Description

Adopted SDAIA’s Rules for Appointing Personal Data Protection Officer

On 27 August 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) adopted and published the Rules for Appointing Personal Data Protection Officers (DPOs). The Rules apply to all controllers covered by the provisions of the Law and its Implementing Regulations and aim to set minimum requirements for appointing DPOs, including adequate qualifications in data protection, knowledge of risk and regulatory requirements, and ethical integrity. The Rules require the appointment of a DPO for entities processing personal data on a large scale, engaging in systematic data monitoring, or processing sensitive data. The Rules expand the responsibilities of the DPO to include policy development, reviewing data breach response plans, preparing compliance reports, and participating in training and knowledge-transfer activities.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2024-07-08
in consultation

On 8 July 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) opened a public consul…

2024-08-06
processing consultation

On 6 August 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the public co…

2024-08-27
adopted

On 27 August 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) adopted and publish…