Cybersecurity Requirements Under PDPIR, PDPL and ECC in Saudi Arabia in 2022
The new Personal Data Protection Law (PDPL) expands the cybersecurity duties imposed under the Personal Data Protection Interim Regulations (PDPIR) and the Essential Cybersecurity Controls (ECC).
Personal Data Protection Interim Regulations (PDPIR)
Today, the Personal Data Protection Interim Regulations (PDPIR) set the legal basis for protection of rights of individuals in relation to processing of their personal data by all entities in the Kingdom of Saudi Arabia (KSA).
The regulations set 10 foundational Data Protection Principles designed to implement a comprehensive privacy management framework, including Data Security (Principle 8) and Monitoring and Compliance (Principle 10).
The PDPIR apply to all entities in the KSA that process personal data in whole or in part, as well as to all entities outside the Kingdom that process personal data of individuals residing in the Kingdom by any means, including online personal data processing.
Personal Data Protection Law (PDPL)
On September 24, 2021, Royal Decree M/19 of 9/2/1443H triggered implementation of the Personal Data Protection Law (PDPL) in the Kingdom, designed to complement and enhance the existing PDPIR privacy regime briefly described above.
The new law becomes effective on March 23, 2022, and will be provisionally supervised by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) that may later transfer the regulatory and enforcement roles to the National Data Management Office (NDMO). Once effective, data controllers will have one year to fully implement the PDPL’s requirements that may also be supplemented by additional regulations to be published by March.
Like many modern data protection and privacy laws, the PDPL applies extraterritorially, meaning that foreign companies that process personal data of KSA residents must comply with it as well. Data subjects will enjoy a broad spectrum of individual rights to control how their personal data is used and processed. The new legislation contains many elements similar to the European GDPR; however, it also has a considerable number of distinctive features that organizations should carefully consider.
First, the lawful basis for data collection and processing is significantly narrower, stemming mostly from properly obtained consent of the data subject. There is no concept of a “legitimate interest” of the data controller that would legitimize data processing without consent. Second, there are strict data localization requirements under the PDPL, meaning that personal data of KSA residents must be physically stored within the Kingdom, with a few limited exceptions, for instance, when required by law or when a transfer is required under extreme necessity to prevent serious bodily injury or death.
Under the PDPL, special attention is given to the protection of health and financial data of data subjects. Finally, data controllers must pay a fee to register with the SDAIA and keep auditable Records of Processing Activities (ROPA). The PDPL also introduces some unique particularities into the body of privacy law; for example, it is expressly prohibited to make photocopies of ID documents, such as passports.
Administrative penalties for PDPL violations may go up to 5 million SAR (approx. 1.3 million USD), while serious violations may be criminally prosecuted and carry a prison sentence of up to 2 years.
Any financial proceeds gained from unlawful data processing may also be confiscated. Importantly, data subjects will also have the right to claim compensation for any material or moral damage stemming from misuse or mishandling of their personal data.
Essential Cybersecurity Controls (ECC)
But the PDPIR and PDPL are far from being the only pieces of legislation that affect the data management and cybersecurity strategies of enterprises and organizations doing business in the flourishing Kingdom.
In 2018, the National Cybersecurity Authority (NCA) released the Essential Cybersecurity Controls (ECC) to establish the minimum cybersecurity requirements in the KSA. The ECC are composed of 114 specific technical controls organized into 5 interrelated domains:
- Cybersecurity Governance
- Cybersecurity Defense
- Cybersecurity Resilience
- Third-Party and Cloud Computing Cybersecurity
- Industrial Control Systems Cybersecurity
All KSA entities and organizations must implement all necessary measures to ensure continuous compliance with the ECC, as per item 3 of Article 10 of the NCA’s mandate and as per Royal Decree number 57231 of 10/11/1439H.
The ECC security controls resemble PCI DSS in being specific and fairly detailed. For example, Control 2-1 (“Asset Management”) requires organizations to maintain an accurate and detailed inventory of information and technology assets. Controls 2-10 (“Vulnerabilities Management”) and 2-11 (“Penetration Testing”) prescribe the creation of a comprehensive vulnerability management program and the regular performance of penetration testing.
Furthermore, Control 2-13 (“Cybersecurity Incident and Threat Management”) requires organizations to ensure timely identification, detection, effective management and handling of security incidents and threats, in order to prevent or at least minimize negative impact on the organization’s operations, taking into consideration Royal Decree number 37140 of 14/8/1438H.
Supply chain security is specifically addressed by Control 4-1 (“Third-Party Cybersecurity”), which requires robust protection of data and assets against cyber risks and threats related to third parties, including outsourcing and managed services, as per organizational policies and procedures.
Putting It All Together
All local and foreign companies having a presence or doing business in the Kingdom of Saudi Arabia should consider implementing comprehensive cybersecurity and privacy programs as soon as practical.
Comprehensive visibility and continuous mapping of your IT assets and data, located both on premises and in cloud environments, are indispensable for complying with the cybersecurity requirements created by the Kingdom’s legislative and regulatory frameworks. Regular security auditing, vulnerability scanning, penetration testing, continuous security monitoring and a Third-Party Risk Management (TPRM) program are also necessary to protect your organization and the personal data it handles, as required by KSA law and regulations.
At ImmuniWeb, we help companies comply with the above-mentioned security controls and requirements, covering over 18 use cases related to cybersecurity, data protection and privacy requirements in a cost-efficient and simple manner.