KPMG: Financial entities to face penalties for violation of Saudi Personal Data Protection Law

  • 6/20/2023

Saudi Arabia’s Personal Data Protection Law (PDPL) will help protect the privacy of individuals and ensure that banks processing personal data are held accountable through a system of severe penalties, said Ton Diemont, head of Cybersecurity & Data Privacy at KPMG Saudi Arabia. More importantly, any bank or financial entity that breaches the PDPL’s rules on the collection, use, transfer, or storage of personal data, whether intentionally or not, risks reputational damage, he stated in the Banking Perspective 2023 report.

The PDPL has been enacted and takes effect on Sept. 14, 2023; after a one-year compliance grace period, enforcement begins on Sept. 14, 2024. The law regulates the processing of personal data and applies to any entity that processes the personal data of individuals within the Kingdom. It is the first comprehensive, generally applicable data protection law in Saudi Arabia and shares similarities with leading data protection laws from around the world, such as the EU’s General Data Protection Regulation. Because it is based on broad principles covering consent, transparency, lawfulness, and purpose limitation, the PDPL is straightforward for most companies to comply with. However, sectors that provide services requiring the frequent handling of large volumes of personal data will find that the PDPL has a greater impact. For the banking and financial services industry, compliance will bring additional requirements, a need for tighter internal controls, and new policies and protocols. While most requirements are administrative in nature, the PDPL does impose general obligations on data controllers to ensure the security, accuracy, and confidentiality of personal data, and these obligations extend to the IT infrastructure, systems, and policy layers of the organisation.

Further, the PDPL requires data controllers to obtain consent from data subjects before processing their personal data unless an exception applies. It also requires companies to meet various obligations, such as appointing a data protection officer, conducting data protection impact assessments, notifying data breaches, and obtaining prior approval for cross-border data transfers. The additional burden on an individual company will depend on its size and the current sophistication of its data handling operations, stated Diemont. For the banking industry the impact in this regard is likely to be minimal; however, there will be a need for a degree of on-the-job training, along with the modification or upgrading of legacy systems to ensure compliance.

Banks, financial institutions, and companies that fail to comply fully with the PDPL could receive a fine of up to SR3 million ($800,000) or imprisonment for up to two years. In exceptional circumstances, or where an entity persistently fails to comply, the Saudi Central Bank (SAMA) may suspend or revoke banking licenses. As with any new law of this kind, there will be a period of ‘bedding in’ during which rules are assimilated, adjustments are made, and definitions are refined. “It is not yet clear how claims of non-compliance regarding personal data protection will be made and dealt with; however, it is likely that citizens will be directed to the Ministry of Commerce and an official reporting and complaint handling process will be established over time,” Diemont concluded.
