Update on Saudi Arabia's cross border data transfers: understanding the New Risk Assessment Guidelines

  • Legal Development, 18 March 2025
  • Middle East
  • Corporate & Advisory - Technology Risk
  • Data Protection & Privacy

In February 2025, the Saudi Data & AI Authority (SDAIA) introduced a Risk Assessment Guideline for transferring personal data outside the Kingdom of Saudi Arabia (KSA). The guideline provides businesses with a structured methodology for assessing risks and implementing safeguards so that cross-border personal data transfers comply with the Personal Data Protection Law (PDPL), its Implementing Regulations and the Regulation on Personal Data Transfer Outside the Kingdom (Transfer Regulations). While the guideline itself is not legally binding, it serves as an essential reference for businesses seeking to align their data transfer strategies with regulatory expectations.

Why the New Risk Assessment Guidelines matter

Cross-border data flows have become a fundamental part of modern business, and questions about personal data transfers remain a key concern for clients.

The PDPL and Transfer Regulations streamline cross-border data transfer mechanisms to align them with international standards, such as the EU General Data Protection Regulation (GDPR). They generally follow an adequacy system, whereby personal data may be transferred outside the KSA to countries that SDAIA has evaluated as providing an appropriate level of data protection. However, the adequacy list has not yet been issued. Until the adequacy list is available, or where transfers are made to countries that SDAIA has not included in the list once it is published, organisations are required to implement appropriate safeguards, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), when transferring personal data.

In addition, the Transfer Regulations require businesses to conduct a risk assessment before transferring or disclosing personal data outside the KSA in the following cases:

  1. Where they rely on safeguards to conduct the cross-border data transfer operations; or
  2. Where they transfer or disclose sensitive data (any personal data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or genetic data for the purpose of identifying the person, health data or data that indicates that one or both of the individual’s parents are unknown) outside the KSA on a continuous or widespread basis.

The Risk Assessment Guideline helps businesses meet this obligation by introducing a step-by-step risk assessment framework that allows them to identify, assess and mitigate risks before proceeding with data transfers.

What a data transfer risk assessment entails

The minimum elements

The Data Transfer Regulations set out minimum elements for data transfer risk assessments, including:

  1. The purpose and legal basis for the cross-border transfer,
  2. The description of the activities involved,
  3. The safeguards being implemented,
  4. The measures put in place to comply with the data minimisation principle,
  5. The potential risks of the activities, and
  6. The remediation measures applied to mitigate the risks identified.

The four phases

The Risk Assessment Guideline outlines a four-phase approach to conducting a data transfer risk assessment, which covers the required elements as follows:

  1. Preparation phase: Businesses should first determine whether a risk assessment is necessary by assessing the data flow against the triggering events set out above. This phase involves defining the purpose of data collection, aligning it with business operations and mapping the data journey to track how personal data is collected, stored, accessed and deleted.
  2. Risk identification and mitigation: Businesses must then assess potential risks in the operation and implement necessary safeguards to address the risks identified before proceeding with data transfers.
  3. Data transfer and compliance evaluation: Next, businesses must consider the nature of the transfer (e.g. remote access, storage abroad or disclosure to foreign entities), ensure the receiving entity complies with the PDPL and its Implementing Regulations, and confirm the adequacy of the security measures in place.
  4. National interest considerations: Saudi regulators require that data transfers do not compromise national security, economic stability or public interest. Therefore, businesses must also assess the impact of the transfer on Saudi citizens, businesses and the broader economy while ensuring sufficient security measures are in place to protect the personal data during transfers.

It is worth noting that the triggers, minimum requirements and procedures for transfer risk assessments are distinct from those set out for data processing impact assessments (DPIAs) under the PDPL and its regulations.

SDAIA has provided supporting tools on its online platform to streamline the process of conducting data transfer risk assessments.

What should companies do next?

Navigating personal data exports out of the KSA can be challenging, as businesses must not only assess risks but also develop legally compliant mechanisms and defensible strategies to protect themselves from potential penalties and reputational harm.

Organisations should therefore consider taking the following actions in light of the publication of the Risk Assessment Guideline:

  1. Map out data flows to identify cross-border operations.
  2. Ensure that data transfer mechanisms comply with the PDPL, Data Transfer Regulations and incorporate the appropriate safeguards.
  3. Identify if any data exports trigger the requirement to conduct transfer risk assessments.
  4. Review, and where necessary update, data transfer procedures to align them with the Risk Assessment Guideline.
  5. Develop and implement a transfer risk assessment template that complies with the PDPL, Data Transfer Regulations, and the Risk Assessment Guideline.
  6. Provide staff and, where necessary, supplier training on the PDPL and its Implementing Regulations to ensure compliance across all levels of the organisation.

If you would like to discuss how we can proactively assist you in managing risk and ensuring compliance with the latest regulatory developments, please contact Lamisse Bajunaid.

Our dedicated Doing Business in Saudi Arabia Hub helps businesses stay informed and understand the latest developments and opportunities.
