Data Privacy Officer

البيت الأهلي للتمويل
Jiddah, KSA
Full-time
Entry
Full Job Posting

Overview

1. Role Summary

The Data Privacy Officer is the operational owner responsible for executing personal data protection requirements. The role maintains the privacy compliance evidence base, coordinates with business, IT, cybersecurity, legal, procurement, and vendors, and ensures that processing activities, data subject requests, privacy impact assessments, breaches, disclosures, processor activities, and cross-border transfers are documented and controlled.

2.

2.1 Data Subject Rights and Communication Channels

· Receive, validate, document, and coordinate responses to data subject requests including access, copy, correction, update, completion, destruction, and consent withdrawal.
· Ensure requests are acted upon within the required timelines and that extensions, refusals, and justifications are documented.
· Verify requester identity before executing rights requests and maintain records for oral and written requests.
· Operate or coordinate approved communication channels for data subject rights such as email, SMS, national address, electronic applications, or other lawful channels.

2.2 Privacy Notices, Consent, and Marketing Controls

· Prepare and maintain privacy notices that explain controller identity, contact details, processing purposes, legal basis, retention periods, rights, consent withdrawal, and whether processing is mandatory or optional.
· Coordinate consent capture and evidence, ensuring consent is freely given, specific, documented, and separate by processing purpose where required.
· Maintain consent withdrawal procedures and coordinate cessation of processing where consent is the sole legal basis.
· Support direct marketing and advertising controls, including opt-out mechanisms, sender identity disclosure, consent evidence, and immediate halt of marketing upon withdrawal.

2.3 Records of Processing Activities

· Create, maintain, and periodically update written records of personal data processing activities.
· Ensure records include controller details, DPO information where applicable, purposes, personal data categories, data subject categories, retention periods, disclosure recipients, transfers outside the Kingdom, and security measures.
· Make records available for internal review, audit, management reporting, or competent authority request.

2.3 Privacy Impact Assessment

· Conduct and document privacy impact assessments for sensitive data, linked datasets, large-scale or repetitive processing, monitoring, new technologies, automated decisions, or services likely to cause serious privacy harm.
· Assess processing purpose, legal basis, data sources, recipients, geographical scope, context, proportionality, severity and likelihood of harm, and mitigating controls.
· Coordinate re-assessments when processing risks remain high or proposed processing may harm data subject privacy.
· Support legitimate interest assessments where processing relies on legitimate interest, ensuring necessity, balance of interests, reasonable expectations, and exclusion of sensitive data.

2.4 Data Classification and Inventory Support

· Maintain the personal data inventory and coordinate classification activities with business and system owners.
· Support classification based on impact, sensitivity, data type, business purpose, and regulatory requirements.
· Track application of classification controls including protective marking, access, usage, storage, data sharing, retention, disposal, archival, and declassification.
· Escalate unclear or high-risk classification decisions to the Chief Data Privacy Officer.

2.5 Data Sharing Operations

· Receive and review data sharing requests from internal or external parties.
· Validate purpose, legal basis, data minimization, classification, authorization, data type, preprocessing, safeguards, sharing duration, frequency, termination, and liability requirements.
· Prepare data sharing agreements or privacy schedules and coordinate approvals before data is shared.
· Maintain records of data sharing requests, decisions, agreements, controls, and evidence of implementation.

2.6 Cross-Border Transfer Operations

· Maintain the register of personal data transfers or disclosures outside the Kingdom.
· Conduct transfer risk assessments where required, covering purpose, legal basis, transfer nature, geographical scope, safeguards, data minimization, potential material or moral effects, and mitigation controls.
· Validate use of approved safeguards such as standard contractual clauses, binding common rules, accreditation/certification, or other safeguards approved by the competent authority.
· Monitor transfers for changes in safeguards, sub-processors, countries, transfer purpose, or regulatory conditions and escalate issues requiring halt or remediation.

2.7 Processor and Third-Party Privacy Compliance

· Review third-party and processor privacy questionnaires, due diligence evidence, and contractual privacy clauses.
· Ensure processor agreements define processing purpose, personal data categories, processing duration, breach notification duties, foreign regulatory exposure, mandatory disclosures, sub-processors, and data destruction/return requirements.
· Track processor and sub-processor approvals, objections, assurance reviews, and remediation actions.
· Coordinate periodic processor compliance assessments and maintain evidence.

2.8 Personal Data Breach and Incident Support

· Coordinate with cybersecurity and incident response teams to identify whether a security incident qualifies as a personal data breach.
· Prepare breach analysis including time/date/circumstances, data categories, number of affected data subjects, type of personal data, risks, actions taken, future mitigation, and contact details.
· Support notification to the competent authority within the required timeframe where applicable.
· Prepare data subject notification content in simple and clear language where the breach may harm data subjects or conflict with their rights or interests.
· Maintain breach reports, corrective actions, supporting evidence, and lessons learned.

2.9 Retention, Destruction, and Data Quality

· Maintain retention and destruction procedures for personal data, including operational data, archived data, and backups where applicable.
· Coordinate destruction requests and ensure notifications are sent to parties to whom data was previously disclosed when required.
· Ensure personal data accuracy, completeness, timeliness, correction documentation, and notification to relevant recipients following correction.
· Track disposal evidence and escalate gaps in secure destruction or retention compliance.

2.10 Awareness, Monitoring, and Evidence Management

· Conduct privacy awareness activities and maintain attendance, communication, and training evidence.
· Perform periodic privacy compliance checks and prepare dashboards for the Chief Data Privacy Officer.
· Maintain audit-ready evidence for policies, procedures, assessments, rights requests, breaches, transfers, processors, data sharing, and corrective actions.
· Follow up remediation plans and report overdue risk items.

3. Required Deliverables Owned by the Data Privacy Officer

· Data subject rights register and request evidence.
· Privacy notice register and consent/withdrawal evidence.
· Records of processing activities register.
· Privacy impact assessments and legitimate interest assessments.
· Personal data inventory and classification evidence.
· Data sharing request register and data sharing agreements.
· Cross-border transfer register and transfer risk assessments.
· Processor due diligence records, contract review evidence, and sub-processor approval records.
· Personal data breach notification packs and corrective action evidence.
· Retention, destruction, correction, and data quality records.
· Privacy compliance dashboard and awareness records.
