
An Overview of Saudi Arabia’s Personal Data Protection Law (PDPL)

Saudi Arabia’s Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (September 16, 2021), which approved Resolution No. 98 of 7/2/1443H (September 14, 2021). It was published in the Republic Journal on September 24, 2021.

The Saudi Data and Artificial Intelligence Authority (SDAIA) will oversee the implementation of the new legislation for the first two years, after which a transfer of oversight to the National Data Management Office (NDMO) will be considered. The NDMO is the regulatory arm of SDAIA and had already published interim data governance regulations in 2020, which have now been superseded by the PDPL with regard to the protection of personal data.

According to the SDAIA announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent abuse of personal data in line with the goals of the Saudi Vision 2030 to develop digital infrastructure and support the innovation to grow a digital economy.

PDPL Enforcement Scope

The Personal Data Protection Law (PDPL), as well as other legislation on the subject, is designed to protect personal data, that is, any information, in any form, through which a person can be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, pictures, and video recordings of the person.

The PDPL applies to any personal data processing by companies or public entities carried out in Saudi Arabia by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom.

The PDPL does not apply to the processing of personal data for personal and family use.

The PDPL Pillars

Many of the features of the Personal Data Protection Law (PDPL) are consistent with the concepts and principles contained in other international data protection laws, such as:

  • Data Subject Rights: Individuals (data subjects) shall, with some exceptions, have the right to be informed about the processing of their personal data and the legal basis for such processing, the right to access their personal data (including obtaining a free copy of it), the right to correct or update their personal data, and the right to request its destruction when it is no longer necessary. Data subjects can also file complaints related to PDPL enforcement with the regulatory authority.
  • Registration of Controllers: Organizations that collect personal data and determine the purpose for which they are used and the method of processing (controllers) must register with an electronic portal that will form a national register of controllers. There will be an annual fee payable for registration, to be determined in executive regulations (which will be issued in due course).
  • Controller Obligations: Controllers will be obliged to ensure the accuracy, integrity, and relevance of personal data before processing them, to keep a record of the processing for a period that will be defined by the executive regulations, and to ensure their team is properly trained in the PDPL and data protection principles.
  • Consent: Data subjects may withdraw their consent to the processing of personal data at any time, and consent shall not be a prerequisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
  • Processing not Based on Consent: Notwithstanding the provisions on withdrawal of consent, the PDPL makes it clear that data processing does not always require consent from the data subject. Consent is not required if processing achieves a clear benefit and it is impossible or impractical to contact the data subject, if required by law or prior agreement to which the data subject is a party, or if the controller is an entity and processing is required for security or legal purposes.
  • Privacy Policy: Controllers must implement a privacy policy and make it available to data subjects before the collection of their personal data. The Personal Data Protection Law (PDPL) establishes the minimum information that must be included in the privacy policy, including when personal data is collected directly from the data subject.
  • Purpose Limitation and Data Minimization: Organizations must make clear the purpose for which personal data is collected and used. Personal data must also be relevant and controllers must limit collection to the minimum necessary to achieve the intended purpose.
  • Impact Assessments: Controllers must assess the impact of processing personal data and, if personal data is no longer needed to achieve the intended purpose, the controller must stop collecting such data.
  • Marketing: Personal data may not be used for marketing purposes without the recipient’s consent or the use of opt-out mechanisms.
  • Breach Notification: Data breaches, leaks, or unauthorized access to personal data must be notified to the supervisory authority, and incidents that cause material damage to the data subject must be notified to the data subjects.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

The 5 Biggest Data Leaks of 2021

During the pandemic, cyberattacks grew more than ever. Theft, hijacking, and data leaks are increasingly popular practices in cybercrime. The category of locking data and holding it for ransom (ransomware) has stood out in particular, since data is a highly valuable resource and most companies do not refuse to pay the million-dollar amounts demanded to recover it.

Moving to remote work models has put more people in virtual environments, which increases the opportunities for digital attacks. In addition, home office work, where business systems are accessed from home and through personal devices, has widened the attack surface that information security must cover.

In other words, the global destabilization generated by the pandemic has been a fertile field of vulnerabilities to be exploited by cybercrime.

This wave of attacks has been spreading around the world, reaching government agencies and companies from different sectors. One of the biggest risks for companies is having their data leaked, which can be one of the consequences of refusing to pay a ransomware demand, for example.

Another potential leak occurs when attackers make the data available for sale on specific deep web forums.

The year is not over yet and we already have a generous list of this kind of cyberattack. Check out the biggest data leaks that occurred in 2021 in Brazil and worldwide.

Brazil: 223 million Brazilians’ Data Leaked 

The most recent data leak in Brazil involves personal information on 223 million Brazilians, including names, dates of birth, gender, individual taxpayer numbers, corporate taxpayer numbers, vehicle information, addresses, face pictures, education, registration in retirement benefits, data on public officers, debt scores, among others.

That is pretty much all the data a person can have. If the Brazilian population is 212 million, data from almost all Brazilians would be included in this list, but the leak also contains information on deceased people and data from previous leaks.

The data package was posted on a forum to be sold. The suspects responsible for putting the information up for sale have already been caught by the police. One of them is Marcos Correia da Silva, known as Vandathegod. The second, Yuri Batista Novaes, known as JustBR, was caught in the act in Petrolina, and 4 terabytes of data were seized at his home.

Brazil has been one of the main targets of cybercriminals. In 2019, the country reached second place in the world in ransomware attacks. In 2020, in the second quarter alone, there was an increase of 350%, reaching both companies and governments, according to data from Kaspersky. 

The numbers keep growing: in the first half of 2021 alone the world already had numerous cases of cyberattacks, and at least eight of these incidents occurred in Brazil, which corresponds to about one attack per week.

RockYou2021: Historical Leak of 8.4 billion Passwords

Considered the biggest leak in history, its name refers to the earlier RockYou leak, which exposed 32 million passwords of users of the RockYou social network. This time, the leak involved 8.4 billion access passwords disclosed on a hacker forum.

It is still not possible to say how this data was compiled or where it came from. Some experts believe it was accumulated over the years and merged with previous leaks.

This type of leak raises an alert, because cybercriminals can try the leaked passwords against accounts on many online services or build a dictionary to facilitate password-guessing attacks. Users’ neglect only makes the situation worse: the common habit of reusing passwords, for convenience, can further increase the damage.
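The defensive counterpart to the risk described above is to refuse passwords that already appear in a known leak at the moment a user sets them. The following is an added example, not code from the original post or from Segura or Version 2 Digital. Its leaked-password corpus is a small constructed set, not any real leak, and its `range_query` function stands in for a breach-check service; it follows the hash-prefix pattern in which only the first five hex characters of the SHA-1 hash are sent and the rest of the comparison happens locally, so the full hash never leaves the host.

```python
"""Added example: reject new passwords found in a leaked-password corpus.

The corpus below is constructed for the example. range_query() imitates a
breach-check service that, given a 5-character SHA-1 prefix, returns the
35-character suffixes of every leaked hash sharing that prefix (the
k-anonymity lookup pattern). The caller never reveals the full hash."""

import hashlib

# Constructed stand-in for a leaked-password corpus (SHA-1 hex, upper case).
_LEAKED_PLAINTEXTS = {"123456", "password", "qwerty", "rockyou", "iloveyou"}
LEAKED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXTS
}


def range_query(prefix5: str) -> list:
    """Simulated breach service: suffixes of all leaked hashes with this prefix."""
    prefix5 = prefix5.upper()
    return [h[5:] for h in LEAKED_HASHES if h.startswith(prefix5)]


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the SHA-1 hex digest into the 5-char prefix sent out and the
    35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_leaked(password: str) -> bool:
    """True if the password's full hash is in the corpus; only the prefix
    is disclosed to the (simulated) service."""
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in range_query(prefix)


def evaluate_new_password(password: str, min_length: int = 12) -> list:
    """Return a list of policy violations for a candidate password.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_leaked(password):
        problems.append("appears in a known password leak")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "a long unique passphrase 42"):
        verdict = evaluate_new_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

In a real deployment the constructed corpus would be replaced by a locally mirrored leak list or a breach-check API, and the length check would sit alongside the organization's other password rules; the important property is that a password rejected here is never stored, so a later leak elsewhere cannot be replayed against this system.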

Facebook: 533 million Facebook Users’ Data Leaked

533 million people from 106 countries had their personal data published free of charge on a hacker forum. The information includes names, addresses, telephone numbers, dates of birth, and email accounts. Tests performed by experts confirmed the legitimacy of the data and that it can still be used for future attacks.

When taking a stand on the case, Facebook stated that the leaked data had already been compromised in 2019. At that time, the attacker found a vulnerability in the platform that allowed user data to be imported, linking phone numbers to specific users. “We found and fixed this issue in August 2019,” said a Facebook spokesperson.

Facebook has been the target of speculation about data leaks and misuse since the case involving Cambridge Analytica, which used data from 80 million users to interfere in the course of the 2016 elections in the United States.

HIPAA: Five Tips for Complying with The Certificate

What is HIPAA? Currently, this is one of the most frequently asked questions by many professionals working in the healthcare industry, especially in times of the Covid-19 pandemic.

But why is it so important and what are its benefits for healthcare companies? First, it is critical to comply with HIPAA to ensure that more secure procedures are in place regarding the handling of some critical information.

However, it must be emphasized that HIPAA is a United States law. Consequently, there is no document or certificate in Brazil that can attest that your company operates in compliance with HIPAA.

Thus, working in line with HIPAA means working in accordance with the standards established by a foreign law.

But following these guidelines is a movement that, fortunately, has been gaining many followers in Brazil.

It must be taken into account that HIPAA is extremely important, as it aims to ensure information security in all companies operating in the healthcare industry.

With that in mind, we have prepared an article with five fundamental tips to help your company work in compliance with this law. Check it out!

1. Know HIPAA in Detail

Why is it important to know all the details of HIPAA? To make sure all its points are met.

As mentioned, the Health Insurance Portability and Accountability Act (HIPAA) is a law of foreign origin and applicable in the United States.

So, it can be described as a group of standards aimed at companies in the healthcare industry.

The aim is to ensure data protection. Although HIPAA is legally applicable to the North American territory, this law has inspired many entities around the globe that are part of the healthcare universe.

These companies use various resources to adapt to the rules and guidelines set forth by this law.

The intention is to practice the procedures that guarantee enhanced security in relation to information that circulates in the healthcare sector.

As a result, customers are more confident in doing business with companies that adapt to this foreign law.

Therefore, you can increase the credibility of your brand in a market that is increasingly competitive.

Requirements to Be HIPAA Compliant

Certain requirements must be followed by all companies that aim to comply with HIPAA.

After all, they indicate the standards necessary to protect the electronic medical records of doctors and patients.

Based on this, one could say this law was created to cover several objectives, such as:

  • Offer improvements to the healthcare industry;
  • Ensure a high level of security of patient information and privacy;
  • Determine that healthcare companies provide medical records to patients whenever requested.

2. Assess Your Company’s Infrastructure According to HIPAA

One of the key issues for companies looking to comply with HIPAA standards is a thorough analysis of their IT structure.

For that, they must have a broad view of the vulnerabilities and risks that may arise during their activities.

In this way, it is possible to identify the sensitive gaps that must be closed to fully comply with this law.

Another important step is to assess the information security practices already present in the organization and determine whether the level of security they provide is adequate.

Analyze whether these practices are capable of guaranteeing the confidentiality of health information, as well as the security of the data considered most sensitive.

A useful tip is to review the procedures in use and identify the controls needed to correct current threats, thus conforming to HIPAA guidelines.

How Does The LGPD Impact Companies?

Due to the growing technological development in the market, we can clearly see how much the way consumers buy products and services has changed. Through more practical technologies, such as cellphones, laptops, and tablets, they are just a click away from connecting with companies over the internet.

Realizing this new consumer behavior, brands uncovered the need to ensure a digital presence in order to conquer new audiences. As a result of this migration, there was a need to have digital marketing strategies to capture customers, and the collection of user information is among the most used strategies to generate conversions.

However, the LGPD was sanctioned in 2018 to make sure that this data collected by companies — whether an email, CPF, or telephone number — was stored and used securely and transparently.

Do you want to learn more about it? Then read our post to the end and get answers to your questions about the LGPD and how it can impact your business.

After All, What Is The LGPD?

Law 13.709/2018, popularly known as LGPD — an acronym for General Data Protection Law — entered into force in 2018. It was created so that the personal data users make available to companies becomes more secure, that is, efficiently collected and stored.

In practical terms, this law gives users power over their data. In other words, the user can define how companies may use their sensitive data and how it should be treated. Furthermore, users can simply refuse to share their information, as they are not obligated to do so.

There is also a European law, popularly known as GDPR, from which the LGPD drew its main premises regarding the security of data and shared user information.

Following the LGPD’s practical line, users must be aware of how their personal information will be used and handled by the companies that collected it. Also, users can choose to remove their data from the database of such companies.

Do you want to stay on top of this subject? Download our free e-book right now and get access to exclusive information.

How Does The LGPD Impact Companies?

Looking at the business side, these new processes guided by the Law require businesses to be extremely careful and meticulous about the terms of use of the respective data. Therefore, brands need to explain very clearly all forms of use of the information provided by users. Not to mention that these businesses must also take steps so that users can manage their own information.

For these activities to be carried out efficiently, and above all, following the guidelines imposed by the LGPD, each company must pay attention to the main rules it guides regarding the collected data.

What has happened a lot in the business world is that brands have hired professionals to deal specifically with these processes, so that the internal departments that need personal data of customers and leads can work more securely and within the law.

What Is the Difference Between IAM and PAM?

It is important to know the differences between IAM (Identity & Access Management) and PAM (Privileged Access Management). However, this theme still raises doubts for some people.

First, it is necessary to understand that having an identity is essential.

After all, identity is no longer defined solely by personal documents.

In fact, identity is made up of several characteristics capable of affirming who we are and the types of activities we perform.

Thus, several attributes make up our identification, such as name and biometrics, among others that help build a unique identity.

Without these characteristics, it would be impossible to recognize a person among the large number of individuals that inhabit planet Earth.

Regarding this aspect, have you ever imagined what would be the routine of an online system in which all users had the same identity?

So, imagine the following situation: Leo owns a company. When logging into the system, he seeks access to information relating to all employees in the organization.

Laura, who also works at the company, needs to enter the same platform to obtain information about the work she will perform, without necessarily seeking information regarding the clients.

But how will the system be able to provide the necessary information if it cannot recognize the identity of each one?

And how will the platform be able to identify authentic access?

This reality would also make it impossible to select the people who can have access to certain functions within the system in question.

Interesting, isn’t it?! So, I invite you to keep reading this article.

IAM: What Is It?

Based on the concern regarding identity issues, IAM has emerged, which can be understood as Identity and Access Management.

This system makes it possible to manage the most diverse identities and accesses related to company resources.

These resources can be understood as devices, environments, applications, network files, among other possibilities.

In other words, through IAM, it is possible to have optimal management and definition of the activities each user will be able to perform within the system.

These users can be clients, internal employees, third-party workers, or some applications.

One can see that, regardless of the type of user, IAM systems defend the concept that each individual must have their own virtual identity.

Therefore, it must be unique and needs to be monitored based on its life cycle, thus considering its creation, use, and exclusion stages.

From this perspective, the virtual identity presents the username, a password, and the activities carried out virtually.

IAM comes in several deployment models. One of the most common is the system delivered as a service.

It is called IDaaS (Identity as a Service).

In this model, the authentication infrastructure is hosted and managed by a third party.

Generally speaking, there are many application models today. However, every IAM system must have:

  • An efficient database to store information from the most diverse users.
  • Tools that provide the ability to enable and disable accounts.
  • Features capable of granting and revoking access rights to users.

In other words, IAM systems can manage digital identities.

The goal is to ensure access permission to users who, in fact, have authorization.
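The following is an added example, not code from the original article or from Segura or Version 2 Digital. It models the three capabilities the text says every IAM system must have (an identity store, enabling and disabling of accounts, and granting and revoking of access rights) together with the lifecycle stages of creation, use and exclusion, and then replays the Leo and Laura scenario from the introduction. The usernames, the access rights such as `employees:read`, and the acting administrator `admin` are all constructed for the example.

```python
"""Added example: a minimal identity-and-access model.

Each identity is unique, has a lifecycle (active -> disabled -> deleted),
carries a set of access rights, and every administrative action is logged.
Authorization ("use") succeeds only for an active identity holding the
requested right. Names and rights are constructed for the example."""

from dataclasses import dataclass, field
from datetime import datetime, timezone

ACTIVE, DISABLED, DELETED = "active", "disabled", "deleted"


@dataclass
class Identity:
    username: str
    status: str = ACTIVE
    rights: set = field(default_factory=set)          # e.g. {"employees:read"}
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class IdentityStore:
    """Identity store with one record per unique username and an audit trail."""

    def __init__(self):
        self._ids = {}      # username -> Identity
        self.audit = []     # (actor, action, target) tuples

    def _log(self, actor, action, target):
        self.audit.append((actor, action, target))

    def _get(self, username):
        ident = self._ids.get(username)
        if ident is None or ident.status == DELETED:
            raise KeyError(username)
        return ident

    # lifecycle: creation (usernames are never reused, even after deletion,
    # so audit entries always point at one person)
    def create(self, actor, username):
        if username in self._ids:
            raise ValueError(f"identity {username!r} already exists")
        self._ids[username] = Identity(username)
        self._log(actor, "create", username)
        return self._ids[username]

    # enable / disable an account without destroying it
    def set_enabled(self, actor, username, enabled):
        self._get(username).status = ACTIVE if enabled else DISABLED
        self._log(actor, "enable" if enabled else "disable", username)

    # lifecycle: exclusion (soft delete keeps the audit trail intact)
    def delete(self, actor, username):
        ident = self._get(username)
        ident.status = DELETED
        ident.rights.clear()
        self._log(actor, "delete", username)

    # grant / revoke access rights
    def grant(self, actor, username, right):
        self._get(username).rights.add(right)
        self._log(actor, f"grant {right}", username)

    def revoke(self, actor, username, right):
        self._get(username).rights.discard(right)
        self._log(actor, f"revoke {right}", username)

    # lifecycle: use (the authorization decision)
    def is_authorized(self, username, right):
        ident = self._ids.get(username)
        if ident is None or ident.status != ACTIVE:
            return False    # unknown, disabled or deleted identities get nothing
        return right in ident.rights


def run_scenario():
    """Replay the Leo/Laura scenario and return every access decision."""
    store = IdentityStore()
    store.create("admin", "leo")
    store.create("admin", "laura")
    store.grant("admin", "leo", "employees:read")    # the owner sees all employees
    store.grant("admin", "laura", "tasks:read")      # Laura only sees her own work
    r = {
        "leo_reads_employees": store.is_authorized("leo", "employees:read"),
        "laura_reads_employees": store.is_authorized("laura", "employees:read"),
        "laura_reads_tasks": store.is_authorized("laura", "tasks:read"),
    }
    store.set_enabled("admin", "laura", False)
    r["laura_reads_tasks_when_disabled"] = store.is_authorized("laura", "tasks:read")
    store.set_enabled("admin", "laura", True)
    store.revoke("admin", "laura", "tasks:read")
    r["laura_reads_tasks_after_revoke"] = store.is_authorized("laura", "tasks:read")
    store.delete("admin", "leo")
    r["leo_reads_after_delete"] = store.is_authorized("leo", "employees:read")
    try:
        store.create("admin", "leo")
        r["duplicate_rejected"] = False
    except ValueError:
        r["duplicate_rejected"] = True
    r["audit_events"] = len(store.audit)
    return r


if __name__ == "__main__":
    for decision, value in run_scenario().items():
        print(f"{decision}: {value}")
```

The point the scenario makes is the one the article draws: because Leo and Laura have distinct identities, the same platform can answer each of them differently, and an account that is disabled, stripped of a right, or deleted stops being authorized immediately while its history stays in the audit log.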
