On 21 October 2024, the Saudi Data and AI Authority (SDAIA) issued the personal data breach incidents procedural guide, clarifying obligations under the Personal Data Protection Law. The guide outlines that controllers must notify SDAIA within 72 hours of becoming aware of a breach, particularly if it affects the data subjects' rights or interests. The notification must include details such as the time of the breach, the type of personal data involved, and any risks posed to affected individuals. Additionally, controllers are required to inform data subjects if the breach could result in harm, including identity theft or financial fraud. The guide lists three stages that data controllers must follow. Stage one involves notifying SDAIA by submitting a detailed report on the breach. Stage two focuses on containment, where the controller must take steps to address the breach and limit its impact. Stage three requires documentation of the incident and the corrective actions taken.