The guidelines specify the requirements for data controllers to conduct risk assessments related to the transfer or disclosure of personal data outside the Kingdom.

By Brian Meenagh, Calum Docherty, Faisal Imam,* and Ksenia Koroleva

The Saudi Data & Artificial Intelligence Authority (SDAIA) has released non-binding guidelines for assessing risks when transferring or disclosing personal data outside the Kingdom (the Guidelines). The Guidelines supplement the updated Regulations on Personal Data Transfer Outside the Kingdom (the Regulations), which were released in August 2024 in accordance with the Personal Data Protection Law (PDPL).

Similar to requirements in the UK and the EU, the Regulations require controllers to conduct risk assessments when relying on appropriate safeguards (such as the standard contractual clauses that the SDAIA issued in September 2024) as the basis for transferring personal data to third countries not covered by an adequacy decision. (As of the date of writing, SDAIA has not yet published an adequate country list.) The Regulations also require transfer risk assessments to be conducted for international transfers of sensitive personal data on a continuous or large-scale basis, even with an adequacy decision in place.

Stages of Conducting a Risk Assessment

The Guidelines set out four phases of conducting risk assessments. The first two phases require the controller to consider and assess the risk of the processing separate from the transfer. The last two phases deal with assessing the risk of the transfer itself.

The four phases are:

  1. Preparation: This phase involves assessing whether the processing requires a data protection impact assessment to be conducted (e.g., if it involves sensitive data, data collected from multiple sources, or automated decision making). For all data processing — whether or not a data protection impact assessment is required — the Guidelines require the controller to describe the full spectrum of the processing cycle from collection to use, retention, and finally destruction of the personal data.
  2. Negative Impacts/Potential Risks of Processing: This phase involves assessing the potential risks and negative impacts to data subjects from each stage of the processing cycle and identifying suitable administrative, technical, and physical controls to mitigate the risks and their impact on data subjects.
  3. Assessing Risks Relating to the Transfer: In assessing the risks of the transfer, the Guidelines require controllers to consider: (1) the types of personal data to be transferred, the categories of data subjects, and the frequency of the transfers; (2) whether the data recipient complies with the provisions of the PDPL and Regulations, specifically those related to disclosure, transit, and subsequent transfer; and (3) the standards and technical measures the data recipient implements to ensure data security, their effectiveness in mitigating the risks to the data subject, and any additional risk mitigation measures that need to be implemented.
  4. Assessing the Implications of the Transfer on the Vital Interests of the Kingdom: This phase requires controllers to consider factors similar to those in (3) above to determine whether the transfer will cause any prejudice to the national security or vital interests of the Kingdom.

Controllers should then implement measures to mitigate, prevent, and reduce the risks identified. The Guidelines note that if an evaluation following mitigation measures indicates high levels of risk and irreversible impacts in the near term to the interests of data subjects or to the vital interests of the Kingdom, the controller should explore alternative methods. Such methods may involve reassessing the necessity of the processing activity in its current form, considering its elimination or modification, or adopting more efficient and effective risk mitigation measures.

Comparing the Guidelines With the UK and EU Regimes

The broad requirement to conduct a data transfer risk assessment when relying on certain data transfer mechanisms (such as standard contractual clauses) applies under the Saudi Arabia, EU, and UK data protection regimes. Similar to the guidance on transfer risk assessments issued by the UK Information Commissioner’s Office (ICO) and the European Data Protection Board (EDPB), the Guidelines require the data exporter to assess whether the transfer mechanism provides appropriate safeguards and effective and enforceable data subject rights.

However, the Guidelines are less prescriptive than the ICO and EDPB guidance on the conduct and content of transfer risk assessments. In particular, the Guidelines do not explicitly require controllers to consider the equivalence of the laws and practices of the third country in relation to the protection of personal data — including what access public authorities in the third country have to transferred personal data — a point that the EDPB focuses on. Controllers may therefore have more flexibility in the structure and nature of their transfer impact assessments for data exports from the Kingdom, as compared to the assessments required for exports from the EU in particular. That said, the Guidelines apply in addition to the provisions of the PDPL, which mandates that data transfers must not compromise national security or the vital interests of the Kingdom, requiring controllers to consider whether transfers to a particular country could raise concerns from the perspectives of the broader regulatory framework.

Implication for Data Controllers

Controllers must now conduct risk assessments prior to transferring personal data outside the Kingdom, taking into account the factors set out in the Guidelines. Controllers who are subject to the UK and/or EU General Data Protection Regulation can likely leverage any existing risk assessment templates and processes when conducting risk assessments under the Regulations, although certain amendments will be required, such as including an assessment of any risks relating to the national security or vital interests of the Kingdom.

* Admitted to practice in England & Wales only.

This blog post was prepared with the assistance of Bukky Lawal and Oluyinka Ogboye.