The session offered practical strategies for balancing operational simplicity with increasing privacy demands. | Read the Full Webinar Transcript

Big Bucket vs. Granular Retention: Finding the Sweet Spot

Retention schedules are the backbone of HR data retention strategies, helping organizations manage records efficiently and compliantly. Our recent webinar emphasized the enduring value of the “big bucket” approach, which groups records into broad categories with unified retention periods. While granular, data object-level retention may seem ideal, it often leads to:

• Over-retention due to over-complexity, which leads to difficulty understanding obligations.
• Under-retention from misalignment with legal requirements
• Operational inefficiencies and non-compliance risks

The presenters urged organizations to strike a balance (use big buckets for simplicity but add granularity where privacy or legal obligations demand it).

The Deletion vs. Retention Dilemma

Notably, one of the most relatable challenges discussed was the tug-of-war between deletion and retention.

• Privacy advocates push for deletion to minimize data exposure.
• Legal teams require retention for compliance and litigation readiness.
• Risk mitigation teams need access to historical data for business continuity.

Global operations further complicate this balance, with varying retention laws across jurisdictions. The takeaway? Build flexible, jurisdiction-aware policies that accommodate both privacy and operational needs.

Managing Object-Level Data with Technology

Modern HR systems generate highly granular data such as emails, payroll entries, and performance reviews. Managing retention at this level is complex but achievable with:

• Metadata tagging
• Automated classification tools
• Integration with HRIS and ECM platforms

Consequently, these technologies help align granular data with broader retention categories, flag misclassified records, and reduce administrative burden.

HR Record Categories: Tailored Retention Strategies

For the strategies below, there are jurisdictions that are exceptions to these ranges and industries that also fall outside the ranges which highlights why a customized retention schedule is needed.

Recruitment Records

• Non-Hired Candidates: Retain for 6 months to 2 years, depending on jurisdiction.
• Hired Candidates: Records become part of the personnel file, retained for DOE + 5–7 years.

Background Checks

• Non-Hired: Retain for up to 1 year.
• Hired: Retain for DOE + 7 years, with industry-specific exceptions (e.g., aviation, finance).

Personnel Files

• Must be clearly defined per jurisdiction.
• Sensitive records (medical, grievances) should be segregated and protected.
• Common retention: DOE + 5–7 years.

Pension and Benefits

• Retention often driven by final payment + 5–11 years.
• Consider creating a “skeleton record series” with only essential data to avoid over-retention.

Leaves of Absence & Labor Relations

• Leaves: Typically, creation + 2–7 years, with exceptions.
• Labor Relations: Expiration + 7–15 years, driven by dispute resolution needs.

Data Subject Requests (DSRs)

• Retain the request, resolution summary, and logs.
• Copies provided to requesters should be treated as transitory.

Certificates of Destruction: Automation with Accountability

As organizations automate purges based on retention schedules, the webinar stressed the importance of:

• Documenting destruction via Certificates of Destruction (CODs)
• Checking for litigation holds before purging
• Maintaining audit trails for defensibility

Next Steps: Privacy as a Practice

In conclusion, the session closed with actionable advice for improving HR data retention strategies in response to evolving privacy laws and operational needs.

• Review and simplify retention schedules with privacy in mind
• Align triggers with legal and operational needs
• Train teams to understand the balance between retention and deletion
• Monitor global legal developments to stay ahead of compliance changes

Bottom Line: Big bucket retention remains a best practice, but today’s privacy climate demands thoughtful adjustments. By leveraging records management software, defining record categories clearly, and staying legally informed, HR teams can build retention strategies that are both compliant and efficient.

Disclaimer: The purpose of this post is to provide general education on information governance solutions. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Buckets, Benefits, and Boundaries: HR Records in a Growing Privacy Climate appeared first on Zasio.

Strengthening Traditional Protections

Most readers are familiar with the Health Information Portability and Accountability Act (HIPAA), which provides federal protections to patient health information.

HIPAA requires ‘covered entities’ and their ‘business associates’ to follow specific privacy and security rules for electronic patient health data. However, gaps can emerge when this data is sent outside the U.S. or transferred to foreign entities. As a result of these gaps, states have started to take steps to limit where health data can be stored. The U.S. Department of Justice has also recently enacted a rule restricting the transfer of personal health data and other forms of sensitive personal information to certain “countries of concern.”

State Health Data Storage & Transfer Restrictions

In July 2024, Florida amended its Electronic Health Record Exchange Act to prohibit Florida health care providers and their third-party vendors from storing or transferring electronic health information outside the U.S. or Canada. With this amendment, Florida’s law is more stringent than HIPAA with respect to patient data.

In Michigan, a similar piece of legislation is working its way through that state’s legislature. HB4242 requires state licensed health care providers to store medical records, whether physical or virtual, in the U.S. or Canada. The bill specifies that licensees must follow these requirements when they use a medical records company.

In addition, the federal government has also turned its attention to foreign interest in U.S. data, including “bulk” personal health data.

Federal Restrictions on Data Transactions

In December 2024, the Department of Justice issued a final rule (the “Bulk Data Rule”) restricting, and in some cases prohibiting, certain data transactions involving bulk U.S. sensitive personal data with six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. The DOJ began enforcing the rule on July 8.

The Bulk Data Rule blocks these countries from accessing large amounts of personal health data. It also restricts access to biometric, genomic, geolocation, and financial information. It also applies to entities under the control, jurisdiction, ownership, or direction of the six countries of concern. The definition of “bulk” transactions varies between categories of data. For example, human genomic data on over 100 U.S. individuals is considered bulk; for personal health data, the number increases to 10,000.

The Bulk Data Rule includes multiple broad exceptions, making it complex. Nonetheless, the DOJ has been clear in its instructions to U.S. companies to understand the data they hold and how they use it. Accordingly, companies should carefully review their commercial, employment, and vendor agreements to ensure compliance.

Why These New Restrictions Matter

These new rules add to the existing patchwork of U.S. privacy laws. They cover all types of personal data, including health information. As a result, they can create new compliance challenges for companies handling health data in the United States, particularly those using third-party vendors or cloud services. Vendors should also examine new requirements to ensure they’re being followed.

Time will tell whether these new and proposed state and federal restrictions are the beginning of a wave of new regulatory efforts to control foreign access to U.S. health data. Either way, organizations should proactively investigate their records management solution to ensure compliance with existing laws, as well as assess their capacity to respond to any future laws.

Disclaimer: The purpose of this post is to provide general education on information governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Navigating New U.S. Health Data Laws appeared first on Zasio.

This mindset has become outdated. In fact, audio is not just a byproduct of communication. Depending on its content, it could be a primary record that must be governed with the same care as any other business record.

Why Managing Audio Records Is Now a Regulatory Priority

The growing regulation of audio recordings stems from its rising use in business communications and the legal implications tied to privacy and consent. As more conversations occur over voice calls, virtual meetings, and voice-enabled platforms, regulators are stepping in to ensure proper governance of these communications. Meanwhile, privacy laws such as the U.S. Wiretap Act (18 U.S.C. § 2511) and state-level consent laws are placing legal obligations on organizations to obtain proper consent before recording. Furthermore, industries such as finance and healthcare have specific mandates to retain and monitor audio communications for compliance and transparency. This evolving legal landscape emphasizes the importance of treating audio as a regulated business asset.

Why Audio Matters More Than Ever

The rise of remote and hybrid work has also made audio communication more popular than ever. For example, consider these common sources of audio records:

• Meeting Recordings: Platforms like Zoom, Microsoft Teams, and Google Meet automatically generate audio files for recorded meetings.
• Voicemail and Voice Notes: Mobile-first teams often rely on voice messages for quick updates or instructions.
• Podcasts and Webinars: Many organizations produce internal or external audio content that contains strategic insights or training material.
• AI Voice Assistants: Interactions with tools like Alexa for Business or Google Assistant may be logged and stored.

These audio files often contain critical business decisions or compliance-related discussions—making them just as important as written records.

The Challenges of Managing Audio Records

Audio records present unique challenges:

1. Searchability: Unlike text-based documents, audio files are not typically searchable.
2. Storage and Cost: High-quality audio files can be large. Over time, this can lead to significant storage costs.
3. Retention and Classification: Determining how long to keep an audio file—and under what classification—can be difficult. Is a recorded meeting a formal record?
4. Authentication and Integrity: Audio files can be edited or manipulated. Ensuring the authenticity of a recording and verifying who said what can be complex.

New Tools and Technologies

Modern records management platforms are beginning to integrate. These include:

• Speech-to-Text Engines: Real-time transcription and captioning.
• Voice Recognition: Identifying individual speakers in multi-person recordings.
• Sentiment Analysis: Detecting tone, urgency, or emotional cues in conversations.
• Audio Fingerprinting: Verifying the authenticity and originality of audio files.

AI Summary Notes: Balancing Efficiency with Privacy

Organizations are increasingly relying on AI to transcribe and summarize audio records. While these tools can improve the accessibility and usefulness of audio content, they also introduce risks if not used responsibly.

AI transcription and summarization tools often process sensitive information, including:

• Client names and project details
• Employee identities and internal discussions
• Confidential business strategies or intellectual property

If mishandled, this data is fed into third-party AI platforms (especially those that store or use data to train their models) it can lead to unintended consequences, such as the unauthorized exposure of sensitive information, loss of control over proprietary business content, and vulnerability to regulatory non-compliance. These risks are exacerbated when organizations lack transparency into how the data is processed, where it is stored, and whether it is being reused beyond its original purpose.

To mitigate these risks, organizations should thoroughly consider the following safeguards:

1. Use Enterprise-Grade AI Tools: Choose transcription and summarization platforms that offer data residency controls, enterprise agreements, and no data retention policies. Organizations should also verify that the provider does not use your data to train their models or for any other purpose besides providing the services you’ve requested.
2. Anonymize Sensitive Information: Before processing, redact or anonymize names, client identifiers, and confidential terms.
3. Implement Internal AI Models: Where possible, deploy AI tools on-premises or within a private cloud environment to maintain full control over data flow and storage.
4. Update Governance Policies: Include records management and data governance policies to include AI.
5. Train Staff on AI Ethics and Usage: Make sure employees understand the implications of using AI tools and follow protocols for handling sensitive information.

Best Practices for Managing Audio as a Record

To effectively manage audio records, organizations may:

1. Transcribe and Index: Use AI-powered transcription tools to convert speech to text. This not only makes audio content searchable but also allows for easier classification and review.
2. Apply Metadata: Tag audio files with relevant metadata such as:

• Date and time of recording
• Participants or speakers
• Meeting or event title
• Department or business unit
• Retention category

Metadata ensures that audio files are readily retrievable.

3. Define Retention Rules: Audio files should be subject to the same retention as other similar records. Retention should be based on content and purpose, not format.

4. Secure Storage and Access Controls: Store audio files in secure, access-controlled environments and use encryption to protect sensitive data.

5. Standardize Formats: Convert audio files to widely supported, long-term formats like MP3 or WAV. Avoid proprietary formats that may become obsolete or difficult to access in the future.

Final Thoughts: Listening to the Future

The next time you hit “record,” ask yourself: Is this just a conversation—or is it a record that needs to be managed? By embracing the sound of records, you ensure that your governance program is not only comprehensive but ready for the future.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post The Sound of Records: Managing Audio as a Primary Record Type appeared first on Zasio.

With this amendment, Colorado has further strengthened and refined privacy protections for Colorado consumers to keep pace with new digital technological and legal developments. The state joins the trend of states defining precise geolocation information (i.e., any information enabling a person to be located within 1,850 feet) and classifying it as sensitive personal data.

As consumers increasingly rely on technology in every facet of their lives, they leave behind a widening digital trail revealing their preferences, habits, and routines. Among the most significant of these is location data (whether precise or general), which is particularly sensitive because it tracks a person’s daily movements, offering insight into their lives. Businesses use this information for targeted marketing, but others may use it to monitor a person’s activities.

For someone wishing to learn as much as possible about a person, location data is among the most valuable types of information. It reveals a person’s daily comings and goings. A favored route for a morning run, a habitual place to eat lunch, or a dinner at a romantic partner’s home are just a few examples. But malicious actors can also use location data for exploitative purposes, such as stalking or extortion. That’s why the CPA now explicitly bans controllers from selling sensitive data, including precise geolocation data, unless they first obtain the consumer’s affirmative consent.

The Importance of Protecting Location Data

Recognizing the significance of this information, most state privacy laws, including Colorado’s CPA amendment, designate “precise” geolocation data as a sensitive personal data type that requires heightened safeguards and protections to stop misuse or unauthorized access.

For businesses and public agencies in Colorado, the CPA’s change likely has significant implications. Any processing of precise geolocation data, including transfers or sharing, now requires explicit consumer consent.

The law’s broad scope includes “derived” information (data that can infer a person’s whereabouts or activities). This includes data from Wi-Fi networks, cellular towers, Bluetooth devices, IP addresses, and many others that help identify a person’s location. Other peripheral categories of data may also come under scrutiny if they can reveal someone’s location, such as purchase and transaction data, online behavior, and social media activity.

Evolving Landscape of Privacy Laws and Best Practices

Expect to see the contours of location data protections continue to evolve in the coming years. States with comprehensive privacy laws are sure to incrementally refine their approaches to protecting personal data. They may also gradually become more uniform by copying provisions from each other that have proven popular. Meanwhile, the growing body of enforcement actions and court decisions will shape a clearer set of principles and best practices for personal data management and protection that businesses can follow.

Note:

The CPA amendment, SB25-276, adds language that defines “precise” geolocation data as sensitive, which includes any data allowing a person’s whereabouts to be determined to within a broad radius of 1,850 feet. Specifically, SB25-276[i] defines “precise geolocation data” as “information derived from technology that accurately identifies the present or past location of a device that links or is linkable to an individual within a radius of one thousand eight hundred fifty feet… [and] includes: (i) global positioning system (gps) coordinates within a radius of one thousand eight hundred fifty feet; or (ii) any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of one thousand eight hundred fifty feet.”

This roughly tracks the definition provided in California Consumer Privacy Act (CCPA), which also specifies 1,850 feet (about six football fields). It also excludes communication content or any data from advanced utility meeting systems.

[i] https://leg.colorado.gov/sites/default/files/documents/2025A/bills/2025a_276_enr.pdf

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Understanding the New Colorado Privacy Act Amendment on Precise Geolocation Data appeared first on Zasio.

As the CCPA’s enforcement memo highlights, data minimization reduces the risk of unintended data access, is part of good data governance, and businesses can reduce risk exposures by regularly evaluating how they collect, use, retain, and share personal information. The memo further provides a few thought exercises to help organizations examine and apply the data minimization principle in some common consumer data rights requests contexts. Questions organizations should often ask include: Do we really need more information than we already have to achieve our purpose? What are the possible negative impacts from collecting and using the information we control? And what additional safeguards are available to help address the potential for negative impacts?

At Zasio, we help organizations make data minimization a foundational part of not only their personal information processing, but throughout their records and information practices. Good information governance requires organizations think about how they collect, use, retain, and share not just personal information, but all records and information.

Good information governance requires organizations to frequently ask themselves questions like (i) are your business units being precise or overbroad in their records and information collection and retention, (ii) what records and information in your domain no longer have business or legal value and are ripe for disposal, and (iii) what additional safeguards can we apply? Having a well-vetted and consistently followed records and information management policy and records retention schedule, routinely updating these documents, and ensuring functions like IT, security, and privacy, are all fundamentally represented in your IG program, will help make data minimization an intrinsic part of your organization’s information governance.

Consistently following the data minimization principle is integral to managing records and information risks, allowing it to spend more time on producing the innovations that will allow it to thrive.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Data Minimization is Good Information Governance appeared first on Zasio.

The post Developing Privacy as a Retention Schedule and Program Foundation appeared first on Zasio.

Join Zasio Consulting analyst Brandon Tuley, along with Jennifer Chadband and Rick Surber, co-managers of Zasio’s Consulting division, for this important and timely discussion!

What: Identifying and Breaking Down Privacy Requirements for Your Program

When: Tuesday, Jan. 30, 2024.

UPDATE: This webinar has aired! Looking for the slides from the presentation? View them HERE. You can register and view the recording HERE.

The post Virtual Coffee with Consulting: Identifying and Breaking Down Privacy Requirements for Your Program appeared first on Zasio.

Lawmakers have been busy brewing up a cauldron of new or revised privacy laws and regulations in 2023. Join Frank Fazzio, Zasio senior analyst, along with Jennifer Chadband and Rick Surber, co-managers of Zasio’s Consulting division, for an overview of recent privacy law updates in the United States and internationally. This presentation will focus on significant laws recently passed with an emphasis on the most impactful, notable, or unique aspects of the laws to be considered for your organization’s privacy program.

UPDATE: Register to view the Oct.19 recording.

The post Virtual Coffee with Consulting: A Guide to Key Privacy Law Updates in 2023 appeared first on Zasio.

Data privacy law compliance is in large measure about showing your work. Five years into the swell of new comprehensive data privacy laws, privacy teams are getting used to ensuring their organization’s personal data activities are well documented. This means creating records—often lots of them. And for records managers, this means sorting out retention practices for all these new records.

This article identifies some key privacy law compliance records that records managers will likely encounter, and discusses how to apply classic retention principles to determine appropriate retention periods.

Types of Privacy Law Compliance Records

Article 30 of the GDPR requires organizations to maintain detailed records of their processing activities. This necessitates creating written documentation of processing activities and making them available to data protection authorities. Under CCPA, as well as a growing number of U.S. state privacy laws, organizations must analyze the risks associated with their processing activities through privacy impact assessments. Other records frequently generated through privacy law compliance include data transfer impact assessments before transferring personal data across borders, responses to data subject rights requests, breach assessments and notifications, personal data audits, and privacy-by-design assessments, to name a few.

Privacy law compliance records tell your organization’s story with respect to its personal data processing activities, such as its commitment to the letter of the law, thinking through privacy risks, respecting data subject rights, and curing defects.

Applying Basic Records Retention Principles to Privacy Compliance Records

By now we’re well acquainted with the storage limitation principle in data privacy—keep no longer than necessary. This has sent records managers scrambling to reduce retention periods for personal data. However, applying such aggressive deletion practices to data privacy compliance records can land your organization in regulatory trouble. For these, the tried-and-true general rules of identifying applicable legal requirements, and balancing risk with business need, are still largely your best practice.

Express Legal Retention Requirements

While less common than for other record types, there are still a number of express legal retention requirements that apply to data privacy compliance records. Breach investigation and notice records is a good example of where some of these can be found. Under Canada’s Breach of Security Safeguards Regulation, organizations must keep breach records for at least two years after the breach.[1] In Iowa, state law mandates a five-year retention period for records documenting an organization’s determination that consumer notice of a breach is not legally mandated.[2]

Another area for express legal retention requirements is under laws governing requests by data subjects to exercise data privacy rights. Under CCPA regulations, for example, an organization must maintain records of consumer requests for at least 24 months.[3] Colorado’s Privacy Act regulations obligate controllers to retain records documenting responses to their consumer data rights requests for the same period.[4]

While the GDPR does not specify retention periods for records of processing activities under Article 30, the subject is not without legal guidance. In 2017, the Belgian Data Processing Authority recommended keeping Article 30 records of processing activities for five years after termination of the processing activity.

But don’t let your search for legal retention requirements stop at data privacy-specific laws and recommendations. Retention periods in broader regulatory requirements can encompass records in your privacy compliance program, and where those are longer, they should be followed.

Where No Legal Retention Requirement Applies

When a record isn’t subject to an express retention requirement, records managers must balance business needs and legal risks to determine an appropriate retention period. To do this, records managers must ask how long their organization may need to justify its practices. This can mean turning to applicable statutes of limitation for guidance.

While statutes of limitations are not legal retention requirements, they’re a good measure of the time you may be called on by data privacy regulators or consumers to show compliance. Under the CPPA, administrative actions must generally be commenced within five years. The Illinois Supreme Court also in February clarified the general statute of limitations for civil claims under the state’s Biometric Information and Privacy Act (BIPA) is five years. But oftentimes, business need necessitates retention for longer than any regulatory or legal need, so whether to use an applicable statute of limitations as your retention benchmark must be evaluated on a case-by-case basis.

Conclusion

When setting retention periods, it’s crucial to understand the types of records your organization generates and which laws apply to these records. But knowing an organization’s specific regulatory and jurisdictional retention requirements, as well as balancing business needs and risk to determine retention periods, is something records and information management professionals have plenty of experience doing. For data privacy records compliance, it’s a matter of applying some trusted and familiar tools to a new set of records.

As privacy regulation expands, expect a lack of comprehensive privacy compliance recordkeeping to be a big part of regulatory actions. As a RIM professional, you can play a crucial role in ensuring your organization isn’t among those involved in these actions.

[1] Breach of Security Safeguards Regulations (SOR/2018-64) (amended Nov. 1, 2018): https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html#h-858504

[2] Iowa Code 2023, Section 715C.2(6): (https://www.legis.iowa.gov/docs/code/715C.2.pdf)

[3] Cal. Code Regs. tit. 11 § 7101(a).

[4] 4 CCR 904-3-6.11.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Navigating Retention of Data Privacy Compliance Records appeared first on Zasio.

On March 10, 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) and the National Data Management Office (NDMO) jointly released draft Executive Regulations complementing the PDPL. The regulation’s final version is expected to be released before Sept. 13, 2024.

You can find a comprehensive summary of the PDPL and its implementing rules below:

The PDPL governs the collection, use, storage, sharing, transfer, and updates pertaining to personal data, regardless of the methods of processing used. Foreign organizations that process Saudi personal data are also subject to the PDPL.

The PDPL defines as any information that specifically identifies a person or could lead to their identification. Examples include names, email addresses, driver’s licenses, phone, and social security numbers.

Under the new legislation, data controllers (organizations) are obligated to ensure the accuracy, completeness, and relevance of personal data before processing it. They must adhere to various data protection principles, including:

1. Obtaining the consent of the data owner before processing their personal data.
2. Creating and sharing with data subjects a personal data privacy policy. The policy should outline the purpose, content, collection method, storage, processing, destruction, and owner’s rights, and the process for exercising these rights.
3. Implementing appropriate organizational, administrative, and technical measures to safeguard personal data, including during its transfer, in accordance with the regulations and controls outlined in the Executive Regulations.

Data Breach

In the event of a data breach, data controllers must promptly notify the SDAIA within 72 hours of becoming aware of the breach. They are also required to provide a comprehensive analysis of the breach to the regulatory authority, as well as the measures being implemented to prevent similar incidents in the future.

Data Processing Records

Organizations must maintain records of their processing activities, as specified by the Executive Regulation, for a determined period. The draft version of the Executive Regulations includes a five-year retention period after processing activities or until the purpose of collection of personal data ends, whichever is longer. These records should include essential information such as the organization’s contact details, the purpose of personal data processing, categories of data subjects, recipients of personal data, the expected retention period of the personal data, and whether the data has been transferred outside of Saudi Arabia.

Data Transfers

The PDPL has expanded the grounds for international data transfers. Previously, transfers outside Saudi Arabia were only allowed in specific cases such as protecting the life or vital interests of the data subject, addressing diseases, fulfilling obligations under agreements involving Saudi Arabia, or serving the interests of the country. Now, transfers are permitted for additional purposes specified in the regulations, including obligations of the data subject.

The conditions for transfers, such as minimum necessary data and protection of national security and vital interests, remain the same. The requirement for approval from the competent authority, however, has been removed. Instead, there is a new requirement for an appropriate level of data protection in the destination country. Further details and procedures regarding data transfer provisions, including potential exemptions, will be outlined in the final Executive Regulations.

Penalties/Sanctions

The PDPL establishes penalties for the disclosure or publication of sensitive personal data, including imprisonment for up to two years and/or a fine of up to SAR 3 million ($800,000 USD). Both organizations and individuals can be subject to sanctions. Violations of other PDPL provisions carry penalties that include a warning notice or a fine not exceeding SAR 5 million ($1.3 million USD). In cases of repeated offenses, the court has the authority to double the fine.

Final Thoughts

The PDPL in Saudi Arabia is a significant new law impacting personal data and privacy rights. By adhering to the law, organizations subject to the PDPL can help ensure compliance with the requirements for doing business in Saudi Arabia.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Closer Look: Saudi Arabia’s New Comprehensive Personal Data Protection Law appeared first on Zasio.