Data Protection and Privacy 2025

SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company

litigation remains an emerging aspect of the PDPL’s development.

2.3 Collective Redress Mechanisms

Currently, KSA does not have formal collective redress mechanisms for privacy-related violations, such as the class action system seen in some EU jurisdictions. The PDPL, which came into force in 2023, provides a robust framework for individual data protection, but does not currently include provisions for collective actions or class actions for data privacy violations.

3. Data Regulation on IoT Providers, Data Holders and Data Processing Services

3.1 Objectives and Scope of Data Regulation

The PDPL seeks to regulate the collection, processing and storage of personal data in KSA, ensuring data privacy and security. This applies to all personal data, including data generated by Internet of Things (IoT) services. The NCA’s Cybersecurity Guidelines for Internet of Things (the “IoT Guidelines”) define IoT as the sensors and devices (“things”) connected to the internet and/or other networks that create value from the data they exchange, for example by simplifying job functions.

The IoT Guidelines aim to provide a comprehensive framework for organisations utilising IoT technologies to mitigate cybersecurity risks. The primary objective is to ensure that IoT systems are secure, resilient and compliant with relevant laws and regulations. These guidelines are designed to address the growing cybersecurity threats associated with the widespread adoption of IoT devices and services, which are increasingly integrated into critical sectors such as healthcare, smart cities and transportation. By establishing best practices across four main domains – cybersecurity governance, cybersecurity defence, cybersecurity resilience, and third-party and cloud computing cybersecurity – the guidelines seek to enhance the overall security posture of IoT ecosystems.

The IoT Guidelines apply to all organisations in KSA that use IoT technologies, as well as to IoT manufacturers developing products and services. The guidelines are not mandatory, but they are strongly recommended as a means of minimising cybersecurity risk. They emphasise the importance of embedding cybersecurity into the governance, development, maintenance and management of IoT systems. The IoT Guidelines also encourage IoT manufacturers to adopt secure-by-design principles and to provide consumers with transparent information about the cybersecurity features of their products. This dual focus on both users and manufacturers ensures a holistic approach to IoT cybersecurity.

Data holders – such as organisations that collect, store and process data through IoT devices – are obligated to implement robust cybersecurity measures to protect the confidentiality, integrity and availability of data. This includes maintaining an accurate inventory of IoT assets, enforcing strong identity and access management, and conducting regular vulnerability assessments and penetration testing. Data holders must also ensure compliance with national laws and regulations, such as the PDPL, and adopt privacy policies that inform data subjects about how their data is collected, used and protected. Additionally, data holders are required to establish incident response plans and to ensure business continuity in the event of a cybersecurity breach.
