National Data Management Office (NDMO)
The National Data Management Office (NDMO) is the national regulatory and reference body for data management and governance in the Kingdom of Saudi Arabia. It is responsible for establishing governance policies, mechanisms, standards, and controls related to data and artificial intelligence (AI) and monitoring compliance with them after approval. The office was established in 2019. It is organizationally affiliated with the Saudi Data and Artificial Intelligence Authority (SDAIA).
Objectives of NDMO
NDMO seeks to achieve several objectives, including: Developing a national data governance framework, defining the policies and regulations for data management, governance, and protection, promoting a culture of data sharing, enabling integration among government entities, supporting government entities in formulating policies and executing their plans, and maintaining the privacy of personal data and the confidentiality of sensitive data.
The office objectives also include: Protecting individuals' rights when handling personal and public data by government entities, preserving the digital national sovereignty over personal data, enhancing public oversight standards of public entities' performance, increasing trust in data-driven services, and improving the level of electronic services and transactions to achieve integration.
Policies of NDMO
The office contributes to advancing the maturity of the data and AI field. It has issued seven national data governance policies, including: Data Classification Policy, which protects national data confidentiality across four levels: Top Secret, Secret, Restricted, and Public, and Personal Data Protection Policy, which regulates the collection, processing, and sharing of personal data while preserving digital national sovereignty over it.
Among the seven policies is the Information Sharing Policy, which is concerned with enhancing the sharing of data and access to it from its original sources. This policy fosters collaboration among government entities. Additionally, the Freedom of Information Policy regulates the public's access to public information or obtaining it from government entities in all its forms.
The Children's Personal Data Protection Policy serves as a supportive framework for relevant entities to safeguard children from potential risks, including violence, abuse, assault, threats, harm, or exploitation, that may arise from the collection and processing of their personal data through websites and digital applications.
The General Rules for the Transfer of Personal Data Outside Saudi Arabia aim to maintain digital national sovereignty over personal data and provide the best levels of protection when transferring personal data outside Saudi Arabia.
Implementation of NDMO Policies
The policies and controls issued by NDMO apply to all forms of data, regardless of their source, format, or nature. This includes paper records, meetings, communications via messaging platforms and apps, emails, data stored on electronic media, audio and video tapes, maps, photos, manuscripts, handwritten documents, and any form of registered data.