In brief

The Saudi Data and AI Authority (SDAIA) has published a procedural guide to data breach incidents, notification and response (the “Guide”). The Guide supplements the existing notification obligations under the Saudi Personal Data Protection Law (PDPL) and provides organizations with guidance on the various stages of responding to a personal data breach incident. The Guide can be found here.

In this article, we have summarized the key takeaways for organizations to consider when implementing response procedures and mechanisms for responding to data breach incidents, including our observations on the extent to which notification obligations under the PDPL align with those under equivalent international legislation.

Key takeaways

Data protection laws commonly require organizations to inform relevant parties of incidents that affect personal data. These parties may include the data subjects whose personal data is affected, as well as regulatory authorities. The PDPL and its implementing regulations impose such obligations on controllers (i.e., organizations that determine the purpose and manner of personal data processing), with a corresponding obligation on processors (i.e., third parties that process personal data on behalf of a controller) to notify the controller. This extends to any incident that leads to the disclosure or destruction of, or unauthorized access to, personal data, whether intentional or accidental.

Breach notification can help regulatory authorities to take swift action to mitigate the risks associated with the breach by ensuring that organizations are responding to the incident and taking appropriate measures to secure personal data. These requirements also help to promote accountability and transparency within organizations that process personal data, as well as mitigate the impact of a data breach by ensuring that affected individuals have the information they need to protect themselves from potential harm. Failure to report a data breach can result in both legal sanctions and reputational damage for the organization.

The Guide is one of a series of guidance papers issued by SDAIA to support the implementation of the PDPL, which became effective in September 2024. Highlights of the Guide include:

  • Clarification of the reporting threshold: The PDPL states that controllers must notify SDAIA upon becoming aware of any breach, damage or illegal access to personal data in accordance with the implementing regulations. The regulations and the Guide clarify that reportable incidents are those that may harm personal data or the data subjects, or which conflict with the rights and interests of the data subjects. Some international laws impose a materiality threshold before the requirement to notify is triggered (for example, the US Federal Trade Commission’s health breach notification rule imposes stricter requirements if the unsecured health data of more than 500 individuals is affected). The Guide does not contain any equivalent thresholds, which suggests that controllers under the PDPL must notify all breaches of any size.
  • Timeline for reporting: Similar to international standards such as the EU General Data Protection Regulation (GDPR), controllers must notify SDAIA of a data breach within 72 hours of becoming aware of such breach. Data subjects must be notified of the data breach “without undue delay” if the breach could harm their personal data or conflict with their rights and interests. However, while the GDPR contains exceptions to the obligation to notify data subjects of a breach (for example, where a controller has implemented appropriate protective measures that have been applied to the affected personal data, or where such notification would require disproportionate effort), there are no such exceptions in the PDPL.
  • Content of notifications: The Guide outlines the information that is required to be included in a notification to SDAIA, including a description of the breach and when/how it occurred, the category and number of data subjects affected by the breach, and an indication of the potential consequences of the incident. These requirements are consistent with the equivalent obligations under the GDPR, so multinationals operating in Saudi Arabia should be able to leverage elements of existing global data breach procedures with respect to breach notification under the PDPL.
  • Incident containment: The Guide provides examples of response and containment measures to be implemented by organizations that experience a data breach. While such examples include best practices that will be familiar to international practitioners – such as identifying the type and quantity of personal data, and the relevant individuals affected – the Guide also notes that organizations should identify the “types of breached personal data that can be changed” and that they should take action to change such data. This suggests that where passwords have been compromised, for example, organizations should act to change such passwords to mitigate risk. While the Guide is intended only to support organizations and does not impose specific legal obligations, this suggests that SDAIA expects organizations to be particularly proactive in working to mitigate risk and harm where possible.
  • Form of notification: Notifications to SDAIA must be made via the National Data Governance Platform. At the time of writing, the online service is only accessible to persons holding an Iqama or Saudi national ID number. In relation to notifications to data subjects, the Guide suggests that these should be made via their usual preferred method of communication (including SMS or email). If the breach extends to a large number of people in the Kingdom, controllers may also notify data subjects by way of a notice on the organization’s website or social media channels.

Next steps

The Guide provides some helpful direction for organizations subject to the PDPL on their obligations and on how to manage the various stages of responding to a data breach incident. Organizations should allocate resources to assessing their existing incident response procedures, considering the extent to which those procedures can be leveraged, and identifying where adjustments may be needed to align with the requirements under the PDPL.

To speak to us or for any assistance in relation to any data and technology-related matters, or issues generally, please feel free to contact one of the Baker McKenzie team members listed above.

Author

Abdulrahman has 16 years of litigation and commercial experience. He represents clients at the Sharia Courts, the Board of Grievance, the SAMA Committee, Labor Committee, Committee for Negotiable Instruments and all other courts and tribunals. He has extensive arbitration experience, both as an arbitrator and also representing clients in arbitration proceedings.

Author

Dino Wilkinson leads Baker McKenzie’s IP, technology and data practice in the Middle East. He is recognised as one of the leading technology lawyers in the region with top-tier team and individual rankings in Chambers Global Guide and the Legal 500.

Author

Zahi specialises in the areas of cross-border and domestic mergers and acquisitions, divestitures, international and domestic joint ventures, global corporate reorganizations, securities and capital markets. He also has a focus on the Telecommunications and Information Technology, Healthcare and Pharmaceutical and Retail and Consumer Goods sectors. Zahi has 21 years of experience in the Middle East.

Author

Marilyn is an associate in the Intellectual Property, Data and Technology team based in London. She joined Baker McKenzie as a Trainee Solicitor in September 2020 and was admitted as a solicitor in England and Wales in September 2022. During her training, Marilyn was seconded to Baker McKenzie's Dubai office for six months and later to Google's commercial legal team for six months.