Data Breach Response: The 72-Hour Plan

PDPL requires controllers to notify the Saudi Data and AI Authority (SDAIA) within 72 hours of discovering a breach that is likely to result in harm. Unjustified delay exposes to accountability and penalties.

Detection and classification: a mechanism to identify incidents — monitoring, internal reporting, initial classification (critical, high, medium, low). Classification determines response level and allocated resources.

Containment: isolate affected systems, stop the leak, prevent spread. Balance between speed and preserving evidence for investigation. Document every action taken.

SDAIA notification: typical content includes nature of the breach, data affected, approximate number of data subjects, potential consequences, and measures taken or planned. Official channels — the electronic portal or methods specified by the Authority.

The first hours after breach discovery are critical — SDAIA notification within 72 hours and structured incident management limit regulatory and legal risk.

Data subject notification: when harm is likely, PDPL requires notifying data subjects. Timing and content — including recommendations (password change, vigilance) — are determined case by case.

Evidence preservation: do not modify affected systems before preserving copies for forensics. Cooperate with internal or external forensic investigators. Chain of custody is essential for any subsequent legal action.

Coordination with NCA: cybersecurity incidents may also require notification to the National Cybersecurity Authority under ECC controls. Coordination between the DPO and security team ensures all reporting obligations are met.

Post-incident review: root cause analysis, update of controls and policies, team training on lessons learned. Document the incident and response for audit and improvement purposes.

References: Personal Data Protection Law PDPL — SDAIA. Essential Cybersecurity Controls ECC — NCA.