The Personal Data Protection Law (PDPL) in Saudi Arabia aims to safeguard individuals’ privacy and hold banks accountable for processing personal data, according to Ton Diemont, head of Cybersecurity & Data Privacy at KPMG Saudi Arabia.

Compliance with the PDPL is crucial for banks and financial entities to avoid reputational damage and severe penalties outlined in the Banking Perspective 2023 report. The PDPL, which resembles global best practice data protection laws like the EU’s GDPR, is now in effect from September 14, 2023, with the enforcement deadline set for September 14, 2024. It applies to all entities processing personal data in the Kingdom and requires compliance with principles of consent, transparency, lawfulness, and purpose limitation.

While most companies can easily comply, certain sectors handling large amounts of personal data will face more significant impact. The banking and financial services industry will need to enhance internal controls, set new policies, and ensure security, accuracy, and confidentiality of personal data. Compliance obligations include appointing a data protection officer, conducting impact assessments, reporting breaches, and obtaining consent for cross-border data transfers.

Non-compliance can result in fines of up to SR3 million ($800,000) or imprisonment, and the Saudi Central Bank (SAMA) may suspend or retract banking licenses in persistent cases. The Ministry of Commerce is expected to handle non-compliance claims and establish an official reporting and complaint handling process.