Saudi Arabia: Data residency under the PDPL - Part 2: Key steps to Article 29 compliance
Saudi Arabia's new Personal Data Protection Law1 ('PDPL') was recently published in the Official Gazette, triggering a 180-day period that will require the publication of additional Executive Regulations and see the PDPL come into effect on 23 March 2022. Controlling entities will then have one year from this date to achieve compliance. Article 29 of the PDPL provides that a controlling entity may only transfer personal data outside the Kingdom, or disclose it to a party outside of the Kingdom, in specific circumstances and after certain conditions are met. In Part 12 of this two-part Insight article series, Dale Waterman, Managing Director for the Middle East & North Africa at Breakwater Solutions, shared his initial observations on the interpretation and potential operationalisation of Article 29. In Part 2, Dale seeks to offer newly appointed compliance stakeholders in the region a few suggestions on how they might consider ways to begin preparing for future data sovereignty obligations in advance of receiving the Executive Regulations and the PDPL coming into effect.
What can legal and compliance stakeholders do in the interim?
Most organisations rely on the ability to transfer and share data across borders in data-driven economies. Complying with data sovereignty regulations is also becoming increasingly complex, in part because organisations are often faced with a global collection of inconsistent data sovereignty regulations in different jurisdictions. The challenge therefore is not only going to be compliance with the PDPL within the Kingdom. Companies are going to require a global strategy supported by a global data governance program.
As we await the publication of the PDPL's Executive Regulations in March 2022, newly appointed compliance stakeholders in the region, who may not yet be experienced privacy professionals, may wish to consider the following as they begin to assess how best to prepare for the likely data sovereignty challenges.
Before entering a new market or acquiring a company, it is always prudent to ensure you understand the regulatory landscape, which also holds true for the data landscape. It is also very important to recognise that organisations should not look at the PDPL in isolation inside the Kingdom. Personal information in the Kingdom, as with other countries within the Gulf Cooperation Council ('GCC'), is protected under general laws and regulations that apply to all organisations, but a number of laws and regulations that apply to organisations within specific industry verticals also exist. There are several sector-specific laws in the Kingdom, where competent authorities are responsible for overseeing elements related to data protection, and which include data sovereignty provisions relevant to our current discussion.
The main competent authority for the purposes of data protection is now the Saudi Data and Artificial Intelligence Authority ('SDAIA'). Underneath the SDAIA, you have the National Data Management Office ('NDMO'), which will take over the duties of the SDAIA and supervise the application of the provisions of the PDPL and its Executive Regulations after a period of two years.
Without trying to offer an exhaustive list, it is important to call out that legal and compliance stakeholders should familiarise themselves with several other sectoral stakeholders and regulations:
- The National Cybersecurity Authority ('NCA') has developed and implemented the Essential Cybersecurity Controls3 ('ECCs'). The objective of these controls is to set the minimum cybersecurity requirements for information and technology assets in organisations. The ECCs apply to all government organisations in the Kingdom and its companies and entities (i.e. semi-government entities), as well as private-sector organisations owning, operating, or hosting Critical National Infrastructures ('CNIs'). Section 184.108.40.206 of the ECCs, which deals with cloud computing and hosting cybersecurity, mandates that an applicable organisation's information hosting and storage must be inside the Kingdom of Saudi Arabia. Of interest is that the NCA strongly encourages all other organisations in the Kingdom to 'leverage these controls and implement best practices to improve and enhance their cybersecurity'.
- The Communication and Information Technology Commission ('CITC') offers General Principles for Personal Data Protection and has issued several iterations of a Cloud Computing Regulatory Framework4 ('CCRF'). The CCRF, which regulates all cloud services in Saudi Arabia, sets out the service provider's obligations and mandates (see 3-3-8) that cloud computing providers registered with the CITC (and their cloud subscribers) shall not transfer any content from the Saudi Government outside the Kingdom for any purpose, even temporarily, unless permitted by the laws or regulations of the Kingdom.
- The Saudi Central Bank ('SAMA') Outsourcing Regulation for Insurance and Reinsurance Companies5 requires that the SAMA must issue a 'no objection' for outsourcing of material processes abroad. A SAMA-regulated entity must obtain the SAMA's approval prior to using cloud services or signing a contract with a cloud provider. In addition, explicit approval by the SAMA is required to use cloud services located outside the Kingdom.
- Recital 6 of the PDPL requires that the SDAIA, as the competent authority, and the SAMA prepare a Memorandum of Understanding ('MoU') to regulate the provisions of the PDPL in the entities subject to the regulatory supervision of the SAMA.
- Recital 7 of the PDPL demands that the SDAIA and the CITC prepare a MoU to regulate the application of the provisions of the PDPL and to address any potential impact on the CITC's independence as a regulatory authority.
- Finally, Article 42 of the PDPL requires that the chairman of the SDAIA should coordinate with the Ministry of Communications and Information Technology, the Ministry of Foreign Affairs, the CITC, the NCA, the Saudi Health Council, and the SAMA, each within its scope of competence.
Data classification is often described as the foundation of any successful data governance or information security program. It is only once you understand what data your organisation is collecting and processing, where that data is stored, and who has access to it, that you can make informed decisions on how best to manage that data and reduce organisational risk. Having this information also enables the organisation's management teams to make strategic decisions about how best to create value from this data as a modern-day asset.
If you can accurately classify and track unstructured data, then it stands to reason that you are much more likely to manage and control the location of that data to help mitigate any identified data sovereignty risks.
In addition, I would also encourage readers to familiarise themselves with the NDMO's Data Classification Regulations, which form part of the NDMO's National Data Governance Regulations6.
Data minimisation is a well-established data protection principle, but can also be leveraged to address the challenges of data sovereignty. Data minimisation involves limiting data collection to only what is required to fulfil a specific purpose. Your ability to minimise data is largely dependent on the ability to first classify that data. Minimisation reduces risk and helps reduce compliance costs, because it may enable certain organisations to reduce the volume of unnecessary personal data that they are currently collecting. It is that very collection of personal data that puts more of the organisation's data into the realm of the PDPL.
Data anonymisation is another common data protection and cybersecurity practice, but can also be leveraged in a data sovereignty context. If personal data can be de-identified, the data is then taken outside the remit of the PDPL because it is no longer related to what we refer to as an identified or identifiable natural person. This may allow your organisation to then transfer anonymised data across borders to central company locations for projects that might require data aggregation and data analysis using technologies like hyperscale cloud computing and AI.
Supply chain management has become a key modern-day compliance focus, which is also true for data protection. You cannot contract away your obligations in data protection, meaning controllers remain responsible for the conduct of their third-party processes. This concept becomes relevant in the data sovereignty context because an organisation will need to consider the ability of their third-party vendors (or partners) to ensure they remain compliant with the PDPL's Article 29 data sovereignty obligations. This is an additional element to consider during the procurement and contracting process, and the maturity and/or geographic location of your third parties may begin to impact the selection process in future.
The convergence of cybersecurity and privacy
There can be a tendency in the Middle East to have the cybersecurity and privacy functions operating in silos, which, in many ways, is quite understandable. Cybersecurity is already recognised as a high-profile risk by leadership teams in the region and is typically managed by roles, like those of chief information security officers or chief information officers. The default position for the ownership of privacy compliance is however the GCC (or legal department) in the Middle East. The overlap in shared goals between these two domains is now significant and I would encourage the designated legal lead to build a strong, or stronger, relationship with the cybersecurity team and leverage their operational experience.
Support by outside counsel is inclined to be very much about paper governance, but implementing a privacy program will require bringing all those good intentions (documented on paper in company policies) to life. Leadership teams tend to consider cybersecurity risks as not to be mitigated with policies alone. Implementation of the necessary controls is required, also applicable to privacy. A legal function may default to updating documentation, but feel much less comfortable about operationalising the program. Legal teams will therefore, in my opinion, benefit enormously from working more closely with their cybersecurity team on projects, such as business continuity, disaster recovery, and breach incident planning.
International standards, such as the International Organization for Standardization's ('ISO') and the International Electrotechnical Commission's ('IEC') ISO/IEC 27018:2019, 27001:2019, 27702:2013, and 38505-1:2017, offer and define best practices for data governance and serve as a useful tool for governing bodies to publicly demonstrate compliance with internationally respected standards. Conformity and certification also serve as a tool to build trust with customers and partners, and can help organisations obtain a competitive advantage in a world where consumers are increasingly concerned about privacy.
An example of a standard on the governance of data is ISO/IEC 38505-1:2017. This standard helps governing bodies understand that data has inherent value, risks, and constraints, the accountability issues of data, and how to develop a framework for governing the use of data. The standard uses a 'data accountability map' to describe in very simple terms the data activities that require governance oversight and policies.
As new laws are introduced around the world governing personally identifiable information, such as the Kingdom's PDPL, a new standard, known as ISO/IEC 27701:2019, the Privacy Information Management System ('PIMS') has been developed. ISO/IEC 27701:2019 is a privacy extension of ISO/IEC 27001 Information Security Management and ISO/IEC 27002:2013 Code of practice for information security controls. It defines a way of managing data privacy through a code of practice, including specific standardised measures (referred to as controls), that can be implemented as needed in an organisation to meet the needs of both global regulations and specific contractual obligations.
The PDPL is due to come into effect on 23 March 2022. Article 29 of the PDPL states that a controlling entity may not transfer personal data outside the Kingdom or disclose it to a party outside the Kingdom. Even if the upcoming Executive Regulations offer familiar derogations, controllers will still require approval for cross-border transfers of personal data from the SDAIA as the competent authority. This has the potential to pose practical challenges, unless the Executive Regulations offer some form of self-assessment mechanism, with case-by-case formal approval only required for designated high-risk or prohibited categories of personal data. Organisations who use the remaining time to familiarise themselves with the existing data landscape in the Kingdom and who then begin to explore and/or implement legal and technical solutions, like data classification, will put themselves into a position of managing more effectively the risks that data sovereignty could impose in the future, in the Kingdom and beyond.
Dale Waterman Managing Director, Middle East & North Africa
Breakwater Solutions, Dubai
1. Available at: https://laws.boe.gov.sa/BoeLaws/Laws/LawDetails/b7cfae89-828e-4994-b167-adaa00e37188/1 (only available in Arabic)
2. Available at: https://www.dataguidance.com/opinion/saudi-arabia-data-residency-under-pdpl-part-1
3. Available at: https://www.dataguidance.com/legal-research/essential-cybersecurity-controls
4. Available at: https://www.dataguidance.com/legal-research/cloud-computing-regulatory-framework-0
5. Available at: https://www.dataguidance.com/legal-research/outsourcing-regulation-insurance-and
6. Available at: https://www.dataguidance.com/legal-research/national-data-governance-interim-regulations