KSAPDPL.COM

PDPL Compliance Services

Table of Contents

PDPL Implementing Regulation Article 9 – Anonymisation

  • 🕒 2 min read

Implementing Regulation of PDPL Article 9 governs how a Controller should anonymize personal data so that the Data Subject can no longer be identified. It requires strong safeguards to prevent any possibility of re-identification and mandates periodic evaluation of anonymisation methods. Once data is truly anonymized, it is no longer considered personal data under the Law.

When a Controller anonymizes the Personal Data of a Data Subject, it shall comply with the following:

Implementing Regulation of PDPL Article 9 (1) (a)

Prevent Re-identification

Ensure that the re-identification of the Data Subject is impossible after Anonymisation.

Implementing Regulation of PDPL Article 9 (1) (b)​

Assess Re-ID Risk

Evaluate the impact, including the possibility of re-identifying the Data Subject, in the circumstances specified in Paragraph (1) of Article 25 of this Regulation.

Implementing Regulation of PDPL Article 9 (1) (c)​

Implement Controls

Take the necessary organizational, administrative, and technical measures to avoid the risks, taking into account technological developments, methods of Anonymisation, and updates to those methods.

Implementing Regulation of PDPL Article 9 (1) (d)

Review Anonymisation

Evaluate the effectiveness of the applied techniques for anonymising Personal Data and make necessary adjustments to ensure that re-identification of Data Subject is impossible.

Implementing Regulation of PDPL Article 9 (2)

Not Personal Data

Anonymized data shall not be considered as Personal Data.

Explanation of Implementing Regulation of PDPL Article 9

Identity must stay hidden:

Implementing Regulation of PDPL Article 9 (1) (a) says, the anonymisation must ensure the individual cannot be re-identified.

Evaluate potential reversibility:

Implementing Regulation of PDPL Article 9 (1) (b) says, risk of re-identification must be assessed, especially in high-risk processing cases.

Apply strong safeguards:

Implementing Regulation of PDPL Article 9 (1) (c) says, take technical and organizational measures considering tech changes and anonymisation updates.

Keep effectiveness up to date:

Implementing Regulation of PDPL Article 9 (1) (d) says, regularly evaluate and improve anonymisation methods.

Truly anonymised data is exempt:

Implementing Regulation of PDPL Article 9 (2) says, cnce data is irreversibly anonymised, it no longer qualifies as personal data under the Law.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Personal Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top