Safeguarding Data Privacy: Saudi Arabia's New Rules for Personal Data Protection Officers

Following the implementation of the Kingdom of Saudi Arabia’s (KSA) new Personal Data Protection Law (PDPL), the Saudi Data & AI Authority (SDAIA) has issued new rules for appointing Personal Data Protection Officers (DPOs). This represents a significant step in reinforcing data protection and privacy in Saudi Arabia. These rules are designed to align with international best practices and to ensure that entities processing personal data are doing so in a manner that respects individual rights and complies with the PDPL.

The requirement for certain data controllers to appoint a DPO is in line with similar requirements in other jurisdictions, such as the European Union's General Data Protection Regulation (GDPR). The criteria set forth for determining what constitutes large-scale processing and regular and systematic monitoring are crucial for controllers to understand whether they fall under the obligation to appoint a DPO.

DPO Requirements

The emphasis on the qualifications of the DPO, including academic background, experience, and knowledge of data protection and risk management, underscores the importance of the role. The DPO is not just a nominal position but is expected to have a substantive impact on the controller's data protection practices.

The flexibility in allowing the DPO to be either an employee or an external contractor provides controllers with the ability to choose the best arrangement for their operations. However, regardless of the employment status, the DPO's contact details must be made available to both the SDAIA and data subjects, a measure intended to enhance transparency and accountability.

The detailed roles and tasks of the DPO, including policy advising, contributing to data breach response plans, and monitoring regulatory updates, show that the DPO is expected to be actively involved in all aspects of data protection within their organisations.

The requirement for controllers to support the DPO with necessary resources and ensure their independence is also critical. It is envisaged that this will assist with preventing conflicts of interest and will also ensure that the DPO can perform their duties without undue influence from the controller.

Looking Ahead

The encouragement of training and professional development for DPOs is a forward-thinking approach that recognises the evolving nature of data protection laws and practices in the Kingdom. These new rules represent a comprehensive approach to data protection governance, ensuring that entities in KSA are held to a high standard when it comes to handling personal data.

Organisations should consider undertaking a review of their data policies and procedures to ensure that they are in compliance with KSA legislation.
