Personal Data Protection in the Kingdom of Saudi Arabia, EU and UK GDPR: A Comparative Study

Abstract

The Saudi Personal Data Protection policy is relatively new. It has been into effect on 15/09/2021. Then it has been revised on 30/03/2023. The purpose of this study is to shed light on the Saudi policy of personal data protection. By conducting a comparison between the Saudi Personal Data Protection policy with the European and British General Data Protection Regulations (GDPR), this paper aims to illustrate what are there in place in the European policies not yet in the Saudi. This will help identify the gabs in the Saudi policy and how those gabs are to be addressed. This makes the Saudi policy always proactive as it is going to be in alignment with scientific and technological progresses and advances. This paper undertook a literature review and visited policy and guidance documents by the relevant Saudi governmental agencies. Findings show that there are some points the Saudi Personal Data Protection does not cover such as Privacy by design and privacy impact assessment. In addition, since personal data protection and cybersecurity are new to the Kingdom of Saudi Arabia, most organizations perform without relevant policies and without hiring a dedicated personal data protection officer.  This paper highlights these points and their vital role in compliance and risks management. This paper recommends considering Privacy in Design and Default, every organization has to create their own personal data protection policy and hire a dedicated officer for that. This paper also presents the tool of Privacy Impact Assessment to support evaluating personal data protection related matters.