An Overview of Saudi Arabia’s Rules for Appointing Personal Data Protection Officer (DPO)

I. Introduction

Saudi Arabia has enacted stringent privacy regulations to protect personal data in the ever-evolving data privacy landscape. Central to these regulations is the requirement that applicable organizations appoint a Personal Data Protection Officer (PDPO), commonly recognized as a Data Protection Officer (DPO).

As a result, on August 27, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) published Rules for Appointing Personal Data Protection Officer (DPO Rules). These Rules are established under Paragraph (2) of Article (30) of the Personal Data Protection Law (PDPL) and Paragraph (4) of Article (32) of the PDPL Implementing Regulations, providing a legal framework and principles for safeguarding personal data in Saudi Arabia.

This article provides an overview of the DPO Rules. It explores controllers' obligations when appointing a DPO and elaborates upon the required credentials, responsibilities, and autonomy of a DPO to comply with the PDPL.

II. Key Definitions Under the Rules

a. Data Protection Officer

A DPO is a natural person, or multiple persons, appointed by the data controller to oversee compliance with the PDPL and its Implementing Regulations. The DPO is tasked with overseeing the implementation of the provisions of PDPL, ensuring that the controller follows appropriate procedures, and manages personal data-related requests in accordance with the PDPL.

b. Competent Authority

The Saudi Data & Artificial Intelligence Authority (SDAIA) is the primary body responsible for enforcing the PDPL and the rules and regulations made thereunder.

c. Core Activities

Activities that are essential to the controller's ability to provide products or services and rely on personal data processing. Examples include insurance companies processing health data for health insurance, finance companies processing credit data for financing products or services, and marketing companies processing personal data for marketing purposes. However, activities supporting the controller’s core business, like HR processing employee data, are not considered core activities.

III. Who Needs to Comply with the Rules

These Rules apply to all controllers subject to the PDPL’s provisions and Implementing Regulations. These Rules are designed to:

• establish minimum requirements for appointing a DPO,
• outline the key roles and responsibilities that the DPO must fulfill.

IV. When to Appoint a DPO

A Controller must appoint one or more individuals responsible for Personal Data protection in the following situations:

1. The controller is a public entity providing large-scale services involving personal data processing.
2. The controller's core activities involve regular and systematic monitoring of data subjects.
3. The controller's core activities involve processing sensitive personal data.

The assessment of whether processing is on a large scale depends on the following factors:

1. The number of data subjects involved.
2. The volume of personal data processed.
3. The type of personal data.
4. The geographical scope of the processing.
5. The variety of data subject categories.

Regular and systematic monitoring of data subjects involves:

1. Collecting personal data using tracking via cookies or other technologies.
2. Using behavioral analytics technologies for risk assessments.
3. Collecting health data through wearables.

V. Obligations of Controllers

A. DPO Requirements

When appointing a DPO, the controller must ensure that:

• the candidate meets specific criteria: they must have relevant academic qualifications and experience in personal data protection,
• possess sufficient knowledge of risk management and handling data breaches,
• be well-versed in regulatory requirements related to personal data protection, and
• demonstrate honesty and integrity, with no prior convictions for dishonesty or breach of trust.

Additional Provisions

• The DPO can be an internal executive, an employee of the controller, or an external contractor.
• The controller can voluntarily appoint a DPO, even if not required, to help ensure compliance with PDPL and its Implementing Regulations.
• Controllers should routinely assess DPO appointments to determine if they are still required or whether their appointment is obligatory under the applicable regulations.
• The controller must enable and assist the DPO in completing their tasks and responsibilities by providing the necessary resources.
• When appointing a DPO, the controller must not provide responsibilities that may clash with DPO tasks or compromise the DPO’s independence.
• When entering into an agreement with a processor for handling personal data, a controller must verify if the processor has a DPO. If the processor is required to appoint a DPO the controller should ensure the processor appoints a DPO.

B. Documentation Requirements

Controllers must appoint a DPO formally in writing. If the DPO is an internal employee, the controller must document their appointment. If the DPO is an external contractor, the controller must enter into an agreement with the contractor.

C. Contact Details

The controller must ensure that data subjects have a clear and accessible way to communicate with the DPO. Additionally, the controller must promptly provide SDAIA with the DPO's contact details upon appointment via the National Data Governance Platform and update these details whenever the DPO changes.

VI. Obligations of a DPO

A DPO must provide controllers with the following:

A. Support and Advice

Providing support and guidance on all aspects of personal data protection, including assisting with developing policies and internal procedures related to data protection.

B. Training and Awareness

Engaging in awareness activities, training, and knowledge transfer to ensure controller personnel understand and comply with data protection laws, regulations, and ethical data handling practices.

C. Data Breach Response Plan

Reviewing and ensuring the adequacy and effectiveness of response plans for Personal Data Breach incidents.

D. Periodic Reports on Data Processing Compliance

Preparing periodic reports on the controller's personal data processing activities and offering recommendations to ensure compliance with legal and regulatory requirements.

E. Staying Updated with SDAIA’s Regulations

Monitoring regulatory documents on personal data protection, including any updates, and informing relevant departments to ensure compliance.

F. Providing Support

Offering support and guidance to those developing and operating technological systems to ensure compliance with legal and regulatory requirements.

VII. How Securiti Can Help

Securiti emerges as a pivotal catalyst for organizations seeking to navigate and comply with Saudi Arabia’s Personal Data Protection Law (PDPL) and its Implementing Regulations. Securiti’s robust modules fortify organizations against potential cyber threats and ensure alignment with Australia’s stringent data privacy laws.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.