Safeguarding Data Privacy: Saudi Arabia's New Rules for Personal Data Protection Officers

Following the implementation of the Kingdom of Saudi Arabia’s (KSA) new Personal Data Protection Law (PDPL), the Saudi Data & AI Authority (SDAIA) has issued new rules for appointing Personal Data Protection Officers (DPOs). This represents a significant step in reinforcing data protection and privacy in Saudi Arabia. These rules are designed to align with international best practices and to ensure that entities processing personal data are doing so in a manner that respects individual rights and complies with the PDPL.

The requirement for certain data controllers to appoint a DPO is in line with similar requirements in other jurisdictions, such as the European Union's General Data Protection Regulation (GDPR). The criteria set forth for determining what constitutes large-scale processing and regular and systematic monitoring are crucial for controllers to understand whether they fall under the obligation to appoint a DPO.

DPO Requirements

The emphasis on the qualifications of the DPO, including academic background, experience, and knowledge of data protection and risk management, underscores the importance of the role. The DPO is not just a nominal position but is expected to have a substantive impact on the controller's data protection practices.

The flexibility in allowing the DPO to be either an employee or an external contractor provides controllers with the ability to choose the best arrangement for their operations. However, regardless of the employment status, the DPO's contact details must be made available to both the SDAIA and data subjects, a measure intended to enhance transparency and accountability.

The detailed roles and tasks of the DPO, including policy advising, contributing to data breach response plans, and monitoring regulatory updates, show that the DPO is expected to be actively involved in all aspects of data protection within their organisations.

The requirement for controllers to support the DPO with necessary resources and ensure their independence is also critical. It is envisaged that this will assist with preventing conflicts of interest and will also ensure that the DPO can perform their duties without undue influence from the controller.

Looking Ahead

The encouragement of training and professional development for DPOs is a forward-thinking approach that recognises the evolving nature of data protection laws and practices in the Kingdom. These new rules represent a comprehensive approach to data protection governance, ensuring that entities in KSA are held to a high standard when it comes to handling personal data.

Organisations should consider undertaking a review of their data policies and procedures to ensure that they are in compliance with KSA legislation.
