This first appeared on AGBI
New data protection rules, including the Personal Data Protection Law, create big opportunities for legal and software experts as the kingdom strengthens data governance
- Digital transformation driving change
- Saudi cybersecurity rules tightened
- Strict compliance needed
Saudi Arabia’s push to digitalise its economy and strengthen data protection standards is creating opportunities for lawyers specialising in compliance, as well as for software companies supporting regulatory implementation.
The far-reaching Personal Data Protection Law came into full effect in 2023, although companies and authorities were given at least a year before the need for strict compliance.
Penalties for non-compliance include fines of up to SAR3 million ($800,000) and, unusually for such legislation, a prison sentence up to two years. The PDPL also exists alongside National Data Management Office (NDMO) standards that outline strict criteria for the governance of data.
Saudi Arabia’s data governance and protection laws are designed to support the kingdom’s digital transformation by enabling authorities to make better use of available data and enforce compliance with protection rules across public and private sectors, in line with international standards.
Yet this poses a challenge to companies and Saudi authorities, which need to align with the legislation to avoid penalisation.
“There is pressure from the regulators because they are asking for better data governance and for protection of personal data, and there are a lot of cybersecurity rules,” said Jehad Senan, co-founder of software developer Governata.
Much of Saudi Arabia’s data protection framework is based directly on the European Union’s General Data Protection Regulation (GDPR), landmark legislation introduced in 2016 that greatly tightened requirements around data management, accountability, transparency and user consent.
However, the Saudi legislation goes beyond the GDPR, with notable additions including articles concerning data classification and warehousing.
“This is where we found the big gap in the market,” Senan said. “The local market regulations are different from others in other parts of the world, because it’s not only about privacy.”
Governata sells computer software that helps customers comply with NDMO standards. Most of these customers so far have come from government organisations, but Senan says the company is receiving increasing interest from the private sector, particularly among banks and insurers.
The Saudi government has made digitalisation of the economy a major focus of its diversification efforts through the Digital Government Strategy, under which it claims to have digitalised at least 98 percent of government services.
“The country is undergoing a massive digital transformation,” said Mona Maamer, a cybersecurity specialist and partner at consultancy PWC. “Everything in Saudi today is digital.”
In this effort, Maamer said, Saudi Arabia is looking to tighten data protection practices to bring it in line with global standards.
“It matters in Saudi for a couple of things,” Maamer said. “From a visibility perspective, from a reputation perspective, it is seen as a country that values personal data.”
It also reduces friction between companies looking to operate in Saudi Arabia and other countries with data protection laws.
“For a lot of organisations, data privacy is a big area,” Maamer said. “If I look at banks, for example, if I look at the health sector, if I look at the financial services sector, some of the government entities, they take data privacy very seriously.”
