The Kingdom of Saudi Arabia’s (KSA’s) Personal Data Protection Law (PDPL) marks a significant milestone in protecting personal data in the region. Overseen by the Saudi Data and Artificial Intelligence Authority (SDAIA), the PDPL applies to all entities processing personal data of individuals residing in the KSA regardless of the physical location of the data processing activities, whether within the KSA or not.
Among other things, the PDPL empowers the SDAIA to establish mechanisms for monitoring data controllers’ adherence to the new data protection law. Accordingly, data controllers must now register with the National Data Governance Platform (NDGP), a national repository of data controllers developed by the SDAIA to track compliance with the PDPL and its implementing regulations.
Both public and private organizations are affected by this requirement as stipulated under the Rules Governing the National Register of Controllers. Registration is mandatory if a data controller processes sensitive data or if the data controller’s main activity is based on processing personal data within the KSA.
The registration can be completed online, and currently no fee applies. For private entities, a representative must be appointed to handle the NDGP registration through the authorization system available on the Saudi Business Center’s platform. As part of the sign-up process, the representative must submit relevant details, including by completing an entity profile and an assessment of whether a data protection officer has to be appointed on the basis of the applicable processing activities.
Once submitted, applications undergo review by the SDAIA, which then issues a registration certificate upon approval. The SDAIA will notify registered data controllers 30 days prior to the expiration date of a registration certificate, on the basis of which the relevant entity may apply for renewal of its certificate.
In addition to being a national register of data controllers, the NDGP also makes available a number of tools for data controllers, including services related to privacy impact assessments, personal data breach notifications, and compliance assessment.