So you want to prove PDPL Compliance in KSA?


    Uploaded by @pyxos

    www.gccdataprotection.com | www.pyxos.ai
So you want to prove PDPL Compliance in KSA?
presented May 19, 2025
    1/43
    Introductions
    2/43
    Who We Are
LAURA PALMARIELLO
Director, GCC Data Protection
IAPP CIPP/E | BCS Data Protection Practitioner Certified
laura@gccdataprotection.com
BILAL GHAFOOR
Director, GCC Data Protection
IAPP CIPP/E | IAPP CIPM | BCS Data Protection Practitioner Certified
bilal@gccdataprotection.com
JONATHAN KASS
Co-Founder & COO, Pyxos
Previously: CTO and SVP at Futuredontics; CIO at Nationwide Insurance; COO for 3 KSA-based ventures
jonathan@pyxos.ai
    3/43
    Security: ISO27001 vs PDPL
ISO: list of standards
PDPL: “do what is necessary”
    4/43
    Quantitative vs Qualitative Requirements
Have you had dinner?
Was the food good?
    5/43
    It’s not the same as getting an ISO Certification
ISO Standards
  Configurations                Quantitative
  Processes                     Qualitative
PDPL
  DSARs
    Time                        Quantitative
    Did you send everything?    Qualitative
  Privacy notices
    Content                     Quantitative
    Clarity and completeness    Qualitative
    6/43
    Binaries
    7/43
    Legal basis
PDPL Certificates
Article 33.2
The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.
    8/43
    Legal basis
Who do you need to prove compliance to?
SDAIA
Public
Companies
    9/43
    Legal basis
How they look at you
SDAIA: Fines, stopping processing; Audits, RoPA, breach investigations
Companies / Other suppliers: Due diligence, then powers of audit
Public / Other suppliers: Reputation, regulatory action
    10/43
    Legal basis
Proving compliance
SDAIA
• Documentation
• Lack of complaints
• NDMO checklist?
Companies
• Documentation
• Reputation
Public
• Reputation (privacy notice, ease of consent, etc)
    12/43
    Legal basis
Documentation
• Due diligence questionnaire
• Data Processing Clauses
• Data Transfers – SCCs & TRAs
• Privacy Impact Assessments
Can I trust you?
    14/43
    Legal basis
Do, repeat, do, repeat… and track!
    15/43
    Legal basis
    16/43
    Effective compliance is about change
    17/43
    Effective compliance is about change
No controls → Required controls
    18/43
    Effective compliance is about change
Inconsistently thinking about data privacy → Considering data privacy across operations
    19/43
    Effective compliance is about change
Added cost mindset → Efficiency & opportunity mindset
    20/43
    Effective compliance is about change
Health Insurance Portability and Accountability (HIPAA)
Payment Card Industry Data Security Standards (PCI-DSS)
General Data Protection Regulation (GDPR)
Personal Data Protection Law (PDPL)
    21/43
    In summary
Required controls + Considering data privacy across operations + Efficiency & opportunity mindset
    22/43
    Legal basis
Culture change is at the core
    23/43
    Culture change is at the core
Respecting our customers, coworkers, and partners
    24/43
    Culture change is at the core
Protecting information that is valuable to them & us
    25/43
    Legal basis
    Culture change is at the core
Incorporating this protection into our mission; it's part of our pride in our products & services
    26/43
    Legal basis
In summary
Incorporating + Protecting + Respecting
Sustainable Culture Change
    27/43
    Leverage tech to make it easier & safer
Start: Where in our workflows is personal data at risk?
Think: Data Protection Impact Assessment, i.e. DPIAs
Ask: And how can we reduce that risk?
    28/43
    Leverage tech to make it easier & safer
Existing systems & controls → Risk Mitigation → Risk Monitoring → Documentation, evidence collection, reporting
Technology streamlines these ongoing steps
    29/43
    Pyxos Fusion: AI Powered Compliance 
Navigate: Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives.
Illuminate: AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape.
Orchestrate: Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization.
Consent: Automates the process of obtaining, storing, and managing user consent for data collection and processing.
Protect: Safeguards sensitive information by intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle.
An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection
    30/43
    Leverage tech to make it easier & safer
Existing systems & controls → Risk Mitigation → Risk Monitoring → Documentation, evidence collection, reporting
Technology streamlines these ongoing steps
Technology powers dashboards & alerts to GRC team
    36/43
    Remember: Partners & vendors are in your chain of trust
Signed agreements are not enough
    37/43
    Remember: Partners & vendors are in your chain of trust
    38/43
    Legal basis
Make it add value:
A privacy focus brings opportunity & trust
    39/43
    Encourage others
Lead by example:
Become a Privacy Champion
Acknowledge efforts & results
Reflect on your own behavior
    40/43
    Legal basis
And start now…
The best time to start was before September of 2024.
The next best time is now.
    41/43
    Summary
● KSA PDPL compliance is different from ISO certification… don’t expect they work alike
● You must prove compliance to 3 parties: SDAIA, your customers, and the public
● Documentation alone isn’t enough… culture, clarity, and credibility all matter
● Compliance is a journey of change… critically in culture and mindset, not just process
● Manual oversight alone will fall short… technology gives you consistency and scale
● Your vendors and partners matter… they are part of your trust chain
● Start now… you will not only lead, but you’ll also get ahead
    42/43
    Thank You!
Image Credit: By B.alotaby, Own work, CC BY-SA 4.0
bilal@gccdataprotection.com 
jonathan@pyxos.ai
laura@gccdataprotection.com
Free 1-Hour PDPL Help for the First 10 Attendees
We’re offering a free, 1-hour PDPL consultation or executive briefing to the first 10 attendees who email us at growth@pyxos.ai
    43/43
