What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Saudi Arabia’s new Personal Data Protection Law (PDPL) states that controllers (such as employers) can designate one or more staff members to be responsible for implementing the PDPL and associated regulations. Note that entities outside of Saudi Arabia that process the personal data of Saudi Arabia residents will be required to appoint a licensed representative in the country.
The regulations are still in development and should provide more clarity about Data Protection Officers' responsibilities and requirements.