Saudi Arabia: New guidelines on personal data transfer risk assessment published

In brief

On 25 February 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) published a new set of comprehensive guidelines aimed at ensuring the protection of personal data when transferred or disclosed to entities outside the Kingdom. These guidelines, which are intended for reference purposes and are not binding, provide a systematic approach for organizations to assess and mitigate potential risks associated with such data transfers, ensuring compliance with the Saudi Personal Data Protection Law (PDPL) and its Regulations.


In more detail

What are the different phases of the risk assessment to be conducted?

The guidelines set out four phases for the conduct of a comprehensive risk assessment:

  1. Preparation phase. This phase involves initial preparatory steps to determine whether the assessment is required, provide a detailed description of the service or product involving personal data processing to determine its alignment with the entity's activities, and clearly identify the purpose of data collection and describe the context of personal data processing.
  2. Assessing negative impacts and potential risks. This phase involves assessing the potential negative impacts and risks arising from personal data processing: (i) linking elements of negative impact and risk assessment; (ii) analyzing activities and evaluating the adequacy of measures implemented to ensure compliance with the Law and its Regulations; and (iii) identifying and implementing suitable controls and measures to prevent risks, minimize their likelihood, or mitigate their impact when they occur.
  3. Risk assessment for data transfer or disclosure to entities outside the Kingdom. This phase involves the steps required to assess the risks of transferring or disclosing personal data to entities outside the Kingdom. Controllers have to take into account the nature of the transfer or disclosure, the entities receiving the transferred personal data and their compliance with the provisions of the Law and the Regulations and their implementation of standards, and adequate measures to reduce negative impacts and potential risks.
  4. Guidelines for identifying factors related to the analysis of implications for the vital interests of the Kingdom. This phase provides guidelines for identifying any potential implications of personal data transfers or disclosures for the Kingdom's vital interests. The elements to be considered are the scope of the processing; the impact resulting from the transfer or disclosure of the data, in particular whether it affects only the data subjects or reaches society at large; and the adequacy of the measures taken to prevent or mitigate risks.

After completing all of the above steps, if the evaluation still indicates high levels of risk and irreversible impacts on the interests of individuals or the community, the controller should explore alternative methods. This may involve reassessing the need for the processing activity, considering its elimination or modification, or adopting more efficient and effective measures.

How does SDAIA's approach differ from equivalent international guidelines or best practice?

For the most part, the new guidelines reflect good international practices for the assessment of data transfer risks and impact. However, there are some key differences with approaches that multinationals may take under international laws such as the EU General Data Protection Regulation (GDPR), particularly in their focus and requirements.

While both the SDAIA guidelines and the standard GDPR approach aim to ensure the protection of personal data transferred outside their respective jurisdictions, the SDAIA guidelines primarily focus on a comprehensive risk assessment and mitigation process mainly centered on data exporters' processing activities, with some consideration of data importers' implementation of appropriate measures. In contrast, the European approach post-Schrems places more emphasis on the legislation and practices of the third country and their impact on the specific transfer tools and supplementary measures adopted by the data importers.

The fourth phase in the SDAIA guidelines – focusing on prospective harm to the national interests of Saudi Arabia – is also less obvious under the European approach, where GDPR places more emphasis on the rights of individuals.

What should Saudi data controllers do next?

  • Mandatory risk assessments: companies must conduct thorough risk assessments before transferring or disclosing personal data outside the Kingdom (as required by Article 7 of the Data Transfer Regulations). This includes evaluating potential risks and impacts based on specific conditions such as processing sensitive data or large-scale data processing, and the stepped plan in the new guidelines will provide a sensible methodology for this assessment.
  • Detailed documentation: companies should provide detailed descriptions of their services or products involving personal data processing, clearly define the purpose of data processing activities, and describe the context of personal data processing, including collection, storage, usage, disclosure, and destruction activities.
  • Recipient's compliance with regulations: it is crucial for companies to ensure that entities receiving personal data comply with the provisions of the Law and its Regulations. This includes verifying the adequacy of standards and technical measures implemented by these entities to ensure data security.
  • Mitigation measures: companies must implement suitable administrative, technical, and physical controls to prevent risks, minimize their likelihood, or mitigate their impact when they occur. This involves regularly reviewing and updating data transfer practices to address emerging risks.
  • Impact on vital interests of the Kingdom: companies should consider the implications of data transfer or disclosure on the Kingdom's vital interests, evaluating the scope of processing, the impact on data subjects and society, and the adequacy of measures to prevent or mitigate risks.
  • Alternative methods: if high levels of risk and irreversible impacts are still indicated after all the evaluations above and the implementation of mitigation measures, controllers should explore alternative methods, such as reassessing the necessity of the processing activity or adopting more efficient and effective measures.

* * * * *

To speak to us or for any assistance in relation to Saudi Arabia's new guidelines on personal data or any data and technology-related matters, or issues generally, please feel free to contact one of the Baker McKenzie team members listed above.

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. 
Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.