KSAPDPL.COM

Personal Data Breach Incidents Procedural Guide – STAGE TWO: Breach Incident Containment

Personal Data Breach Incidents Procedural Guide Stage Two says that after discovering a personal data breach, the Controller must swiftly take action to contain the incident. This includes identifying the breached data and affected individuals, securing or changing exposed data (like passwords or credit card numbers), and evaluating the potential harm. If the breach poses risks to individuals’ rights, safety, or finances, the Controller must notify those affected without delay. The notification must be clear and actionable, using communication methods suitable to the audience—ranging from direct messages to public announcements if the impact is widespread.

Contain the breach, secure the data, and notify affected individuals clearly and promptly if there is any risk to them.

Personal Data Breach Incidents Procedural Guide Stage Two

Contain the Breach

The Controller shall implement response and containment procedures for personal data breach incidents in accordance with best international practices and relevant regulatory requirements, including, but not limited to, the following measures to control the incident:

(1) Identifying the type and quantity of personal data breached.

(2) Identifying the types of breached personal data that can be changed (such as email addresses, passwords, confidential inquiries, credit card numbers, etc.) and taking action to change or invalidate that data, for example by forcing a password reset or replacing the exposed card.

(3) Identifying the individuals affected by the breach, based on the type of personal data breached.

Notify the Data Subjects

The Controller shall notify the Data Subjects without undue delay if the breach results in damage to their data or prejudices their rights or interests, including, but not limited to: damage related to exercising the Data Subject's rights, physical harm such as stalking or assault, or economic damage such as fraud or identity theft.

Notice Methods

(1) The Controller may notify the Data Subject by any appropriate means, in accordance with the Data Subject's preferred communication methods, including, but not limited to, text messages or e-mail.

(2) If the breach damage extends to a large group of people at the national level, the Controller may, in addition to the means in paragraph (1) above, notify the Data Subjects by other means, including, but not limited to, the Controller's website, the Controller's official accounts on social media platforms, or the media, provided that the content of the notice complies with the applicable legal requirements in the Kingdom.

Notice Description

The notice provided to the Data Subject shall be written in a clear and simple manner and shall include the following:

(1) A detailed explanation of the personal data breach incident.

(2) An explanation of the potential risks arising from the incident and the measures taken to prevent, avoid, or mitigate their consequences.

(3) The Controller's name and contact details, those of its DPO (if any), or any other appropriate means of communicating with the Controller.

(4) Guidelines and advice to help the affected Data Subject take appropriate action to avoid the potential risks or mitigate their consequences, such as economic damage (e.g., fraud or identity theft).

Explanation of Personal Data Breach Incidents Procedural Guide Stage Two

Act quickly to mitigate damage:

Stage Two requires Controllers to take immediate measures to contain the breach: identify the affected data, secure or change any data that can be changed (credentials, card numbers), and establish the scope of impact.

Link data to individuals:

Determine who was affected, based on the type of data involved, so that response actions and notifications can be targeted correctly.

Trigger notification to Data Subjects:

If the breach harms or puts at risk individuals' rights, safety, or finances (e.g., fraud, stalking), Controllers must notify the affected individuals without undue delay.

Choose suitable communication methods:

Use the Data Subject's preferred channel (e.g., SMS, e-mail). If the breach affects a large group of people, the Controller may additionally notify via its website, official social media accounts, or the media, provided the content of the notice is lawful.

What the notice must contain:

A clear explanation of the incident, the potential risks, the mitigation measures taken, and the contact details of the Controller or its DPO.

Guidance to affected individuals:

Steps Data Subjects can take to reduce the risk or recover, such as monitoring for identity theft or securing their accounts.
