Saudi Arabia publishes guidance on data breach notification

In brief

The Saudi Data and AI Authority (SDAIA) has published a procedural guide to data breach incidents, notification and response ("Guide"). The Guide supplements the existing notification obligations under the Saudi Personal Data Protection Law (PDPL) and provides organisations with guidance on the various stages of responding to a personal data breach incident. The Guide can be found here.

In this article, we have summarised the key takeaways for organisations to consider when implementing response procedures and mechanisms for responding to data breach incidents, including our observations on the extent to which notification obligations under the PDPL align with those under equivalent international legislation.

Key takeaways

Data protection laws commonly require organisations to inform relevant parties of incidents that affect personal data. These parties may include the data subjects whose personal data is affected, as well as regulatory authorities. The PDPL and its implementing regulations impose such obligations on controllers (i.e., organisations that determine the purpose and manner of personal data processing), with a corresponding obligation on processors (i.e., third parties that process personal data on behalf of a controller) to notify the controller. This extends to any incident that leads to the disclosure or destruction of, or unauthorised access to, personal data, whether intentional or accidental.

Breach notification can help regulatory authorities to take swift action to mitigate the risks associated with the breach by ensuring that organisations are responding to the incident and taking appropriate measures to secure personal data. These requirements also help to promote accountability and transparency within organisations that process personal data, as well as mitigate the impact of a data breach by ensuring that affected individuals have the necessary information to protect themselves from potential harm. Failure to report a data breach can result in both legal sanctions and reputational damage for the organisation.

The Guide is one of a series of guidance papers issued by SDAIA to support the implementation of the PDPL, which became effective in September 2024. Highlights of the Guide include:

  • Clarification of the reporting threshold: The PDPL states that controllers must notify SDAIA upon becoming aware of any breach, damage or illegal access to personal data in accordance with the implementing regulations. The regulations and the Guide clarify that reportable incidents are those that may harm personal data or the data subjects, or which conflict with the rights and interests of the data subjects. Some international laws impose a materiality threshold before the requirement to notify is triggered (for example, the US Federal Trade Commission's health breach notification rule imposes stricter requirements if the unsecured health data of more than 500 individuals is affected). The Guide does not contain any equivalent thresholds, which suggests that controllers under the PDPL must notify all breaches of any size.
  • Timeline for reporting: Similar to international standards such as the EU General Data Protection Regulation (GDPR), controllers must notify SDAIA of a data breach within 72 hours of becoming aware of such breach. Data subjects must be notified of the data breach "without undue delay" if the breach could harm their personal data or conflict with their rights and interests. However, while the GDPR contains exceptions to the obligation to notify data subjects of a breach (for example, where a controller has implemented appropriate protective measures that have been applied to the affected personal data, or where such notification would require disproportionate effort), there are no such exceptions in the PDPL.
  • Content of notifications: The Guide outlines the information that is required to be included in a notification to SDAIA, including a description of the breach and when/how it occurred, the category and number of data subjects affected by the breach, and an indication of the potential consequences of the incident. These requirements are consistent with the equivalent obligations under the GDPR, so multinationals operating in Saudi Arabia should be able to leverage elements of existing global data breach procedures with respect to breach notification under the PDPL.
  • Incident containment: The Guide provides examples of response and containment measures to be implemented by organisations that experience a data breach. While such examples include best practices that will be familiar to international practitioners – such as identifying the type and quantity of personal data, and the relevant individuals affected – the Guide also notes that organisations should identify the "types of breached personal data that can be changed" and that they should take action to change such data. This suggests that where passwords have been compromised, for example, organisations should act to change such passwords to mitigate risk. While the Guide is intended only to support organisations and does not impose specific legal obligations, this suggests that SDAIA expects organisations to be particularly proactive in working to mitigate risk and harm where possible.
  • Form of notification: Notifications to SDAIA must be made via the National Data Governance Platform. At the time of writing, the online service is only accessible to persons holding an Iqama or Saudi national ID number. In relation to notifications to data subjects, the Guide suggests that these should be made via their usual preferred method of communication (including SMS or email). If the breach extends to a large number of people in the Kingdom, controllers may also notify data subjects by way of a notice on the organisation's website or social media channels.

Next steps

The Guide provides some helpful direction for organisations subject to the PDPL on their obligations and on how to manage the various stages of responding to a data breach incident. Organisations should allocate resources to assessing existing incident response procedures, considering the extent to which such procedures can be leveraged, and identifying where adjustments may be needed to align with the requirements under the PDPL.

To speak to us or for any assistance in relation to any data and technology-related matters, or issues generally, please feel free to contact one of the Baker McKenzie team members listed above.

Copyright © 2024 Baker & McKenzie. All rights reserved.