
Changes to Personal Data Protection Law in Saudi Arabia – Implications for the Healthcare Sector

In this article, we look at some of the forthcoming changes to the Personal Data Protection Law in KSA and the impact that these may have on businesses operating in the country, with particular focus on the healthcare sector. In anticipating the impact of some of the changes, we will consider what businesses operating in the sector can do now to prepare for compliance and to take advantage of the potential opportunities that lie ahead.

Some welcome amendments have been made to KSA’s Personal Data Protection Law (PDPL). The amendments, which will come into force in September 2023, promise to introduce new concepts that will bring the PDPL closer to the principles of wider international data protection laws, such as those that apply in the EU.

The effect of the changes also potentially presents an opportunity for healthcare sector organisations involved in the transfer of personal data, such as overseas providers of diagnostic/clinical services and telehealth services. Much of the detail, however, will lie in supplementary executive regulations that are yet to be issued.

There is also a one-year grace period for controllers of personal data to achieve compliance, meaning that entities to which the PDPL applies will have until September 2024 to evolve their processes accordingly. The executive regulations are expected to be published prior to the amended law coming into force in 2023.

As the executive regulations are yet to be released, we will publish a further article at that point with a more detailed commentary on what this means for organisations in the healthcare sector. For now, a few take-away points to note include:

    • Cross-border transfers of personal data no longer necessarily require approval of the Saudi Data and Artificial Intelligence Authority (SDAIA, the regulator), where SDAIA has stipulated that the recipient country has an appropriate level of protection, plus in certain other circumstances, including those to be set out in the forthcoming executive regulations. This promises to have a positive impact for businesses, for example on the potential for telehealth providers to establish or expand a service offering in the country.
    • There is a newly introduced legal basis allowing a controller to rely (with a number of exceptions) on a ‘legitimate interests’ exception to process data where it is in the legitimate interest of the controller to do so. Healthcare providers should note, however, that this does not apply to sensitive personal data (i.e. health data). Healthcare sector businesses already operating across borders may well be familiar with the comparable position in wider international law, such as in the EU.
    • There are no longer criminal sanctions for breaching data transfer restrictions, but healthcare providers should note that there remains a criminal offence for the unlawful disclosure or publication of sensitive personal data. For other breaches, there is a potential fine of up to SAR 5,000,000 for a first offence.
    • In terms of controller registration requirements, there is no longer any reference to controllers needing to register their processing activity on an electronic portal, although SDAIA may in the future create a national register if it considers it appropriate to do so.
    • It is expected that detailed provisions relating to matters such as data breaches, the role of data protection officers, etc., will be addressed in the executive regulations when published.

What does this mean for businesses operating in the healthcare sector in KSA?
As the PDPL evolves towards a more flexible international approach to regulating the processing of personal data, those operating in the healthcare sector should, in understanding and assimilating the changes, pay particular attention to the differing treatment of sensitive personal data within the broader class of personal data. The publication of the executive regulations is therefore keenly awaited.

In the meantime, organisations can begin to review the impact of the changes on existing policies and processes, and the practical implications for the existing and future use of information management and technology systems. It will also be useful to undertake a review of existing contracts and any other arrangements that may need to be changed, where they relate to the storage or manipulation of personal data and sensitive personal data and where cross-border transmission may occur.

There is also now an exciting opportunity for organisations to begin to consider the scope for expansion of their business activities and ambitions in the country as a result of these changes.

Our healthcare team would be happy to discuss any of the issues raised in this article and to assist you with any action you may wish to take as a result.
