Navigating NDMO Data Management & Personal Data Protection Standards

Copyright © 2024 Securiti

Introduction

In the wake of an unprecedented surge in data-driven activities and swift technological advancements, the Kingdom of Saudi Arabia (KSA) stands at the forefront of developing robust frameworks to regulate data management and protect personal data.

The National Data Management Office (NDMO), the KSA's national regulatory authority, has established requirements for implementing and governing practical Data Management and Personal Data Protection Standards (the "Standards") based on the National Data Management and Personal Data Protection Framework.

The Standards have been developed pursuant to the directive issued by the Saudi Authority for Data and Artificial Intelligence, which directs NDMO to develop and implement policies, governance mechanisms, standards, and controls for data and artificial intelligence and to monitor compliance upon publication.

As data continues to grow tenfold and play a crucial role in the macroeconomic landscape, this whitepaper aims to contribute to the broader discourse on responsible data management and the safeguarding of personal data within the purview of the NDMO. It serves as an essential resource for government entities, commercial entities handling government data, business partners, and individuals aiming to understand and comply with the NDMO's directives.

Data Management & Personal Data Protection Standards

Securiti has made every attempt to ensure the accuracy and reliability of the information provided in these materials. However, the information is provided "as is" without warranty of any kind. Securiti does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in these materials. Legal counsel should be consulted prior to making any decision in reliance on the information contained in these materials.

Scope of the Standards

Government entities are required to implement the Standards, monitor development, and drive efforts toward successful implementation; compliance will be evaluated yearly. The Standards also extend to business partners handling government data.

For all government data assets under their control and custody, these business partners are responsible for understanding and implementing the Standards. All government data, including paper documents, emails, data stored electronically, and voice recordings, is subject to the Standards regardless of its format or kind.


Data Management and Personal Data Protection Framework and the Standards

The Standards, including their controls and specifications, have been defined across 15 Domains as presented in the KSA Data Management and Personal Data Protection Framework. These domains encompass the entire data lifecycle, ranging from data creation, storage, and transfer, to its usage and eventual retirement.

KSA Data Management and Personal Data Protection Framework

1. Data Governance

Data Assetization
2. Data Catalog and Metadata
3. Data Quality
4. Data Operations
5. Document and Content Mgmt.
6. Data Architecture and Modeling
7. Reference and Master Data Mgmt.

Data Usage
8. Business Intelligence and Analytics
9. Data Sharing and Interoperability
10. Data Value Realization
11. Open Data

Data Classification and Availability
12. Freedom of Information
13. Data Classification

Data Protection
14. Personal Data Protection
15. Data Security and Protection (covered by NCA)


The Standards employ a three-tiered hierarchy of domain, control, and specification levels, with 15 domains broken down into control groups and specific compliance requirements. Each control and specification is detailed with its ID, description, dependencies, and priority level. The Standards comprise 77 controls and 191 specifications, prioritized into three levels for phase-wise implementation over three years: P1 for foundational implementation within the first year, P2 for capability improvement from the second year, and P3 for advancing maturity from the third year. These domains include:

Data Governance

It offers authority and control over the planning and implementation of data management practices through people, processes, and technologies, ensuring consistent and appropriate handling of the organization's data assets in line with its Data Management and Personal Data Protection Strategy.

Data Catalog and Metadata

It focuses on providing efficient access to well-integrated, high-quality metadata. Metadata access is facilitated by the automated Data Catalog tool, which acts as the single point of reference for the organization's metadata.

Data Quality

It focuses on enhancing the organization's data quality and ensuring that data is suitable for use in accordance with customers' requirements.

Data Operations

It focuses on maximizing the value of data at every stage of its lifecycle, from creation or acquisition to disposal.

Document and Content Management

It focuses on regulating the collection, storage, use, and distribution of data and documents stored outside of relational databases.

Data Architecture and Modelling

It focuses on creating formal data structures and data flow channels to enable end-to-end data processing across and within entities.

Reference and Master Data Management

All crucial data can be linked to a single master file using reference and master data management, creating a single reference point for all crucial data.

Business Intelligence and Analytics

It focuses on analyzing an organization's data records to gain insight and make decisions regarding the data discovered.

Data Sharing and Interoperability

It involves gathering data from multiple sources and includes integration solutions that promote smooth internal and external communication between different IT systems.

Data Value Realization

It involves the continuous analysis of data assets to find possible revenue-generating or cost-saving data-driven use cases.


Open Data

It focuses on the data held by the organization that may be made accessible to the general public to increase transparency, spur innovation, and promote economic progress.

Freedom of Information

It emphasizes giving Saudi citizens access to government information, outlining the method for doing so, and outlining the appeals process in case of a dispute.

Data Classification

It is the process of categorizing data to make it easier to utilize and protect. Levels of data classification are determined after an impact assessment that quantifies the possible harm that might result from improper data management or unauthorized access to data.

Personal Data Protection

It focuses on safeguarding data subjects' right to secure management and non-disclosure of their personal data.

Data Security and Protection

It focuses on the methods, personnel, and technological tools used to secure an entity's data. These tools include, but are not limited to, preventing spoliation, granting authorized access to data, and protecting against unauthorized data disclosure. The Saudi National Cybersecurity Authority is in charge of this domain.


How Securiti Can Help in Implementing the Standards

Securiti enables organizations to comply with KSA's Data Management and Personal Data Protection Standards through the Securiti Data Command Center, which leverages contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform.

Securiti's compliance framework streamlines compliance and enables organizations to operationalize the NDMO standard. Here's an overview of Securiti's modules mapped with each specification:

| Specification & Name | Securiti Module | How Securiti Helps |
|---|---|---|
| PDP.1.1 Personal Data Protection Initial Assessment; DSI.1.1 Initial Data Integration Assessment; DAM.3.3 Future State Gap Assessment; PDP.4.3 Personal Data Protection Risk Assessments | Automate Gap Assessments and Risk Assessments | Utilize Securiti's collaborative, multi-regulation readiness and evaluation system to analyze the position of your business against the needs of the Data Management and Personal Data Protection Standards. Automate DPIAs, and expand assessment and inventory management capabilities across your ecosystem to maintain compliance with the Standard. |
| PDP.4.2 Data Subject Rights | Automate Individuals' Data Rights Request Handling | Inform individuals of their data privacy rights and make verified data access requests easier to start. Automate the creation and delivery of reports on secure data access. |
| DC.3.1 Data Identification; DSI.1.1 Initial Data Integration Assessment | Data Asset Discovery (Dark Data System Discovery) | Discover all non-native and native data systems operating in Multicloud. Discover and remediate misconfigurations and overprivileges. |
| PDP.4.1 Privacy Notice and Consent Management | Monitor and Track Consent | Monitor consent to ensure data is processed legally. Track consent revocation to prevent the processing or transfer of data without consent. Demonstrate consent compliance to regulators and data subjects. |
| PDP.3.1 Data Breach Notification; DC.3.2 Impact Assessment | Automate Data Breach Response Mechanism | Automate the data breach response mechanism, including breach impact assessments and breach notifications to concerned stakeholders regarding data breach incidents, by leveraging a knowledge database on security incident diagnosis and response. |
| PDP.4.1 Privacy Notice and Consent Management | Privacy Policy and Notice Management | Automatically update and refresh your privacy policies and notices. Build and publish a privacy notice with pre-built templates. |
| PDP.5.1 Personal Data Protection Register; DSI.1.1 Initial Data Integration Assessment; DSI.1.2 Target Data Integration Architecture; DSI.5.1 Data Sharing Process; DSI.6.1 Data Sharing Request Submission Channel; DSI.7.1 Internal Data Sharing Agreements; DSI.7.2 External Data Sharing Agreements; DSI.8.1 Data Sharing and Interoperability KPIs | Map Data Flows and Generate RoPA Reports | Trace data flow across your digital estate, catalog data collection and transfer points, and document all business process flows internally and to service providers or third parties. Maintain an inventory of processing components and generate processing reports. |
| DC.3.1 Data Identification; MCM.5 Data Catalog Automation; OD.5 Artifacts | Sensitive Data Discovery (Sensitive Data Intelligence) | Establish Sensitive Data Intelligence and enable People-Data-Graph across structured/unstructured systems, fulfilling all key obligations around data concerning security, privacy, and governance. |
| DC.1 Plan; DC.2 Classification Controls; DC.3 Classification Process; DC.5 Artifacts | Data Classification and Labeling | Automatically apply labels and metadata to documents/files and structured datasets for security, privacy, and governance use cases. |
| DC.2 Classification Controls; DS Data Security | Data Security Posture Management | Discover data security posture issues and remediate them automatically across critical systems. |
| DO.3.2 Database Access Control | Data Access Intelligence | Visibility of an identity's or role's access to sensitive data. Utilize a data-driven methodology to identify and prioritize file access risk to detect and fix high-risk data access concerns. |
| DO.3.2 Database Access Control | Data Access Controls | Policy-based controls on an identity's or role's access to sensitive data. Authorize users, employees, and third parties to access company data in a way that complies with compliance, security, and privacy standards. |
| DG.5.3 Compliance Monitoring; PDP.4.3 Personal Data Protection Risk Assessments | Data Risk Scoring | Monitor global data risk over time with a clear breakdown of the various contributors to risk, and uncover high-risk activity in your environment. |
| MCM.1.3 Metadata Architecture; DAM.3.1 Current State Architecture; DAM.4.2 Tools and Technologies; DSI.5.1 Data Sharing Process; DSI.8.1 Data Sharing and Interoperability KPIs | Data in Motion | Discover the flow of sensitive data across your message bus (Kafka) and control the sprawl of sensitive data in real time. |
| MCM.1 Plan; MCM.5 Data Catalog Automation; MCM.6 Performance Management | Data Catalogs | Collect and enrich metadata, enabling users to discover trusted data promptly. |


Compliance and Enforcement

Entities subject to the Standards will conduct a compliance audit every year and submit the results of the audit to NDMO during the third quarter of each year. The NDMO will examine and compile all entity reports and then publish the yearly compliance results to relevant parties at the entity, sector, and federal levels of government.


Key Steps to Adopt the Data Management and Personal Data Protection Standards

Automating compliance with the Standard ensures coherence, streamlines compliance processes, and significantly minimizes human oversight. Here are steps to guide organizations toward compliance in Saudi Arabia:

Understand Applicable Laws and Standards

Assess and understand the particular laws and standards that apply to data protection and management in your jurisdiction, such as data protection acts, local and international data privacy laws, or industry-specific regulations.

Data Discovery, Classification, and Mapping

Discover and classify the types of data you collect, process, and store, and map them to the rightful owner. Determine the data's sensitivity and classify it appropriately. This enables the implementation of appropriate security measures.

Implement Access Controls

To ensure that only authorized individuals access sensitive data, automate role-based access control.

Privacy Policies and Notices

Develop clear and comprehensive privacy policies and notices with transparent details about the purpose of data collection. The policies and notices should communicate how an individual's data will be collected, processed, and stored.

Data Minimization and Purpose Limitation

Only collect and process data that is absolutely necessary. Refrain from collecting and maintaining excessive data that isn't necessary. Clearly state the reasons for the data processing.

Ensure Data Security

Implement robust security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction, including state-of-the-art encryption, access controls, and regular security audits and assessments.

Consent Management

Before collecting and processing an individual's personal data, obtain their explicit and informed consent. Automate the consent process to enable individuals to provide, update, or revoke consent easily.

Data Retention and Deletion

Establish policies for data retention and deletion. Personal data shouldn't be retained for any longer than is required for the intended use.


Cross-Border Data Transfers

Ensure your practices comply with all applicable cross-border data transfer regulations before transferring personal data across borders. Implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Conduct privacy impact assessments to determine any vulnerabilities.

Data Breach Response

Establish a robust strategy for responding to data breaches. Implement protocols for evaluating, containing, and notifying impacted parties and relevant authorities in compliance with legal requirements in the case of a data breach.

Regular Audits and Assessments

Conduct regular audits and assessments of your data management processes to identify and address any potential compliance issues.


Meeting NDMO Standards with Securiti

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments.

Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance. Securiti has been recognized as Gartner's "Cool Vendor in Data Security", Forrester's "Privacy Management Wave Leader", and RSA's "Most Innovative Startup".

With Securiti, organizations can:

- Discover, classify, and categorize data across the enterprise;
- Map and conduct a sensitive data catalog by individual;
- Leverage workflow orchestration to streamline operations, reduce costs, and improve accuracy;
- Execute privacy policies and notices;
- Conduct privacy risk assessments for security purposes;
- Monitor and manage third-party consent;
- Automate the incident response process.


Securiti's Data Command Center enables organizations to comply with NDMO Data Management & Personal Data Protection Standards by leveraging contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance via a single platform.
