Saudi Arabia’s New Personal Data Protection Law - Revinate

Following a series of global data protection laws, Saudi Arabia approved the Personal Data Protection Law (PDPL) in September 2021. The law will go into effect March 23rd, 2022, giving data controllers a transition period to achieve compliance. 

According to the Saudi Data & Artificial Intelligence Authority (SDAIA), which has been designated the authority responsible for supervising and enforcing implementation of the law, PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent the abuse of personal data. The release of this law brings Saudi Arabia into alignment with the data restrictions that are going into effect around the globe, though the penalties associated with PDPL do stand out from the rest.

The law is structured much like GDPR in that it applies to the processing of personal data that:

  • Takes place in the Kingdom of Saudi Arabia; or
  • Relates to the personal data of residents of the Kingdom by companies located outside of the Kingdom

Below is an overview of the main aspects of the PDPL:

  1. Obtaining consent from individuals is the main basis upon which controllers will be able to process personal data. 
  2. Businesses must share a data privacy policy that details the processing of their personal data and features the purpose for which the data is collected. 
  3. Businesses are also obliged to destroy data “if it becomes clear that it is no longer necessary for achieving the purpose of its collection.”
  4. Businesses are required to notify the supervising authority should data breaches, leakages or unauthorised access to personal data take place. Data subjects must also be notified of incidents that cause them material harm.
  5. Personal data owners themselves (Saudi residents) have a right to be informed of: 
    1. The practical justification for collecting their personal data
    2. The purpose for collecting their personal data
    3. The right to access the data collected
    4. The right to request correction, completion or updating of their personal data
    5. The right to request destruction of their data

Penalties for non-compliance include:

  1. Disclosure or publication of sensitive data contrary to PDPL may result in penalties of imprisonment for up to 2 years or a fine of up to SAR 3,000,000 ($800,000 US) 
  2. Violation of the data transfer provisions could result in imprisonment for up to one year and a fine of up to SAR 1,000,000 ($266,600 US) 
  3. In respect of all other provisions of the PDPL, the penalties are limited to a warning notice or a fine of up to SAR 5,000,000 ($1,333,000 US) 
  4. Fines can be increased up to double the maximums for repeat offences 
  5. Parties affected by non-compliance may be able to seek compensation

What this means for hoteliers: 

This law is a continuation of the growing global concern regarding data privacy and protection. The transition timeline allows for 18 months of preparation from when the law was passed. 

If you operate in Saudi Arabia or have personal data from Saudi residents, these new requirements apply to your hotel(s). 

As is standard for global data privacy policies, there are three roles that are assigned data management responsibility and it’s important to understand the definition of each: 

  1. Data controller: The entity that determines the purpose and method of processing personal data → This is the hotel, group, or brand. 
  2. Data processor: The entity that processes personal data on behalf of the data controller. Often vendors and contractors for hotels → This is where Revinate and other platforms come into play
  3. Data subprocessor: The entity that processes personal data on behalf of the processor in order for them to complete their work → In Revinate’s case, this is SendGrid

For hotel marketers, a big portion of aligning to this new law means prioritizing 3 categories of consent and ensuring you employ data platforms that support them:

  1. Opt-in: When you collect data, ensure that your processes include opportunities for contacts to actively opt in to the collection of the data and, specifically, the ways in which you intend to use it. Individuals must have clarity into why they need to submit data and what they can expect in return. Your hotel should keep proof of how, when, and what your travelers are opting into to prevent any issues here. Leveraging a double opt-in via email confirmation is a trusted and proven method for capturing proof of consent. You can read more about Revinate’s double opt-in automation functionality here. While ensuring opt-ins exist at all collection points may raise concerns about limiting your data collection, the reality is that the quality and engagement of your list far outweigh the size of it. Regardless of data protection laws, there is more value to you in setting expectations with your contacts upfront to ensure they are receptive to your marketing efforts that follow.
  2. Access: The data you collect needs to be accessible to your contacts by request. They must be able to view, update, restrict or remove their data so having a process for your contacts to make these requests and ensuring you can act on them wherever your data is stored is important going forward. As a Revinate user, you can export and download your guest data from within the Marketing application. 
  3. Erasure: All contacts should have a clear and simple way to request any and/or all of their data be removed from campaigns and also from the database entirely. In this scenario, data must be removed from all systems and at all of the data processor levels (including processor and subprocessor systems).

As a Revinate user, you can easily remove contact data from within the Marketing application. 

Outside of ensuring you have the proper levels of consent baked into your contact collection processes, we recommend: 

  1. Reviewing/updating your privacy policy and ensuring it’s widely available to your audience
  2. Ensuring you have proof of consent for all Saudi residents

You can do so by identifying these contacts and delivering an updated double opt-in campaign to them, or by delivering a double opt-in campaign to all contacts that have not previously completed the process. Within this campaign we recommend you:

  • Include your privacy policy
  • Clearly communicate that you are requesting their consent, what data you have, and what the data will be used for
  • Feature a clear unsubscribe link
  • Feature an offer so there is added value for contacts to subscribe

Within Revinate, you can leverage our qualification campaigns to build out your double opt-in campaign, build a custom double opt-in landing page, and automate the process on your behalf. As a result, you will have a double opt-in segment created within your account so that you can identify contacts who have completed your double opt-in consent process. Read more about qualification campaigns here.

In addition to running a double opt-in campaign, you should ensure that your confirmation, modification, and cancelation emails include an opt-in message and subscription link as well as links to unsubscribe from further communications. 

Privacy Changes Moving Forward

Revinate takes privacy seriously and will continue to take steps to ensure the privacy of personal data that we handle. Although the main focus of PDPL is to protect Saudi residents, we will continue to ensure our efforts are spent protecting PII of all citizens (just as we have following the release of GDPR and China’s PIPL).

As regulations and technology changes continue to raise the bar on privacy, marketers will have to evolve. And as these and other privacy changes continue to shape how you interact with guests and prospects, Revinate will continue to focus on solutions to respond effectively and enable you to continue to create effective, relevant, and personalized marketing communications.