Data Privacy Officer

Overview

The Data Privacy Officer is the operational owner responsible for executing personal data protection requirements. The role maintains the privacy compliance evidence base, coordinates with business, IT, cybersecurity, legal, procurement, and vendors, and ensures that processing activities, data subject requests, privacy impact assessments, breaches, disclosures, processor activities, and cross-border transfers are documented and controlled.

Receive, validate, document, and coordinate responses to data subject requests including access, copy, correction, update, completion, destruction, and consent withdrawal. Ensure requests are acted upon within the required timelines and that extensions, refusals, and justifications are documented. Maintain records for oral and written requests. Operate or coordinate approved communication channels for data subject rights such as email, SMS, national address, electronic applications, or other lawful channels.

Prepare and maintain privacy notices that explain controller identity, contact details, processing purposes, legal basis, retention periods, rights, consent withdrawal, and whether processing is mandatory or optional. Ensure consent is freely given, specific, documented, and separate by processing purpose where required. Maintain consent withdrawal procedures and coordinate cessation of processing where consent is the sole legal basis. Support direct marketing and advertising controls, including opt‑out mechanisms, sender identity disclosure, consent evidence, and immediate halt of marketing upon withdrawal.

Create, maintain, and periodically update written records of personal data processing activities. Ensure records include controller details, DPO information where applicable, purposes, personal data transfers outside the Kingdom, and security measures. Make records available for internal review, audit, management reporting, or competent authority request.

Conduct and document privacy impact assessments for sensitive data, linked datasets, large‑scale or repetitive processing, monitoring, new technologies, automated decisions, or services likely to cause serious privacy harm. Assess processing purpose, legal basis, data sources, recipients, geographical scope, context, proportionality, severity and likelihood of harm, and mitigating controls. Coordinate re‑assessments when processing risks remain high or proposed processing may harm data subject privacy.

Assessments where processing relies on legitimate interest, ensuring necessity, balance of interests, reasonable expectations, and exclusion of sensitive data.

Maintain the personal data inventory and coordinate classification activities with business and system owners. Support classification based on impact, sensitivity, data type, business purpose, and regulatory requirements. Track application of classification controls including protective marking, access, usage, storage, data sharing, retention, disposal, archival, and declassification. Escalate unclear or high‑risk classification decisions to the Chief Data Privacy Officer.

Receive and review data sharing requests from internal or external parties. Preprocess safeguards, sharing duration, frequency, termination, and liability requirements. Review agreements or privacy schedules and coordinate approvals before data is shared. Maintain records of data sharing requests, decisions, agreements, controls, and evidence of implementation.

Maintain the register of personal data transfers or disclosures outside the Kingdom. Conduct transfer risk assessments where required, covering purpose, legal basis, transfer nature, geographical scope, safeguards, data minimization, potential material or moral effects, and mitigation controls. Validate use of approved safeguards such as standard contractual clauses, binding corporate rules, accreditation or certification, or other safeguards…