Qureos


Data Protection Officer

Job Purpose

The Data Protection Officer (DPO) is responsible for overseeing the company’s data protection and privacy compliance framework, ensuring alignment with applicable data protection laws and regulations, including the Saudi Personal Data Protection Law (PDPL), internal policies, and contractual obligations.

The DPO will monitor compliance, advise management on privacy obligations, support the implementation of privacy controls, handle data subject rights matters, coordinate with internal departments, and act as the focal point for privacy governance and regulatory engagement where required.

Key Responsibilities

1. Privacy Governance and Compliance

  • Develop, implement, maintain, and continuously improve the company’s privacy and personal data protection framework.
  • Ensure compliance with Saudi PDPL, implementing regulations, and related regulatory requirements.
  • Establish and maintain privacy policies, procedures, standards, registers, and controls.
  • Monitor compliance across all business units that collect, process, store, share, or delete personal data.
  • Provide practical guidance to management on privacy risks, obligations, and control requirements.

2. Data Inventory and Records Management

  • Maintain Records of Processing Activities (ROPA) and data flow mapping across the organization.
  • Identify categories of personal data, purposes of processing, retention periods, legal basis, processors, and third-party transfers.
  • Ensure personal data inventories remain updated and aligned with operational practices.

3. Data Subject Rights and Consent Management

  • Oversee processes for managing data subject requests such as access, correction, destruction, and withdrawal of consent, where applicable.
  • Ensure proper logging, tracking, review, and closure of data subject requests within required timelines.
  • Review and monitor consent collection mechanisms and privacy notices for adequacy and compliance.

4. Risk Assessment and Privacy by Design

  • Lead or review Privacy Impact Assessments / DPIAs and Legitimate Interest Assessments where required.
  • Ensure privacy requirements are embedded into new systems, applications, projects, vendor onboarding, HR practices, and operational processes.
  • Advise project teams on privacy-by-design and privacy-by-default principles.

5. Third-Party and Contractual Compliance

  • Review and advise on privacy clauses in contracts, DPAs, NDAs, outsourcing agreements, and vendor arrangements.
  • Assess third-party processors and service providers for privacy compliance obligations.
  • Support due diligence activities for vendors handling personal data.

6. Incident and Breach Management

  • Support the personal data breach management process, including reporting, documentation, investigation, and corrective action tracking.
  • Coordinate with IT, Legal, Compliance, HR, and management during privacy incidents.
  • Maintain breach logs and lessons-learned reports.

7. Awareness, Training, and Culture

  • Develop and deliver privacy awareness programs and role-based training across the company.
  • Promote a strong privacy culture and ensure employees understand their responsibilities for handling personal data.
  • Provide targeted awareness to HR, Recruitment, Finance, Payroll, Operations, and IT teams.

8. Monitoring, Audit, and Reporting

  • Conduct periodic privacy compliance reviews and control assessments.
  • Track remediation actions, observations, and improvement plans.
  • Prepare privacy dashboards, compliance reports, and management updates for senior leadership and committees.
  • Support internal and external audits related to privacy and data protection.

9. Regulatory and Internal Coordination

  • Serve as the internal point of contact for data protection matters.
  • Coordinate with regulators, legal advisors, consultants, and auditors on privacy-related matters when needed.
  • Advise management on regulatory developments and emerging privacy risks.

Qualifications

  • Bachelor’s degree in Law, Information Security, Cybersecurity, Compliance, Risk Management, Business Administration, or a related field.
  • Professional certifications are preferred, such as:
      • CIPP/E, CIPP/M, CIPM, CIPT
      • ISO 27701 Lead Implementer / Lead Auditor
      • CDPSE or similar privacy / governance certifications

Experience

  • Minimum 2–4 years of experience in data protection, privacy compliance, legal compliance, governance, risk, or information security.
  • Experience in designing or managing privacy compliance programs.
  • Experience with data mapping, DPIA, vendor reviews, breach handling, and policy development.
  • Experience working with Saudi regulatory requirements and PDPL is strongly preferred.

Knowledge and Skills

  • Strong understanding of personal data protection laws, especially Saudi PDPL.
  • Good knowledge of governance, risk, compliance, and information security principles.
  • Ability to translate legal and regulatory requirements into practical business controls.
  • Strong policy drafting, documentation, and reporting skills.
  • Strong stakeholder management and communication skills.
  • Ability to handle confidential and sensitive matters with professionalism.
  • Analytical thinking, attention to detail, and problem-solving ability.
  • Ability to work cross-functionally with HR, Recruitment, Operations, Finance, Payroll, Legal, and IT.
