Effects of GDPR on the financial services sector in the Kingdom of Saudi Arabia

Technological advances have enabled many traditional services to be transferred to an electronic environment, resulting in, among other things, an increasing number of communication channels between financial institutions and individuals. The upshot is that, individuals and entities have to share almost any kind of personal data. While the technology for data sharing and the demand for the data of both public and private sectors are increasing, the legislation on the protection of this data has not been able to grow at the same speed and scope. In the case of Saudi Arabia, there is an element of data protection under Sharia Principles in general, and there are some regulations punishing defined data breaches as per the related regulation. Although a new personal data protection law is under review by the Shura Council, it is not yet accepted. Meanwhile, in the European Union (EU), General Data Protection Regulation (GDPR)1 has been adopted as a regulation that will cover the whole EU and its citizens and corporates all over the world. While protecting personal data, this new framework imposes standards and certain sanctions for all individuals and institutions that process this data. This paper tries to provide a risk assessment of GDPR for the Kingdom of Saudi Arabia (KSA) and the requirement of a detailed data protection regulation that can be consistent with Sharia mainly due to the ‘maslahah’ principle and 2030 Vision.