Are You Dual-Compliant? Why the PDPL Isn't the Only Data Law You Need to Follow in KSA & Egypt
In the rapidly evolving regulatory landscape of the Middle East, organisations operating in the UAE, Saudi Arabia, and Egypt are diligently working to understand and comply with new, comprehensive data protection laws. The UAE's PDPL, Saudi Arabia's PDPL, and Egypt's DPL are rightly receiving significant attention.
However, a dangerous misconception is emerging: the belief that complying with these overarching laws is sufficient. The reality for many sectors, particularly in Saudi Arabia and Egypt, is far more complex. Businesses must achieve "dual-compliance," adhering not only to the general data protection law but also to additional, often stricter, requirements imposed by powerful sectoral regulators.
Ignoring these sector-specific rules isn't just a minor oversight; it's a critical compliance gap that can lead to severe penalties, operational disruptions, and reputational damage.
Let's dive into the specifics for Saudi Arabia and Egypt, where the landscape demands a meticulous, layered approach.
The General Rule vs. The Sectoral Exception
The federal or national data protection law (like the PDPL in KSA or the DPL in Egypt) establishes the baseline. It applies to almost everyone processing personal data. But here's the crucial caveat: many regulators have the authority to impose additional rules for the entities they oversee, especially when data is deemed highly sensitive or critical to national infrastructure.
Saudi Arabia: A Multi-Layered Compliance Challenge
Saudi Arabia's data protection ecosystem is evolving rapidly, with the Saudi Data & AI Authority (SDAIA) leading the charge on the national PDPL. However, critical sectors face an added layer of scrutiny.
1. The Financial Sector: Balancing SDAIA with SAMA
If you're a bank, insurance company, or financial service provider in Saudi Arabia, you effectively answer to two masters when it comes to data:
- SDAIA: Enforces the primary KSA PDPL, dictating core principles like consent, data subject rights, and breach notification.
- Saudi Central Bank (SAMA): Through its robust Cybersecurity Framework and various circulars, SAMA imposes some of the region's strictest data governance rules.
What SAMA Adds Beyond the PDPL:
- Data Classification: SAMA mandates specific, granular classification of financial data, often requiring higher levels of protection than the general PDPL.
- Cloud Outsourcing: Any outsourcing of data processing to cloud providers, especially outside the Kingdom, is heavily scrutinised. SAMA has strict requirements for due diligence, contractual clauses, and risk assessments for third-party service providers.
- Data Residency: While the PDPL allows transfers with safeguards, SAMA often prefers or even mandates data residency within KSA for critical financial data. This can significantly impact cloud strategy.
2. The Healthcare Sector: Heightened Sensitivity and Specific Protections
The KSA PDPL explicitly recognises "health data" as sensitive data, requiring enhanced protections. However, healthcare providers must also contend with the Ministry of Health (MoH) and other health authorities who may issue specific guidelines.
What the Healthcare Sector Needs to Watch For:
- Data Minimisation: Strict adherence to collecting only the health data absolutely necessary for patient care.
- "Need-to-Know" Access: Rigorous access controls ensuring only authorised personnel can view patient records.
- Breach Reporting: While the PDPL has general breach notification rules, healthcare entities may face additional, more urgent reporting requirements to health authorities for medical data breaches.
3. The Tech & AI Sector: Navigating a New Regulatory Frontier
Saudi Arabia is aggressively pursuing its Vision 2030, with AI at its core. If your organisation develops, deploys, or uses AI systems that process personal data, you're not just under the PDPL's umbrella.
What the Tech & AI Sector Needs to Watch For:
- SDAIA's AI Ethics Guidelines: While not yet legally binding in the same way as the PDPL, these guidelines signal the direction of future regulation. They cover principles like fairness, transparency, accountability, and human oversight in AI systems.
- AI Adoption Framework: This framework from SDAIA provides a roadmap for responsible AI deployment, often touching upon data governance, bias mitigation, and privacy-by-design principles for AI. Expect these to become increasingly prescriptive.
Egypt: Where Exemptions and Licenses Dominate
Egypt's Data Protection Law (DPL) is comprehensive, but it has a crucial carve-out that significantly impacts a major sector.
1. The Key Exemption: Financial Services and the Central Bank of Egypt (CBE)
In a critical departure from many other data laws, Egypt's DPL does NOT apply to entities regulated by the Central Bank of Egypt (CBE). Instead, these entities—banks, payment service providers, and certain financial institutions—must comply with:
- Banking Law No. 194 of 2020: This law, along with its executive regulations and various CBE circulars, contains highly stringent provisions on data confidentiality, customer privacy, and the outsourcing of IT and data processing functions.
- CBE's Outsourcing Regulations: These regulations are extremely prescriptive, often dictating data residency, security standards, and contractual requirements for third-party service providers (including cloud providers).
The Impact: Financial institutions in Egypt cannot simply transplant their DPL compliance efforts. They must have a deep understanding of the CBE's specific directives, which can be more restrictive than the general DPL, especially concerning cross-border data transfers and cloud usage.
2. Healthcare and E-commerce: The DPL Applies in Full (and Strictly)
For sectors not explicitly exempted, such as healthcare providers, e-commerce platforms, and marketing agencies, the Egyptian DPL applies in its entirety. This is particularly important due to the DPL's strict stance on:
- Explicit Consent: For any electronic marketing, explicit, affirmative consent is required. There's no "soft opt-in" for existing customers.
- Sensitive Data: Processing health data, genetic data, or biometric data requires explicit written consent, a very high bar.
- Cross-Border Transfers: As we've highlighted previously, any transfer of personal data outside Egypt requires a mandatory license or permit from the Data Protection Centre (PDPC), a process that can be time-consuming and costly.
Your Dual-Compliance Action Plan
To avoid compliance pitfalls and ensure robust data governance, organisations operating in Saudi Arabia and Egypt must:
- Identify Your Regulators: Beyond the national data protection authority, determine which sectoral regulators have jurisdiction over your activities (e.g., SAMA, CBE, MoH).
- Map Data Flows: Understand where personal data is collected, stored, processed, and transferred, paying close attention to cloud services and third-party vendors.
- Conduct a Gap Analysis: Compare your current data protection practices against both the national data law and all relevant sector-specific regulations. Pinpoint areas where additional requirements exist.
- Engage Experts: Work with legal and compliance professionals who have deep expertise in both the general data protection laws and the nuances of specific industry regulations in KSA and Egypt.
- Train Your Teams: Ensure HR, marketing, IT, and legal teams are fully aware of the distinct requirements applicable to their functions within your specific sector.
The era of one-size-fits-all data compliance is over, especially in the sophisticated regulatory environments of Saudi Arabia and Egypt. Embracing a dual-compliance mindset is not just good practice; it's essential for sustainable and secure operations in these dynamic markets.
Contact Formiti for your free consultation.
