights on the data subject. These include the right to control, access, correct, erase, and restrict the processing of their data. Beyond this, data subjects must be able to communicate directly with the data controller.
5. Cross-border data transfers: The final core element of the PDPL concerns cross-border data transfers. It requires organizations to acquire legal consent to move data out of Saudi Arabia or the UAE. The clause was designed to stop data transfers to territories where data protection standards are lacking.
Since its launch in 2014, OvalEdge has been working closely with organizations to help them mitigate the fallout from non-compliance with the GDPR. Today, we have a strong knowledge of how to implement governance protocols that ensure our customers remain compliant with this major framework.
The PDPL is very similar to the GDPR, but subtle nuances across the PDPL for both Saudi Arabia and the UAE make it different. Since the law was announced, we've been studying these differences to offer our clients operating in the jurisdiction a tailored service that builds on our comprehensive understanding of the GDPR. So, what are the differences?
Banks operating in the UAE should be aware that the PDPL has a broader scope than the GDPR and automatically applies to entities outside the UAE that deal with UAE subject data. The GDPR, in comparison, addresses these issues conditionally.
While the GDPR includes specific conditions for children's data, the PDPL does not. However, both laws contain a general data security obligation. Unlike the GDPR, which sets out specific penalties for non-compliance, the UAE's PDPL does not. As the law currently reads, fines can be imposed at the discretion of government ministers.
These are just some of the differences between the GDPR and the PDPL, but there are many more. That's why it's so important to work with a data governance company that understands both pieces of legislation inside and out.
At OvalEdge, we have developed a data governance toolkit that is purpose-built for banks. When applied to the PDPL, this tool offers an end-to-end data governance solution that incorporates each of the key processes required to ensure compliance.
With our data catalog, our customers can map all of the data in their organization so they know what the data is, where it is, and how to access it. By crawling the metadata, we can plot the entirety of your data estate while our AI tools identify and categorize all of the PII, sensitive, or confidential data you have, tagging it accordingly.
Our comprehensive data access policies are based on roles and responsibilities. Using this feature, access policies that protect the data falling under the PDPL can be put in place. All of these facilities are operated from a single, centralized dashboard, slashing the complexity of data management.
When it comes to auditing, OvalEdge makes it easy to find and collate the data you need to build critical reports. Of course, as a dedicated data governance platform, we take care of all the other supporting tasks, such as data quality improvement and lineage building, that ensure you are always following best practices.
Read More:
1. Improving Data Quality at a Regional Bank | A Case Study
2. 3 Data Privacy Compliance Challenges that can be solved with OvalEdge
Book a call with us to find out:
1. How OvalEdge can help your bank to streamline data governance
2. How our dedicated data quality improvement tools are built for banks
3. Why only a solution developed for finance organizations can tackle the complex data issues they face