So you want to prove PDPL Compliance in KSA?

So you want to prove PDPL Compliance in KSA?

• 1. www.gccdataprotection.com So you want to prove PDPL Compliance in KSA? www.pyxos.ai presented May 19, 2025

• 2. Introductions

• 3. LAURA PALMARIELLO Director, GCC Data Protection IAPP CIPP/E | BCS Data Protection Practitioner Certified laura@gccdataprotection.com Director, GCC Data Protection IAPP CIPP/E | IAPP CIPM | BCS Data Protection Practitioner Certified bilal@gccdataprotection.com BILAL GHAFOOR Co-Founder & COO, Pyxos Previously: CTO and SVP at Futuredontics; CIO at Nationwide Insurance; COO for 3 KSA-based ventures | jonathan@pyxos.ai JONATHAN KASS Who We Are

• 4. Security: ISO27001 vs PDPL ISO: list of standards PDPL: “do what is necessary”

• 5. Quantitative vs Qualitative Requirements Have you had dinner? Was the food good?

• 6. It’s not the same as getting an ISO Certification ISO Standards Configurations Quantitative Processes Qualitative PDPL DSARs Time Quantitative Did you send everything? Qualitative Privacy notices Content Quantitative Clarity and completeness Qualitative

• 7. Binaries

• 8. Legal basis PDPL Certificates Article 33.2 The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.

• 9. Legal basis Who do you need to prove compliance to? SDAIA Public Companies

• 10. Legal basis How they look at you SDAIA Fines, stopping processing Audits, RoPA, breach investigations Companies Other suppliers Due diligence, then powers of audit Public Other suppliers Reputation, regulatory action

• 11. Legal basis How they look at you SDAIA Fines, stopping processing Audits, RoPA, breach investigations Companies Other suppliers Due diligence, then powers of audit Public Other suppliers Reputation, regulatory action

• 12. Legal basis Proving compliance • Documentation • Lack of complaints • NDMO checklist? SDAIA • Documentation Companies • Reputation • Reputation Public •(privacy notice, ease of consent, etc)

• 13. Legal basis Proving compliance • Documentation • Lack of complaints • NDMO checklist? SDAIA • Documentation Companies • Reputation • Reputation Public •(privacy notice, ease of consent, etc)

• 14. Legal basis Documentation Due diligence questionnaire Data Processing Clauses Data Transfers – SCCs & TRAs Privacy Impact Assessments Can I trust you?

• 15. Legal basis Do, repeat, do, repeat… and track!

• 16. Legal basis

• 17. Effective compliance is about change

• 18. No controls Effective compliance is about change to Required controls

• 19. Inconsistently thinking about data privacy Effective compliance is about change to Considering data privacy across operations

• 20. Added cost mindset Effective compliance is about change to Efficiency & opportunity mindset

• 21. Effective compliance is about change Health Insurance Portability and Accountability (HIPAA) Payment Card Industry Data Security Standards (PCI-DSS) General Data Protection Regulation (GDPR) Personal Data Protection Law (PDPL)

• 22. Considering data privacy across operations Required controls Efficiency & opportunity mindset In summary + +

• 23. Legal basis Culture change is at the core

• 24. Respecting our customers, coworkers, and partners Culture change is at the core

• 25. Culture change is at the core Protecting information that is valuable to them & us

• 26. Legal basis Incorporating this protection into our mission, it's part of our pride in our products & services Culture change is at the core

• 27. Legal basis Incorporating Protecting Respecting In summary + + Sustainable Culture Change

• 28. Leverage tech to make it easier & safer Start: Where in our workflows is personal data at risk? Think: Data Protection Impact Assessment i.e. DPIAs Ask: And how can we reduce that risk?

• 29. Leverage tech to make it easier & safer Existing systems & controls Risk Mitigation Risk Monitoring Documentation, evidence collection, reporting technology streamlines these ongoing steps

• 30. Pyxos Fusion: AI Powered Compliance Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. 30 An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection

• 31. Pyxos Fusion: AI Powered Compliance Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. 31 An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection

• 32. Pyxos Fusion: AI Powered Compliance Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. 32 An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection

• 33. Pyxos Fusion: AI Powered Compliance Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. 33 An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection

• 34. Pyxos Fusion: AI Powered Compliance Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. 34 An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection

• 35. Pyxos Fusion: AI Powered Compliance Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. 35 An end-to-end privacy and compliance solution, incorporating user consent, regulatory navigation, data privacy risk mapping, compliance workflow management and automation, and data protection

• 36. Leverage tech to make it easier & safer Existing systems & controls Documentation, evidence collection, reporting technology streamlines these ongoing steps technology powers dashboards & alerts to GRC team Risk Mitigation Risk Monitoring

• 37. Remember: Partners & vendors are in your chain of trust Signed agreements are not enough

• 38. Remember: Partners & vendors are in your chain of trust

• 39. Legal basis Make it add value: A privacy focus brings opportunity & trust

• 40. Encourage others Lead by example: Become a Privacy Champion Acknowledge efforts & results Reflect on your own behavior

• 41. Legal basis And start now… The best time to start was before September of 2024. The next best time is now.

• 42. Summary ● KSA PDPL compliance is different from ISO certification… don’t expect they work alike ● You must prove compliance to 3 parties: SDAIA, your customers, and the public ● Documentation alone isn’t enough… culture, clarity, and credibility all matter ● Compliance is a journey of change… critically in culture and mindset, not just process ● Manual oversight alone will fall short… technology gives you consistency and scale ● Your vendors and partners matter… they are part of your trust chain ● Start now… you will not only lead, but you’ll also get ahead

• 43. Thank You! Image Credit: By B.alotaby Own work, CC BY-SA 4.0 bilal@gccdataprotection.com jonathan@pyxos.ai laura@gccdataprotection.com Free 1-Hour PDPL Help for the First 10 Attendees We’re offering a free, 1-hour PDPL consultation or executive briefing to the first 10 attendees who email us at growth@pyxos.ai