Data Protection Officer (DPO)

What is a DPO?
The Personal Data Protection Law (PDPL) makes it compulsory for some organisations to appoint a data protection officer (DPO), an expert in data protection law and practice. The PDPL provides for potential fines of up to SAR 5,000,000 in cases of non-compliance.

Does the PDPL mean that I must appoint a data protection officer (DPO)?
The PDPL specifies that the following types of organisation must appoint a DPO:

Controller shall appoint one or more individuals to be responsible for protection of Personal Data in any of the following cases:
1- Controller is a Public Entity that provides services involving Processing of Personal Data on a large scale.
2- Controller core activities are based on processing operations that, by their nature, require regular and systematic monitoring of Data Subjects.
3- Core activities of Controller are based on processing of sensitive Personal Data.

Who can be a DPO?
The DPO is the data protection focal point in the organisation and should possess expert knowledge of data protection laws and practices. They should have adequate experience in the data privacy domain and should understand the business of the organisation. They should hold professional experience at managerial level in a cyber security, risk and compliance, or IT department.

Where should / can the DPO be based?
The DPO can be either in-house or outsourced. Smaller companies do not need a full-time DPO; they can outsource the role to a qualified market party under a service contract.

What can I do if I cannot find a DPO for my organisation?
The PDPL allows organisations to outsource the role of DPO to a third-party service provider. It also recognises that many organisations will not need a full-time DPO; the role may be filled on a part-time basis.

How to get DPO services?
If, at any time, you choose to outsource or contract out your DPO role to us:

  • You pay for a minimum of one hour per month
  • Your hour per month can be used as you wish
  • Additional hours can be purchased if required

What will a DPO for my Organization do?

  • Work with the board and senior management on the organisation’s privacy framework
  • Inform and advise the organisation about its obligations to comply with the PDPL
  • Assist with subject access requests, requests to be forgotten and the other rights of the data subject
  • Provide advice and guidance on data protection issues
  • Monitor compliance with the PDPL
  • Draft policies and processes
  • Manage internal data protection activities
  • Advise on data protection impact assessments (DPIAs)
  • Train staff
  • Conduct internal audits
  • Be the first point of contact for the supervisory authority
  • Be the first point of contact for individuals whose data is processed (employees, customers, etc.)

What do we have to do to support the DPO?
You must ensure that:

  • The DPO is involved, closely and in a timely manner, in all data protection matters
  • The DPO reports to the highest management level of your organisation, i.e. Board level
  • The DPO operates independently and is not dismissed or penalised for performing their tasks
  • You provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their PDPL obligations, and to maintain their expert level of knowledge
  • You give the DPO appropriate access to personal data and processing activities
  • You give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information
  • You seek the advice of your DPO when carrying out a DPIA
  • You record the details of your DPO as part of your records of processing activities

This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level, but they must have direct access to give advice to the senior managers who make decisions about personal data processing.

What details do we have to publish about the DPO?
The PDPL requires that:
1- The DPO must be appointed in writing, and the Controller must:
A. Document the appointment of the DPO if they are an employee of the Controller.
B. Conclude an agreement with the external contractor when appointing a contractor outside the Controller as the DPO.
2- The appointment of the DPO and their contact details must be promptly announced within the Controller.

How much is it going to cost me?
Depending on the size and nature of your business, a full-time DPO can be very expensive. However, you have the option to hire a part-time DPO, or to outsource or contract out the services of the DPO.

How can we help?
Having a DPO is one of the key ways of demonstrating compliance with the PDPL. We provide you with the best industry resources, who can serve in the role of Data Protection Officer (DPO) as a service for your organisation. You may require a DPO because of the mandatory requirements, or you may wish to appoint one to demonstrate compliance with the applicable privacy law to your data subjects and your business partners, as a visible part of your compliance framework.