The Breach Brief · Story Week KSA-001

She forwarded one folder.
Sixty-three people didn't know.

Nour is an HR Coordinator at an engineering firm in Riyadh.
On a Monday morning, she forwarded a file to a recruitment consultant she trusted.
His contract had expired fourteen months earlier. Nobody had told her.

Riyadh, KSA · 18–22 May 2026 · Saudi PDPL 5-day story

This week's story

Day 1 · Monday 18 May
The Forward

It was an ordinary Monday morning in Riyadh.

Nour arrived at 8:45 AM, made tea before anyone else got in, and opened her inbox. Forty-one unread emails. She started from the top.

By 9:30 AM she had cleared most of them. The recruitment briefing call with Tariq was scheduled for Thursday. She wanted to give him a head start — some internal context about seniority levels, compensation bands, what the team actually looked like on paper.

She opened the shared HR drive. Found the folder she needed.

HR_Performance_Q4_2025

She attached it to a reply, typed a three-line note — "Thought this would help before Thursday's call. Let me know if you need anything else." — and hit send.

9:47 AM. Done. She moved to the next email.

Tariq had been their recruitment contact eighteen months ago. Good relationship. He had filled two senior roles for them in 2024. His name was familiar in her inbox. She had no reason to pause.

She did not know his contract had expired in December 2023.

She did not know the approved vendor list had not been updated since then.

She did not know that what she had just sent was no longer authorised.

Somewhere in another city, an inbox notification appeared.

Tomorrow — Chapter 2: What Was in the Folder.

Day 2 · Tuesday 19 May
The Folder

Tariq opened the email at 11:03 AM.

He recognised the folder name. He had received files from this company before — back when the contract was live, when everything was signed and logged. This felt like a continuation of that relationship. He did not question it.

He downloaded the folder. Opened it.

HR_Performance_Q4_2025 contained performance review summaries for 63 employees across three regional offices. Every row was complete.

🪪 Full name and nationality

💰 Salary — to the exact riyal

📊 Performance score (1–5) and manager comments

📱 Personal mobile number

⏱ Notice period

📄 Contract type — permanent or fixed-term

Three years of hiring, reviewing, and updating — all of it, in one spreadsheet.

Tariq noted what he needed for the briefing. Saved the file to his desktop. Closed the email.

He said nothing. He had no reason to — from his side, this was a client sharing useful context. Routine.

Inside the firm: Nour answered twelve more emails that morning, joined a 2 PM meeting about Q2 headcount planning, and left the office at 6:30 PM.

Nobody inside the building knew the folder was now sitting on a laptop in a different city.

Nobody inside the building knew it would stay there for twenty-two days.

Tomorrow — Chapter 3: The Silence.

Day 3 · Wednesday 20 May
The Silence

Twenty-two days passed.

Inside the firm, life continued exactly as it always had. The Thursday briefing call with Tariq went well — two shortlisted candidates by the end of the following week. Nour updated the tracker, arranged interview schedules, sent offer letters to two successful applicants.

New joiners arrived. She set up their system access, collected their documents, walked them through the onboarding checklist.

She sent emails. She forwarded files. She confirmed meetings.

Nothing felt wrong.

Outside the firm, the folder was still on Tariq's desktop. He had passed it on — informally, as a benchmarking reference — to a contact who ran a headhunting practice. The contact was not bound by any agreement with the firm. He opened the spreadsheet and began working through it.

He was looking for names worth approaching.

Inside: 63 employees went about their working days. They had no idea their salaries, performance scores, and personal mobile numbers were sitting in a spreadsheet they had never consented to share.

Under Saudi PDPL, the moment that folder left the authorised boundary of the organisation, a clock started. 72 hours to notify SDAIA of a potential breach.

Nobody inside had started it. Nobody inside knew it existed.

The clock had been running for twenty-two days.

Tomorrow — Chapter 4: The Call.

Day 4 · Thursday 21 May
The Call

The call came at 2:17 PM on a Thursday. Unknown number. Nour let it ring, then picked up.

It was Khalid — a senior structural engineer, twelve years at the firm, based in the Jeddah office.

He was calm but direct. A headhunter had approached him earlier that week. Sent a message through LinkedIn, then followed up by phone. The headhunter knew things that stopped Khalid mid-conversation.

His salary. To the exact riyal.

His notice period. Three months.

That his last performance review had been marked "exceeds expectations."

"Nobody outside should know that," he told Nour. "I've never put my salary anywhere. I've never spoken to a recruiter."

Nour thanked him, said she would look into it, and hung up.

She sat still for a moment. Then opened her sent folder.

She found the email in four minutes. HR_Performance_Q4_2025. Forwarded to Tariq. 9:47 AM, five weeks ago.

She pulled Tariq's contract from the vendor file. Signed October 2023. End date: December 2023.

She checked the approved vendor list. His name was still on it.

She called her manager. Her manager called legal. Legal contacted SDAIA.

By end of business, a formal investigation had been opened.

The investigators asked for four things:

📋 The data sharing log — "There isn't one."

✅ Consent records for the 63 employees — "We don't have those."

👤 The DPO appointment — "We haven't appointed one."

⏱ The breach notification — "We didn't know we needed to file one."

The 72-hour notification window had opened five weeks ago.

Fine ceiling: SAR 5,000,000. Rises to SAR 10,000,000 for repeat violations.

Tomorrow — Chapter 5: The Verdict.

Day 5 · Friday 22 May
The Verdict

The SDAIA investigation reconstructed the timeline in detail.

Email sent: Monday 9:47 AM.
File downloaded by unauthorised party: 11:03 AM same day.
First evidence of data being used externally: eleven days later.
Discovery by the company: Day 22.
Breach notification filed: Day 22 — twenty-one days and twenty-two hours after the 72-hour window opened.

This is what Saudi PDPL says about what happened. Not as background. As verdict.

Article 17 — No legal basis. No consent.
Personal data may only be shared with third parties where a valid legal basis exists and the data subject has been informed. Sixty-three employees had not been informed. No legal basis was documented. The forwarding of HR_Performance_Q4_2025 to an expired vendor was a breach from the moment it was sent.

Article 23 — You had 72 hours.
Organisations must notify SDAIA of a personal data breach within 72 hours of becoming aware. The company became aware on Day 22. The 72-hour window had opened on Day 1. Investigators do not treat a 22-day delay as an oversight. They treat it as a failure of infrastructure.

Article 29 — You had to have measures in place.
Organisations must implement appropriate technical and organisational measures to protect personal data. No approved vendor review process existed. No access controls on the HR shared drive. No data sharing log. No training on what constitutes a breach. That is not a gap. That is the absence of a framework.

Article 36 — Fine ceiling: SAR 5,000,000.
Rises to SAR 10,000,000 for repeat violations. The fine is not the only consequence — regulatory findings stay on record and affect future licensing, procurement, and tender eligibility in the Kingdom.

The investigators did not blame Nour. The law did not either.

She had followed the process exactly as it existed. The approved vendor list had not been maintained. No training existed on what counted as a breach. No protocol told her what to do — or even that something had gone wrong.

The system failed before she opened her inbox that Monday morning.

Three things the company implemented after the verdict:

1. Appointed a Data Protection Officer. Now the first point of contact for any data sharing request involving personal data β€” internal or external. Named. Accountable. Reachable.

2. Built a 72-hour breach notification protocol. One page. On the intranet. What to do, who to tell, how to notify SDAIA. Printed and posted in every HR office. The clock starts at discovery β€” not when legal gets involved.

3. Enrolled every HR and operations staff member in role-specific PDPL training. Not a compliance seminar. Training built around what they actually do — handling performance files, salary data, vendor communications — and what Saudi law requires of them in those specific moments.

Nour still works there. She knows what to do now.

Does your team?

One course. Under 20 minutes. Built for the people handling files like HR_Performance_Q4_2025 every day.
training.cybernym.io/login/?tab=demo

Cybernym.io — Cyber Instincts. Built, Not Taught.
