- Introduction
The Personal Data Protection Law (PDPL) is Saudi Arabia’s first comprehensive legal framework for the protection of personal data. The competent authority that supervises and enforces it is the Saudi Data and Artificial Intelligence Authority (SDAIA). With cybercrime rising worldwide (more than 422 million people were affected by data breaches in 2022 alone), prompt data breach notification has become a core obligation rather than a formality.
- What is a Data Breach Under PDPL?
Under the PDPL, a data breach is any incident that results in unauthorized access to, disclosure, destruction, or alteration of personal data. This covers deliberate attacks such as hacking or ransomware as well as accidental incidents such as misdirected emails or unintended disclosures. Whether the cause is internal mishandling or an external threat, any incident that compromises personal data falls within the PDPL’s scope. Organizations need to understand this breadth so that their incident response plans cover every category of breach they are legally required to handle.
- The Notification Timelines and Obligation
Under the PDPL, data controllers must notify the competent authority (SDAIA) of a breach that may cause harm to individuals’ personal data or infringe their rights and interests. The law itself does not state a deadline; it defers the timeframe to the Implementing Regulations, which require notification to the competent authority within 72 hours of the controller becoming aware of the breach, the same window the GDPR uses. The underlying principle is straightforward: every hour of delay widens the window for harm to affected individuals. Where the breach poses a high risk to data subjects, controllers must also inform the affected individuals without undue delay so that they can protect themselves.
Notifications must include:
- The nature of the breach,
- The categories of personal data impacted,
- Any steps taken to mitigate the harm.
Read Full Blog Here - Breach Alert: Understanding Data Breach Notification Requirements Under Saudi Arabia’s PDPL