Saudi Arabia’s first ever data protection law becomes fully enforceable on 14th September 2024. The Personal Data Protection Law (PDPL) regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains a requirement for some Data Controllers to appoint a Data Protection Officer (DPO). On 8th July 2024 the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, published draft rules for the appointment of a DPO under the PDPL.
Who needs to appoint a DPO?
Article 5 of the draft rules states the following Data Controllers need to appoint a DPO:
- A Public Entity that provides services involving processing of personal data on a large scale
- A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects
- A Controller whose core activities are based on processing of sensitive personal data.
Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law.
What skills does a DPO require?
Article 4 states that, when appointing a DPO, a Controller must ensure that the following requirements are met:
- Having appropriate academic qualifications and experience in the field of Personal Data protection
- Having sufficient knowledge of the Controller’s business and activities that involve processing of Personal Data
- Having sufficient knowledge of Personal Data breach risks
- Having sufficient knowledge of regulatory measures for Personal Data protection and other relevant organisational measures for performing DPO tasks.
- Honesty and integrity, and not having been convicted of any offence involving dishonesty or breach of trust.
Who can be a DPO?
The DPO may be an executive or employee of the Controller, or an external contractor. They must be appointed in writing and the appointment publicised within the Controller’s organisation. Their contact details must be published in the Controller’s Privacy Notice.
Article 7 of the draft rules requires the Controller to immediately provide the regulator with contact details of the DPO upon their appointment through the National Data Governance Platform. Interestingly, the regulator has the power to request replacement of a DPO if it is found that he/she is not competent.
Role and Task
The DPO shall be responsible for the following tasks set out in Article 8:
1. Providing support and advice regarding all aspects of Personal Data protection, including contributing to developing policies and internal procedures related to Personal Data protection at Controller.
2. Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.
3. Contributing to reviewing plans of response to Personal Data Breach incidents, and ensuring that such plans are adequate and effective.
4. Preparing periodic reports regarding Controller activities related to processing of Personal Data, and providing recommendations to ensure compliance with provisions of the Law and its Regulations.
5. Maintaining the confidentiality of Personal Data and its level of sensitivity, based on its classification and relevant regulatory requirements to determine the adequate level of protection and processing mechanism.
6. Monitoring the Competent Authority’s issued laws, regulations and instructions and the equivalent, implementing any amendments thereto and informing the relevant departments of the same to ensure compliance therewith.
7. Collaborating with individuals responsible for implementing activities related to AI ethics to ensure that the requirements of Personal Data protection and Data Subjects’ privacy are met.
Training for the DPO
The draft rules place great importance on training for and by the DPO. Article 9(4) states:
“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.”
This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is:
“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.”
Organisations doing business in the Middle East need to carefully consider the impact of the new rules. Thought must be given to the appointment and training of a suitably qualified DPO. Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one-hour awareness-raising webinars to full-day workshops and DPO certificate courses.