SDAIA approves rules for licensing accreditation certificates and data review

0 8 2 minutes

The Saudi Data & Artificial Intelligence Authority ( SDAIA ) announced the adoption of regulations governing the licensing of data controllers and processors, as well as auditing and inspection activities related to the processing of personal data. This strategic step aims to enhance compliance with data protection requirements in the Kingdom and establish a comprehensive regulatory framework that ensures adherence to relevant laws and regulations.

A key pillar in the digital economy system

This decision cannot be viewed in isolation from the broader context of Saudi Arabia's accelerated digital transformation, a key component of its Vision 2030. With the increasing reliance on data as the new oil of the digital age, the urgent need for robust regulatory frameworks to protect privacy and enhance the reliability of digital transactions has become paramount. The issuance of these rules complements the legislative environment that began with the Personal Data Protection Law, as the Saudi ), the national authority for data and artificial intelligence, works to bridge regulatory gaps and provide effective oversight and auditing mechanisms.

SDAIA's financial and technical licensing requirements

The new regulations have established strict standards to ensure the quality of services provided. These regulations apply to all entities applying for a license to conduct accreditation, auditing, or inspection activities. Among the most notable financial requirements is the stipulation that the applicant's capital must be at least 10 million Saudi Riyals, reflecting the Authority's desire to restrict these sensitive activities to entities with strong financial standing and operational capabilities.

On the technical and human level, the rules require applicants to have the necessary technical tools, and that the number of evaluation staff working for them should not be less than ten employees with direct contracts, with the requirement that some of them have at least five years of experience in the fields of personal data protection or evaluation work, in addition to the need for them to pass the approved professional courses and tests.

Economic dimensions and boosting digital trust

This new regulation carries significant weight, extending beyond the local level to encompass regional and international impacts. Locally, the presence of accredited auditing bodies contributes to raising the maturity level of both government and private entities in data management, thereby reducing the risks of leaks and breaches. Economically, regulating this sector creates a new market for compliance and auditing services, opening the door to high-quality investments in the technology sector.

Internationally, this measure enhances the Kingdom’s position as a secure environment for data, encouraging global companies and cloud service providers to expand their operations within the Kingdom, reassured by the existence of a clear and transparent regulatory framework that governs the flow and processing of data according to the highest international standards.

Submission mechanisms and operational compliance

The regulations stipulate that the license is valid for three years and is renewable, granting the relevant authority the power to evaluate applications within a period not exceeding 90 working days. The regulations also emphasize integrity and independence requirements, obligating entities to disclose any conflicts of interest, particularly those related to relationships with data controllers or processors, to ensure the impartiality of auditing and certification processes.

Within the framework of data sovereignty, the rules stipulated decisively the need to store data related to the practice of these activities within the Kingdom of Saudi Arabia, in order to ensure that it is subject to national regulations and protected from any external interference, which confirms SDAIA’s to protecting the Kingdom’s national cybersecurity.