On October 21, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) published its Personal Data Breach Incidents Procedural Guide, addressing the necessary procedures to deal with personal data breaches and reduce the consequences and risks to data subjects. What is the scope of the guide? The guide applies to all data controllers subject to the provisions of the Personal Data Protection Law (PDPL) and its Implementing Regulations. What does SDAIA recommend for data breach cases? The guide breaks down the process of dealing with data breaches in three stages. Stage 1: Notification to SDAIA Controllers shall notify data breaches to SDAIA in a period not exceeding 72 hours from the
News
Saudi Arabia: SDAIA publishes guide on data breaches
October 23, 2024
Summary
The Saudi Data & Artificial Intelligence Authority (SDAIA) released a Personal Data Breach Incidents Procedural Guide on October 21, 2024, outlining steps for data controllers under the Personal Data Protection Law (PDPL) to handle personal data breaches. The guide details a three-stage process: immediate notification to SDAIA within 72 hours, containment measures including notifying affected individuals, and documentation of the breach and corrective actions. Notifications must include a comprehensive description of the breach, potential risks, and contact details of the controller or Data Protection Officer (DPO). The guide emphasizes clear communication to data subjects and coordination between processors and controllers in the event of a breach.