What Counts as a Data Breach Under Saudi Law?
A personal data breach under the PDPL is any incident that results in — or is likely to result in — unauthorized access, loss, destruction, alteration, or disclosure of personal data. This can include:
- A company's database being hacked
- An employee accidentally emailing your personal information to the wrong person
- Loss of a device containing unencrypted personal data
- Unauthorized internal access to your records
The critical threshold is likelihood of harm to you as the data subject. Not every technical incident automatically triggers notification duties, but anything that could realistically damage your interests does.
---
The 72-Hour Notification Rule
One of the most important provisions of the PDPL for data subjects is the 72-hour breach notification requirement. Under Article 13:
- When a breach occurs that is likely to cause harm, the Controller must notify SDAIA within 72 hours of becoming aware of it
- The Controller must also notify affected Data Subjects — including you — without undue delay if the breach is likely to result in serious harm
This means that if your data has been compromised, you should receive a notification from the organization responsible. That notification should include:
- A description of the nature of the breach
- The categories and approximate volume of data affected
- The likely consequences of the breach
- Steps the organization is taking to address it
- What you can do to protect yourself
---
What Organizations Are Required to Do After a Breach
Following a breach, the Controller must:
- Contain the breach and prevent further unauthorized access or loss
- Assess the risk to affected individuals
- Notify SDAIA within 72 hours
- Inform affected individuals if the breach poses a high risk to their rights and interests
- Document the breach — including what happened, who was affected, and what remedial steps were taken
- Cooperate with SDAIA during any investigation
Failure to notify or cooperate can result in significant additional penalties beyond those for the breach itself.
---
Steps to Take If You Suspect Your Data Has Been Breached
If you believe an organization in Saudi Arabia has suffered a breach involving your data:
1. Contact the Organization Directly
Reach out to the Controller — or their Data Protection Officer if one has been appointed — and ask:
- Whether a breach has occurred
- Whether your data was affected
- What steps are being taken
Request a written response and keep a copy.
2. Monitor Your Accounts
- Watch for unusual activity on your bank accounts, credit cards, and email
- Be alert to signs of identity theft, especially if sensitive data like your ID number or financial details were involved
- Consider changing passwords for accounts associated with the breached service
3. File a Complaint with SDAIA
If the organization fails to inform you of a breach they are legally obligated to report, or if they do not take adequate steps to protect your interests, you can:
- File a complaint directly with SDAIA through their official channels
- Request that SDAIA investigate whether the organization met its notification and security obligations
4. Seek Legal Advice
If you have suffered actual harm — financial loss, reputational damage, or distress — as a result of a breach, consulting a lawyer can help you understand whether you have grounds for further action.
---
Penalties for Organizations That Fail to Manage Breaches Properly
Organizations that fail to comply with breach notification requirements or that do not take adequate security measures face:
- Fines of up to SAR 5 million
- Doubled fines if Sensitive Data was involved
- Criminal penalties, including up to 2 years imprisonment, for intentional or malicious disclosure of personal data
- Publication of the penalty — which can severely damage a company's reputation
---
Practical Prevention Tips for Expats
- Limit the personal data you share with organizations to what is strictly necessary
- Use strong, unique passwords for Saudi online government portals and service accounts
- Enable two-factor authentication wherever possible
- Be cautious of phishing attempts — fraudsters may exploit a breach to impersonate legitimate Saudi organizations
- Keep records of which organizations hold your data so you know who to contact in an emergency