Saudi Personal Data Protection Law gives every KSA resident enforceable rights over their personal data: access, rectification, erasure, portability, objection. The legal reality has been clear since 2024. The operational reality — the actual workflow that turns a customer request into a fulfilled response within statutory timelines — is what most organizations are still figuring out.
Here’s the workflow that works.
Step 1: Public-facing request form
A simple form on your website with a clear submission path. Required fields: requester name, identity verification document, type of right being exercised (access, rectification, erasure, portability, objection), specific data scope.
The form posts to a backend ticketing system (HubSpot, Jira, ServiceNow), and an auto-acknowledgment goes to the requester within seconds.
Step 2: Identity verification (3-5 days)
PDPL requires verifying that the requester is actually the data subject. Document review (photo of national ID) plus optional second factor (recent transaction reference, account-specific question). Document this verification — auditors will ask.
Step 3: Data discovery (5-15 days)
The hardest part. Where does this person’s data live? CRM, ERP, marketing platform, support ticketing, billing, backups, archives. Most organizations don’t know.
A pre-built data inventory accelerates this dramatically. Each system has a known schema, a known retention period, a known person responsible. Without inventory, every request becomes archaeology.
Step 4: Response preparation
Format depends on the right being exercised:
- Access: machine-readable export (JSON, CSV) plus human-readable summary
- Rectification: corrected data plus confirmation of correction across systems
- Erasure: deletion confirmation plus exception list (legal-hold data may be retained)
- Portability: structured export in interoperable format
- Objection: cessation of processing plus evidence
Step 5: Fulfillment (within 30 days statutory)
Response delivered via secure channel. Subject acknowledges receipt. Response and evidence chain archived for 7 years (regulator audit requirement).
Step 6: Audit trail
Every step logged. Time stamps, owners, evidence. The audit trail is the difference between “we have a PDPL program” and “we have evidence of a PDPL program.”
Common pitfalls
Forgotten data stores — backups, ex-employee mailboxes, third-party processor data. Inventory is the foundation.
Manual workflow — works at low volume, breaks at scale. Automation pays off above ~5 requests/month.
Erasure exceptions — legal hold, contractual retention, audit requirements. Document the exceptions; explain to subject in response.
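To make the six steps and the erasure exceptions concrete, here is an added Python sketch of a request tracker; it is not code from the post or from any ticketing product. It computes the 30-day deadline from the submission date, refuses to release data before identity verification has passed, splits an erasure result into deleted systems and legal-hold exceptions, and appends one audit row per step. The inventory, system names, ticket ids and owners are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
STATUTORY_DAYS = 30            # fulfillment window from step 5
RIGHTS = {"access", "rectification", "erasure", "portability", "objection"}
# Constructed data inventory (step 3): system -> fields held and whether a legal hold
# or contractual retention blocks erasure. Hypothetical names and values.
INVENTORY = {
    "crm":     {"fields": ["name", "email", "phone"], "legal_hold": False},
    "billing": {"fields": ["invoices", "vat_id"],     "legal_hold": True},
    "support": {"fields": ["tickets"],                "legal_hold": False},
}

@dataclass
class DsarRequest:
    ticket_id: str
    right: str
    received: str                        # ISO date the form was submitted (step 1)
    verified: bool = False
    audit: list = field(default_factory=list)   # (date, owner, event) rows, step 6

    def __post_init__(self):
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right: {self.right}")
        self.log(self.received, "system", "request received; auto-acknowledgment sent")

    def log(self, day, owner, event):
        self.audit.append((day, owner, event))

    def deadline(self):
        return (date.fromisoformat(self.received) + timedelta(days=STATUTORY_DAYS)).isoformat()

def verify_identity(req, day, owner, id_doc_ok, second_factor_ok):
    """Step 2: both checks must pass; the outcome is logged either way for auditors."""
    req.verified = id_doc_ok and second_factor_ok
    req.log(day, owner, "identity verification " + ("passed" if req.verified else "failed"))
    return req.verified

def prepare_response(req, day, owner):
    """Steps 3-5: discover data from the inventory and build the response for the right."""
    if not req.verified:
        raise PermissionError("identity not verified; no data may be released")
    if req.right == "erasure":
        deleted = [s for s, m in INVENTORY.items() if not m["legal_hold"]]
        exceptions = [s for s, m in INVENTORY.items() if m["legal_hold"]]
        result = {"deleted": deleted, "exceptions": exceptions}
    else:
        result = {"data": {s: m["fields"] for s, m in INVENTORY.items()}}
    result["on_time"] = day <= req.deadline()    # ISO strings compare chronologically
    req.log(day, owner, f"{req.right} response prepared; on_time={result['on_time']}")
    return result
```

The `audit` list is what step 6 asks for: every transition carries a date, an owner and an event, and the `exceptions` list is the material for explaining retained data to the subject.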