Safeguarding Data Privacy: Saudi Arabia's New Rules for Personal Data Protection Officers

Following the implementation of the Kingdom of Saudi Arabia’s (KSA) new Personal Data Protection Law (PDPL), the Saudi Data & AI Authority (SDAIA) has issued new rules for appointing Personal Data Protection Officers (DPOs). This represents a significant step in reinforcing data protection and privacy in Saudi Arabia. These rules are designed to align with international best practices and to ensure that entities processing personal data are doing so in a manner that respects individual rights and complies with the PDPL.

The requirement for certain data controllers to appoint a DPO is in line with similar requirements in other jurisdictions, such as the European Union's General Data Protection Regulation (GDPR). The criteria set forth for determining what constitutes large-scale processing and regular and systematic monitoring are crucial for controllers to understand whether they fall under the obligation to appoint a DPO.

DPO Requirements

The emphasis on the qualifications of the DPO, including academic background, experience, and knowledge of data protection and risk management, underscores the importance of the role. The DPO is not just a nominal position but is expected to have a substantive impact on the controller's data protection practices.

The flexibility in allowing the DPO to be either an employee or an external contractor provides controllers with the ability to choose the best arrangement for their operations. However, regardless of the employment status, the DPO's contact details must be made available to both the SDAIA and data subjects, a measure intended to enhance transparency and accountability.

The detailed roles and tasks of the DPO, including policy advising, contributing to data breach response plans, and monitoring regulatory updates, show that the DPO is expected to be actively involved in all aspects of data protection within their organisations.

The requirement for controllers to support the DPO with necessary resources and ensure their independence is also critical. It is envisaged that this will assist with preventing conflicts of interest and will also ensure that the DPO can perform their duties without undue influence from the controller.

Looking Ahead

The encouragement of training and professional development for DPOs is a forward-thinking approach that recognises the evolving nature of data protection laws and practices in the Kingdom. These new rules represent a comprehensive approach to data protection governance, ensuring that entities in KSA are held to a high standard when it comes to handling personal data.

Organisations should consider undertaking a review of their data policies and procedures to ensure that they are in compliance with KSA legislation.
