The Saudi Data and Artificial Intelligence Authority (SDAIA) has decided it’s about time to call for the Kingdom of Saudi Arabia’s first data protection law. The Personal Data Protection Law (PDPL) originally included a public consultation component when it was launched by SDAIA in late 2022. Since then, the public consultation has been withdrawn, and the draft version of the data protection law augmenting the PDPL was issued.

Following several postponements, the SDAIA approved the PDPL and declared it effective as of September 14, 2023. The regulations concern personal data transfers, and the PDPL will have authority over how controllers (organizations, in this context) collect and process individuals’ data and over the security measures laid out.

What is PDPL?
As the first data protection law of Saudi Arabia, the PDPL regulates the processing of its residents’ personal information and creates obligations that data controllers must adhere to. The PDPL establishes rules for disclosing personal details, controls the extent to which controllers collect information from third-party providers, and ensures that the consent of the individual is in place.

The time crunch
The amended PDPL comes with an implementation deadline. Any organization that collects, handles, processes, or even transfers the data of an individual residing in Saudi Arabia should comply with the PDPL regulations before September 14, 2024; failing to do so will cost you dearly.

So buckle up before time’s up!

What to watch out for
The PDPL applies to private and public organizations and ensures that the consent of the individual is in place before the data is collected. Several amendments were made, such as the introduction of the Data Protection Officer (DPO) role, organizations being exempt from processing location data, the establishment of data subject rights, and records of processing activities, to name a few.

Commotion in being compliant?
Organizations based in Saudi Arabia, as well as any that engage with customers in Saudi Arabia, need to be aware of the PDPL requirements and take action to ensure compliance. Your organization should catalog data inventories and classify sensitive data to help fast-track compliance with the PDPL and its amendments. But what qualifies data as “sensitive,” and how do you protect it?

Stick with Endpoint DLP Plus and stand by the PDPL
ManageEngine Endpoint DLP Plus is a dedicated endpoint DLP solution that protects sensitive data on managed endpoint devices. This solution provides a set of customizable data rules and criteria that enable you to scan data for patterns of PDPL-pertinent information. Based on the occurrences of the patterns, data that falls under one of the regulations of the PDPL is considered sensitive.

For example, let’s look at applying the current PDPL compliance requirements through the criterion named Saudi Arabia: International Bank Account Number (IBAN). When devising a DLP policy, opting for this criterion for data classification ensures all the endpoints in your network are scanned for patterns that include Saudi Arabia’s IBAN.

Once data matching the pattern is observed, it is marked sensitive, and further DLP policy deployments protect the sensitive personal information from unauthorized access. To block data leakage and ensure your organization is PDPL compliant, the mediums through which data travels, along with the means of data access, should be constantly monitored.
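The pattern-based classification described above can be sketched as follows. This is an added example, not ManageEngine's code or rule definition: it pairs a format match for Saudi IBANs (24 characters: `SA`, two check digits, a two-digit bank code, 18 alphanumerics) with the ISO 13616 mod-97 check so that look-alike strings are not flagged. The `threshold` parameter and the sample text are assumptions made for illustration.

```python
import re

# Saudi IBAN layout: "SA" + 2 check digits + 2-digit bank code
# + 18 alphanumeric account characters = 24 characters in total.
# Spaces between groups of four are optional, as on printed statements.
CANDIDATE = re.compile(
    r"\bSA\d{2} ?\d{2}[0-9A-Z]{2}(?: ?[0-9A-Z]{4}){4}\b"
)


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35), and test value mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if len(s) != 24 or not s.startswith("SA") or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def find_saudi_ibans(text: str) -> list[str]:
    """Return checksum-valid Saudi IBANs found in text, spaces removed."""
    hits = []
    for match in CANDIDATE.finditer(text):
        if iban_checksum_ok(match.group()):
            hits.append(match.group().replace(" ", ""))
    return hits


def classify(text: str, threshold: int = 1) -> str:
    """Mark content sensitive once it holds at least `threshold` distinct
    valid IBANs (hypothetical occurrence rule, for illustration only)."""
    distinct = set(find_saudi_ibans(text))
    return "sensitive" if len(distinct) >= threshold else "not sensitive"


# Constructed sample: one well-formed IBAN in the commonly published
# sample format, and one copy with a wrong check digit that must be ignored.
SAMPLE = (
    "Refund to SA03 8000 0000 6080 1016 7519 by Friday.\n"
    "Mistyped copy: SA0480000000608010167519\n"
)

if __name__ == "__main__":
    print(find_saudi_ibans(SAMPLE), classify(SAMPLE))
```

Validating the checksum before counting a match keeps reference numbers that merely resemble an IBAN from inflating the occurrence count and triggering false positives.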

Data transfer mediums, such as email, USB transfer, printing, cloud upload, and application processing, are regulated to prevent the leakage of personal information. Endpoint DLP Plus cranks the data protection strategy up a notch through its proactive approach, which logs unauthorized access attempts to enable future analysis. Upon frequent illegal attempts, the concerned technician or sysadmin is notified of the blocked events, and can report the issue and strip the user or the computer of access to sensitive personal information.

Get the better end of the stick
With a lot of talk about PDPL compliance, the requirements to be privy to, and the penalties to be paid for non-compliance, it’s better to be safe than sorry. The PDPL isn’t here to restrict enterprises from acquiring or processing personal data; it sets rules to abide by when collecting the data, while ensuring the individual’s consent is in place.

Endpoint DLP Plus provides data security when handling personal information, including medical-related data, bank account numbers, personal information, and more.

With Endpoint DLP Plus, your organization could be PDPL compliant within a few minutes and mouse clicks. With its wide array of classification criteria, this solution categorizes sensitive data with ease and protects critical enterprise data from threats (intentional and accidental data leakage).