Saudi PDPL · First Step
PDPL Gap Assessment
Before you remediate anything, you need to know exactly where you stand. A TCSA gap assessment maps your real data flows against the PDPL, its Implementing Regulations, and the Transfer Regulations — and returns a risk-ranked register your team can execute, not a generic checklist.
The natural first phase of a PDPL programme: findings become the remediation backlog, so no work is thrown away.
KSA PDPL (SDAIA) · Implementing & Transfer Regulations · Last reviewed June 2026
Direct Answer
What a gap assessment actually tells you
A PDPL gap assessment answers three questions with evidence: which of your processing activities fall under the law, where your current practices fall short of specific provisions, and what to fix first given the realistic exposure — SAR 5 million administrative fines per violation, criminal liability for unlawful sensitive-data disclosure, and the commercial risk of failing a Saudi enterprise customer’s vendor review.
Assessment Scope
The eight domains we test
These are the areas where SDAIA expectations and real-world practice diverge most often — and where enforcement and enterprise customers look first.
Data inventory & RoPA
Whether every processing activity is identified and recorded — purposes, data categories, recipients, transfers, retention — at the standard SDAIA expects a controller to produce on request.
Lawful bases & consent
Each activity mapped to a valid basis under the PDPL’s consent-first model, with consent records that show it was specific, informed, and withdrawable.
Privacy notices
Whether notices exist for every collection point, state the purpose, basis, and rights before processing starts, and match what your systems actually do.
Data subject rights readiness
Intake channels, identity verification, fulfilment workflow, and whether you can actually meet the response window in the Implementing Regulations.
Cross-border transfers
Every flow out of the Kingdom mapped to a lawful pathway under the Transfer Regulations — and flagged where a transfer risk assessment is required.
Breach readiness
Whether your incident process can detect, assess, and notify SDAIA within 72 hours — and notify affected individuals where their interests are at risk.
Vendors & processor contracts
Which third parties touch personal data, whether contracts impose PDPL-grade obligations, and where processor risk is unmanaged.
DPO & registration triggers
Whether your processing trips the DPO-appointment or SDAIA National Data Governance Platform registration triggers — and what to file if it does.
How It Runs
Four steps, no theatre
Scope & interviews
We establish which entities, products, and data flows are in scope — including the extraterritorial test for foreign entities serving KSA residents — then interview the owners of marketing, HR, product, and IT data.
Evidence review
Notices, consent records, contracts, RoPA, security controls, and breach procedures are reviewed against the PDPL, its Implementing Regulations, and the Transfer Regulations — clause by clause, not by generic checklist.
Risk-ranked gap register
Every gap is logged with the specific provision it offends, the realistic exposure (administrative fines, criminal referral for sensitive-data disclosure, customer-contract risk), and a priority.
Remediation roadmap & briefing
You get a sequenced plan — quick wins first, structural fixes second — sized for your team, plus a leadership briefing that turns the register into decisions and owners.
Deliverables
What lands in your inbox
Scoping and fees are confirmed on a short call — we provide a fixed, all-inclusive quote based on entity count, system landscape, and whether cross-border transfer analysis is in scope. Gulf engagements are quoted in SAR, AED, or USD.
PDPL Gap Assessment — FAQs
Straight answers before you commit to anything.
What is a PDPL gap assessment?
A structured comparison of how your organisation actually collects, uses, shares, and protects personal data against what the Saudi PDPL, its Implementing Regulations, and the Personal Data Transfer Regulations require. The output is not a pass/fail verdict — it is a risk-ranked register of specific gaps, each tied to the provision it offends, plus a sequenced plan to close them.
How long does a PDPL gap assessment take?
Typically two to four weeks depending on entity count, the number of systems holding personal data, and how much documentation already exists. It is the natural first phase of the 6–12 week end-to-end PDPL programme: the gap register becomes the remediation backlog.
We are already GDPR compliant. Do we still need a PDPL gap assessment?
Yes — but it will be faster. A mature GDPR programme covers much of the operational ground, and we reuse it. The assessment then focuses on what is PDPL-specific: the consent-first lawful basis model, SDAIA registration and DPO triggers, Saudi-form privacy notices, the Kingdom’s own transfer mechanisms (EU SCCs do not satisfy them), and the 72-hour breach clock to SDAIA.
What do you need from us to run the assessment?
Access to the people who own the data — typically marketing, HR, product, IT, and legal — plus existing documentation: privacy notices, contracts with vendors, any records of processing, and security policies. Engagements run remotely with structured working sessions; no Saudi office visit is required for the assessment itself.
What happens after the gap assessment?
Most clients move directly into remediation: notices, RoPA, DSR and breach workflows, transfer safeguards, and — where triggered — DPO appointment and SDAIA platform registration. TCSA can deliver that as a project, and our virtual DPO service can then operate the programme. The gap register is written so your own team can execute it without us if you prefer.
Continue your PDPL research
- The PDPL hub — the Saudi and UAE laws, obligations, and penalties in one place.
- PDPL compliance audit — for programmes already running that need independent validation.
- DPO as a Service — when your processing trips the DPO-appointment triggers.
- PDPL vs GDPR — what carries over from an EU programme and what must be localised.
Written By Expert Auditors