
Personal Data Breach Incidents Procedural Guide – STAGE ONE: SDAIA Notice

Personal Data Breach Incidents Procedural Guide Stage One says that as soon as a Controller becomes aware of a personal data breach that could harm individuals or violate their rights, they must notify SDAIA within 72 hours. This notice must be submitted via the National Data Governance Platform, and registration is required. The report must include a detailed description of the incident, the type and amount of data affected, the risks involved, the remedial actions taken, future mitigation plans, and whether the impacted individuals have been informed. If a Processor or third party experiences the breach, they must notify the Controller, who remains responsible for coordinating the official notice to SDAIA.

Controllers must inform SDAIA of serious personal data breaches within 72 hours via the National Platform, providing detailed incident information and response actions.

Personal Data Breach Incidents Procedural Guide Stage One

Notify SDAIA Promptly

Without prejudice to submitting any report or notice of a personal data breach pursuant to regulations issued by the National Cybersecurity Authority (NCA) and any other applicable regulations and rules in the Kingdom of Saudi Arabia, the Controller shall notify SDAIA within a period not exceeding (72) hours from the time it becomes aware of the incident, if the incident is expected to harm the personal data or the Data Subjects or conflicts with their rights or interests. The notice is submitted through the personal data breach notification service provided by the National Data Governance Platform; registration on this platform is required to use the service. Upon a personal data breach, the Controller is required to compile a notice that includes:

1. A description of the personal data breach, including the time, date, how it occurred, and when the Controller became aware of the incident.

2. The category of Data Subjects, their actual or approximate number, and the type and nature of the personal data affected.

3. A description of the risks arising from the personal data breach, detailing the actual or potential consequences and risks to the personal data or the Data Subjects, and the remedial actions undertaken by the Controller to prevent, mitigate, or minimize those risks, together with the appropriate future measures the Controller will implement to prevent or avoid a recurrence of the incident.

4. An indication of whether the Data Subjects have been or will be notified of the personal data breach, in accordance with the requirements set out in the second stage of this guide.

5. Contact details of the Controller or its personal data protection officer (if any), or of any other person who has information about the incident being reported.

NOTE

Upon subsequent contracts as stated in Article (8) of the PDPL, the Processor or any other entity shall follow the above Notice Requirements in coordination with the Controller.

Explanation of Personal Data Breach Incidents Procedural Guide Stage One

Report high-risk breaches within 72 hours:

Personal Data Breach Incidents Procedural Guide Stage One says that if a personal data breach could harm data subjects or their rights, Controllers must report it to SDAIA within 72 hours of discovery using the National Data Governance Platform.

Describe the breach and affected data:

Personal Data Breach Incidents Procedural Guide Stage One (1) says that the notice must explain when and how the breach occurred, what data and individuals were involved, and the potential impact.

Outline current and future containment steps:

Personal Data Breach Incidents Procedural Guide Stage One (2) says that Controllers must share what they’ve done to limit harm and what they will do to prevent recurrence.

Indicate notification to affected individuals:

Personal Data Breach Incidents Procedural Guide Stage One (3) says that the notice should clarify if the individuals impacted have been or will be informed, linking to the next stage’s requirements.

Identify someone SDAIA can contact:

Personal Data Breach Incidents Procedural Guide Stage One (4) says that Controllers must share contact details of the DPO or someone knowledgeable about the incident.

Vendors can't report independently:

Personal Data Breach Incidents Procedural Guide Stage One (5) says that processors or third parties must inform the Controller, who is responsible for reporting to SDAIA.
