📚 Knowledge Base
Comprehensive cybersecurity Q&A covering Saudi regulatory compliance
The PDPL grants individuals (data subjects) comprehensive rights over their personal data: 1) Right to access - obtain confirmation of data processing and access their data; 2) Right to rectification - correct inaccurate or incomplete data; 3) Right to erasure - request deletion under certain conditions; 4) Right to restrict processing - limit how data is used; 5) Right to data portability - receive data in a structured format and transfer to another controller; 6) Right to object - oppose processing for specific purposes; 7) Right to withdraw consent - revoke previously given consent; 8) Right to lodge complaints with SDAIA. Controllers must respond to requests within 30 days and provide clear mechanisms for exercising these rights without discrimination or retaliation.
The PDPL restricts international data transfers to ensure continued protection. Personal data can only be transferred outside Saudi Arabia if: 1) The destination country has adequate data protection standards as determined by SDAIA; 2) Appropriate safeguards are implemented through binding corporate rules, standard contractual clauses approved by SDAIA, or certification mechanisms; 3) Explicit consent is obtained from the data subject after being informed of transfer risks; 4) The transfer is necessary for contract performance, legal claims, protecting vital interests, or public interest purposes; 5) Prior approval from SDAIA is obtained when required. Organizations must document transfer mechanisms, conduct transfer impact assessments, and ensure recipients maintain equivalent protection levels. Unauthorized transfers can result in penalties up to SAR 2 million.
The PDPL establishes fundamental data protection principles that organizations must follow: 1) Lawfulness and Transparency - personal data must be processed lawfully with clear purpose communicated to data subjects; 2) Purpose Limitation - data collected only for specified, explicit, and legitimate purposes; 3) Data Minimization - only necessary data should be collected and processed; 4) Accuracy - organizations must ensure data is accurate and up-to-date; 5) Storage Limitation - data retained only as long as necessary for the processing purpose; 6) Integrity and Confidentiality - appropriate security measures must protect data from unauthorized access, loss, or damage. Organizations must implement technical and organizational measures aligned with SAMA CSF and NCA ECC frameworks to demonstrate compliance with these principles, supporting Vision 2030's digital transformation objectives.
Under PDPL, valid consent for processing personal data must meet specific criteria: 1) Freely Given - consent must be voluntary without coercion or negative consequences for refusal; 2) Specific - consent must relate to clearly defined processing purposes; 3) Informed - data subjects must receive clear information about the controller's identity, processing purposes, data types, retention periods, and their rights; 4) Unambiguous - consent must be through clear affirmative action (pre-ticked boxes are invalid); 5) Documented - organizations must maintain records of consent; 6) Withdrawable - data subjects can withdraw consent at any time. For sensitive personal data (health, biometric, genetic, religious, political data), explicit consent is required. Financial institutions must align consent mechanisms with SAMA CSF requirements, while all organizations should implement NCA ECC controls for consent management systems. Proper consent management supports Saudi Arabia's Vision 2030 goal of building trust in the digital economy.
PDPL mandates specific data breach notification requirements: 1) Authority Notification - organizations must notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of a breach that poses risks to data subjects' rights; 2) Individual Notification - if the breach poses high risk to individuals, affected data subjects must be notified without undue delay in clear, plain language; 3) Breach Documentation - maintain detailed records of all breaches including facts, effects, and remedial actions; 4) Notification Content - include breach nature, likely consequences, measures taken/proposed, and contact point for information. Organizations should implement incident response plans aligned with NCA ECC-1:2018 Domain 5 (Cybersecurity Incident Management) and SAMA CSF controls. Response steps include: containment, assessment, eradication, recovery, and lessons learned. Financial institutions must also comply with SAMA's specific breach reporting requirements. Effective breach management supports Vision 2030's cybersecurity resilience objectives and maintains public trust in digital services.
Institutions must establish a formal Enterprise Risk Management (ERM) program that includes cybersecurity risk as a key component. This involves conducting annual comprehensive risk assessments using recognized methodologies (ISO 27005, NIST, or equivalent), identifying and classifying information assets, mapping threat landscapes specific to the Saudi financial sector, and documenting risk treatment plans. The risk assessment must cover all SAMA CSF domains including Cybersecurity Governance, Risk Management, Third-Party Management, and Incident Management. Results must be documented in Arabic and English, presented to senior management and the board quarterly, and used to prioritize security investments. Risk registers must be maintained and updated continuously, with critical and high risks requiring immediate remediation plans approved by executive management.
SAMA requires financial institutions to develop and maintain a comprehensive cybersecurity policy framework including: Information Security Policy, Acceptable Use Policy, Access Control Policy, Incident Response Plan, Business Continuity and Disaster Recovery Plans, Third-Party Risk Management Policy, Data Classification and Handling Policy, Cryptography Policy, and Change Management Policy. All policies must be documented in Arabic (with English translations acceptable), approved by the board of directors, reviewed annually, and communicated to all employees. Institutions must maintain detailed procedures, work instructions, and evidence of policy enforcement. Documentation must include risk assessment reports, audit logs, compliance matrices mapping SAMA controls to implemented measures, training records, incident reports, and vendor security assessments. All documentation must be retained for a minimum of 7 years and made available to SAMA auditors upon request.
SAMA CSF requires institutions to implement a robust Third-Party Risk Management (TPRM) program. Steps include: establishing a vendor inventory with risk classification (critical, high, medium, low), conducting pre-engagement security assessments for all vendors handling sensitive data or critical systems, including mandatory cybersecurity clauses in contracts with right-to-audit provisions, performing annual security reviews of critical vendors, requiring vendors to demonstrate compliance with relevant standards (ISO 27001, PCI-DSS), maintaining vendor risk registers, and ensuring data residency requirements align with Saudi data localization regulations. For cloud service providers and critical technology vendors, institutions must conduct on-site assessments, review SOC 2 Type II reports, verify incident response capabilities, and ensure vendors have cyber insurance. All third-party access must be monitored, logged, and reviewed regularly. Vendors must notify the institution within 24 hours of any security incidents affecting services provided.
SAMA mandates that financial institutions establish a formal Cyber Incident Response Team (CIRT) with 24/7 availability and documented incident response procedures. Critical incidents must be reported to SAMA within 1 hour of detection, with preliminary incident reports submitted within 24 hours and detailed post-incident reports within 72 hours. Reportable incidents include: unauthorized access to customer data, ransomware attacks, DDoS attacks affecting services, data breaches, system compromises, and any incident affecting business operations. Institutions must maintain incident response playbooks covering detection, containment, eradication, recovery, and lessons learned phases. Annual incident response drills and tabletop exercises are mandatory. Institutions must integrate with Saudi National Cybersecurity Authority (NCA) reporting mechanisms and participate in sector-wide threat intelligence sharing. All incidents must be logged in a centralized system with root cause analysis, impact assessment, and corrective actions documented. The board of directors must be briefed on all critical incidents within 48 hours.
The NCA Essential Cybersecurity Controls (ECC) is a comprehensive cybersecurity framework developed by Saudi Arabia's National Cybersecurity Authority to protect critical infrastructure and government entities. It consists of 114 cybersecurity controls organized into 5 domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-Party and Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. The framework is mandatory for all government entities and critical national infrastructure operators in Saudi Arabia and aims to establish a baseline security posture across the Kingdom.
The NCA ECC framework comprises five main domains: 1) Cybersecurity Governance (establishing policies, procedures, and organizational structure), 2) Cybersecurity Defense (implementing protective measures like access control, network security, and malware protection), 3) Cybersecurity Resilience (ensuring business continuity, incident response, and disaster recovery), 4) Third-Party and Cloud Computing Cybersecurity (managing external service providers and cloud security), and 5) Industrial Control Systems Cybersecurity (protecting OT environments). Implementation follows a maturity-based approach with three levels, where organizations must achieve Level 1 compliance within specified timeframes before progressing to higher maturity levels.
Organizations subject to NCA ECC must follow a phased implementation approach. The process begins with conducting a gap analysis against the 114 controls to identify current compliance status. Organizations must then develop a remediation plan and implement controls based on their classification (government entity, critical infrastructure operator, or essential service provider). Typically, Level 1 maturity controls must be implemented within 6-12 months from the assessment date. Organizations must conduct annual self-assessments and submit compliance reports to NCA through the Cybersecurity Compliance Platform (CCP). NCA may conduct audits to verify compliance, and non-compliance can result in penalties ranging from warnings to financial fines up to SAR 5 million.
Under NCA ECC Domain 2 (Cybersecurity Defense), organizations must implement comprehensive access control measures including: establishing a formal identity and access management (IAM) program, implementing multi-factor authentication (MFA) for all remote access and privileged accounts, enforcing least privilege principles, conducting regular access reviews and recertification, implementing strong password policies aligned with NCA guidelines, segregating duties for critical functions, and maintaining detailed audit logs of access activities. Organizations must also implement privileged access management (PAM) solutions for administrative accounts, ensure secure authentication mechanisms for all systems, and establish procedures for timely provisioning and de-provisioning of user accounts, especially during employee onboarding and offboarding processes.
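The Domain 2 controls above are usually evidenced through a periodic access review. The following is an added example, not part of this knowledge base and not NCA tooling, of how such a review can be run as code over an identity inventory export: it flags privileged or remote-access accounts without MFA, enabled accounts belonging to terminated staff (de-provisioning), accounts past their recertification window, and segregation-of-duties conflicts, and emits an audit-trail line per account. The account records, role names, the 90-day recertification period and the conflicting role pairs are all constructed assumptions for illustration, not values prescribed by the ECC.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed thresholds (assumptions, not NCA-prescribed values): how often
# access must be recertified, and which role pairs violate segregation of duties.
RECERT_PERIOD_DAYS = 90
SOD_CONFLICTS = [
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"developer", "prod_deployer"}),
]


@dataclass
class Account:
    """One row of a constructed identity inventory export."""
    user: str
    privileged: bool
    mfa_enabled: bool
    remote_access: bool
    last_recertified: date
    employment_status: str            # "active" or "terminated"
    roles: set = field(default_factory=set)
    enabled: bool = True


def review_account(acct: Account, today: date) -> list:
    """Return the control violations for one account (empty list means clean)."""
    findings = []
    # MFA is required for all remote access and all privileged accounts.
    if (acct.privileged or acct.remote_access) and not acct.mfa_enabled:
        findings.append("MFA_MISSING")
    # Timely de-provisioning at offboarding: leavers must not keep enabled accounts.
    if acct.enabled and acct.employment_status == "terminated":
        findings.append("DEPROVISIONING_OVERDUE")
    # Regular access reviews and recertification within the review period.
    if (today - acct.last_recertified).days > RECERT_PERIOD_DAYS:
        findings.append("RECERT_OVERDUE")
    # Segregation of duties: no single account may hold a conflicting role pair.
    roles = frozenset(acct.roles)
    if any(conflict <= roles for conflict in SOD_CONFLICTS):
        findings.append("SOD_CONFLICT")
    return findings


def run_access_review(accounts, today: date) -> dict:
    """Map each non-compliant user to its findings; compliant users are omitted."""
    results = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            results[acct.user] = findings
    return results


def review_evidence(accounts, today: date) -> list:
    """Audit-trail lines recording the outcome for every account reviewed."""
    lines = []
    for acct in accounts:
        findings = review_account(acct, today)
        result = "PASS" if not findings else ",".join(findings)
        lines.append(
            f"{today.isoformat()} access_review user={acct.user} "
            f"privileged={acct.privileged} result={result}"
        )
    return lines


# Constructed sample inventory; user names, dates and roles are invented.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, mfa_enabled=True, remote_access=True,
            last_recertified=date(2024, 5, 1), employment_status="active",
            roles={"sysadmin"}),
    Account("bob", privileged=True, mfa_enabled=False, remote_access=False,
            last_recertified=date(2024, 6, 1), employment_status="active",
            roles={"dba"}),
    Account("carol", privileged=False, mfa_enabled=True, remote_access=True,
            last_recertified=date(2024, 1, 15), employment_status="terminated",
            roles={"analyst"}),
    Account("dave", privileged=False, mfa_enabled=True, remote_access=False,
            last_recertified=date(2024, 6, 10), employment_status="active",
            roles={"payment_initiator", "payment_approver"}),
]


def sample_review() -> dict:
    """Run the review over the constructed inventory."""
    return run_access_review(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, findings in sample_review().items():
        print(f"{user}: {', '.join(findings)}")
    for line in review_evidence(SAMPLE_ACCOUNTS, TODAY):
        print(line)
```

In practice the inventory would be pulled from the directory or IAM/PAM system rather than hard-coded, and the evidence lines would be written to the central log so the recertification itself is auditable; the finding codes are deliberately stable strings so they can be ticketed and tracked to closure.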
NCA ECC Domain 3 (Cybersecurity Resilience) requires organizations to establish comprehensive incident response capabilities including: developing and maintaining an incident response plan aligned with NCA's incident classification framework, establishing a Computer Security Incident Response Team (CSIRT) with defined roles and responsibilities, implementing 24/7 security monitoring and detection capabilities, establishing incident reporting procedures to NCA within specified timeframes (critical incidents within 1 hour, high severity within 24 hours), conducting regular incident response drills and tabletop exercises, maintaining forensic investigation capabilities, implementing business continuity and disaster recovery plans with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and conducting annual testing of backup and recovery procedures. Organizations must also maintain incident documentation and conduct post-incident reviews to improve security posture.