Saudi Arabia's new privacy regulations are a sign of things to come in the GCC
Saudi Arabia has announced the introduction of a 1m SAR (Saudi Riyal) fine for e-commerce businesses that fail in their duty to protect their customers' data or to respect their right to privacy.
On 31 January 2020, Saudi Arabia's Ministry of Commerce and Investment issued the Executive Regulations to the E-Commerce Law (Royal Decree No. M/126 dated 10 July 2019). These have now been published and affect any e-commerce firm selling to Saudi consumers.
The regulations stipulate that e-commerce firms must take a range of actions designed to protect Saudi consumers. Affected businesses must:
- Put in place measures to protect consumer personal data
- Put in place a procedure to deal with consumer complaints
- Add information to the Terms and Conditions
- Add details to the invoice
- Allow consumers to unsubscribe from electronic advertisements
- Register on the Ministry's commercial register (mandatory only for KSA-registered entities)
We're going to focus on the first point because it reads very much like a distillation of the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The regulations provide the following definition of consumer personal data: "any data – of whatever source or form – that identifies or is identifiable to a specific consumer". This includes names, ID numbers, addresses, contact details, registration documents, bank and credit card information, photographs, videos and more.
Four mandatory measures have been laid out for e-commerce businesses to comply with the first point:
- Applying technical, administrative and organisational measures which are proportionate to the nature of the data
- Not keeping personal data unless it is needed to fulfil the service provider's obligations
- Not using the personal data for other purposes, such as advertising or marketing, without obtaining explicit consent from the consumer
- If the consumer's personal data is hacked, notifying the Ministry within three (3) days from the date the service provider is made aware of the hack
"Consent" is a term you'll have seen widely across tens of thousands of websites after the GDPR came into force, but it previously applied specifically to citizens or residents of the EU. Because a website usually cannot tell where a visitor is located, many sites found it safer to apply these consent rules to everyone rather than risk failing to identify a visitor or customer as an EU citizen or resident and storing their data unlawfully. Under the new Saudi regulations, businesses must obtain a clear opt-in if they want to use customer data for marketing purposes.
It is inevitable that the principles behind these regulations will spill over quickly to other business sectors and countries within the GCC. Your business should be ready for this.
The measures listed affect all parts of your business where customer data is concerned. Your Finance, IT, Sales, Marketing, Legal and Information Security functions will all need to work together to ensure the correct processes and measures are put in place. Smaller companies without these distinct functions are not exempt, however.
If you can’t answer yes to all these questions, it’s time to take a step back and review your business practices.
- Do you know all the data your business collects and where it resides?
- Can you identify where personally identifiable data resides for a specific customer?
- Do you have a lawful basis on which to continue to hold all your customer data?
- Have you obtained explicit consent from each of your contacts to send them marketing information?
- Have you got a procedure in place to remove all stale data that your business no longer requires? Is this procedure being followed and audited?
- Have you got cybersecurity monitoring in place to ensure that you are alerted if someone attempts to or succeeds in hacking your customers’ personal data?
- Do you have preventative measures to stop your employees downloading and sharing customer data, accidentally or otherwise?
- Are your staff all trained to understand what constitutes personal data?
- Do your staff receive regular training on how to avoid email scams?
- Has your website been analysed by a competent outside party for security compliance?
- Are all the devices holding your customer data (servers, mobiles, PCs) encrypted?
- Is all your physical data including papers and USB drives under lock and key?
- Have you got a list of who has access to what data on which device?
This list is not exhaustive, and it shows that this is not a trivial exercise. Data protection and data privacy are becoming increasingly regulated worldwide, and businesses that are ahead of the curve reduce their operating risk significantly.
The GDPR was despised by many business owners when it first arrived because the short-term costs of compliance seemed prohibitive, as did the potential fines. Two years on, many would agree that the GDPR was great for businesses, improving data hygiene, cybersecurity and, above all, trust.