Saudi Arabia: Published Implementing Regulation of the Personal Data Protection Law including cybersecurity regulation

On 7 September 2023, the final version of the Implementing Regulation of the Personal Data Protection Law (PDPL) was published. The Implementing Regulation stipulates that data controllers must implement comprehensive security measures to safeguard personal data and privacy. In the event of a data breach, the controller is obliged to notify the authority within 72 hours, providing a detailed account of the incident and the corrective measures that have been or will be taken. Furthermore, data controllers are required to notify affected data subjects if a breach may cause damage to their data or conflict with their rights or interests. The Implementing Regulation will be enforced once the PDPL becomes effective; the PDPL will be fully implemented on 14 September 2024, after the lapse of a one-year grace period.