The Risks of Delaying KSA PDPL Compliance: Why Early Action Matters (by Pyxos - May 2025)

The Risks of Delaying KSA PDPL Compliance: Why Early Action Matters (by Pyxos - May 2025)

• 1. The Risks of Delaying KSA PDPL Compliance: Why Early Action Matters May 5, 2025 Co-Founder & CEO Pyxos, Inc. Senior PDPL Expert Pyxos, Inc. Country GM. KSA Pyxos, Inc. Leading the discussion are distinguished speakers:

• 2. 2 Welcome Today’s webinar is part of an ongoing KSA PDPL Education Series, co-hosted by: Thank you for joining us today

• 3. Varun Arora, Country GM, KSA ● Country / Region Head for Californian technology companies ● Venture Builder focusing on building corporate ventures in KSA, MENA, Europe ● MBA, EPGM, AWS Architect Anurag Sushant, Senior PDPL Expert ● Data Protection and Privacy Expert with global experience formerly with KPMG and Deloitte ● MBA (Privacy Management) and Law ● CIPP/E, CIPM, and ISO Auditor Brief Introduction: Today’s Speakers 3 James Beriker, Co-Founder, President & CEO ● Five-time venture backed technology company CEO; former operating exec at Yahoo! ● Former EVP at Mach49, global incubator, focusing on venture building in KSA. ● Former IP and corporate attorney.

• 4. Born in KSA Incubated by the TONOMUS Venture Studio at NEOM, Pyxos was designed to meet NEOM’s complex data privacy needs. PDPL-First The only solution built to address KSA’s Personal Data Protection Law (PDPL). In-Region Expertise Tailored solutions delivered by a local, hands-on expert team with deep experience in KSA’s regulatory requirements and global privacy standards. Services + Technology The only solution to combine both services and technology to enable continuous compliance. Pyxos is Built for Data Privacy Compliance in KSA

• 5. 5 Today’s Agenda ● PDPL Enforcement: What’s happening now in KSA? ● Learnings from Europe’s GDPR ● Why smart companies don’t delay ● How to implement KSA’s PDPL in 4 Phases ● Where tech makes the difference: Automation after implementation

• 6. 6 A New Era of Data Responsibility in KSA Saudi Arabia’s Personal Data Protection Law (PDPL) is now fully enforceable ● Data privacy is a central requirement for the Kingdom’s Vision 2030 transformation goals– and SDAIA has less than 5 years to achieve broad-based adoption of PDPL. ● SDAIA has published a comprehensive set of regulatory updates clarifying the law– the legal, technical, and operational framework necessary for organizations to comply are all in place. ● The penalty framework is established - and robust. ● GDPR shows us what happens next… Organizations are expected not just to collect and use data—but to protect it

• 7. 7 Fines for non-compliance started slowly and then accelerated to drive compliance The GDPR Story: Business Disruption, High Costs, Heavy Fines KSA can learn from the evolution of data privacy enforcement in the EU 2022 2.4B 2021 1.5B 2020 243M 2019 73M 2018 0.5M GDPR fines (€) 384% CAGR (2018-2024) 2023 4.5B 2024 5.6B May 2018 GDPR Enacted $400M $877M $41M $26M $59.8M $269M $23.8M $13M

• 8. 8 The Risks of Waiting for KSA Companies & Establishments Doing nothing is not the safer option, it’s actually the riskier one What waiting to comply will cost you: ● Enforced penalties, including up to SAR 5M & 2 years imprisonment ● Emergency spending to fix gaps ● Harm to your brand’s public image ● Missed trust-building opportunities with customers and partners ● Or even worse: a loss of trust with your most valued customers

• 9. 9 Starting Early Gives You Options Early action means lower costs and low-impact on your daily operations What starting today to comply will bring you: ● More time to assess and adjust ● Better vendor and talent availability ● Reduced cost, clearer planning ● Stronger internal understanding across teams ● Compliance on your time scale, not rushed to meet an audit

• 10. 10 Up Next ● How to implement KSA’s PDPL in 4 Phases (Anurag Sushant) ● Where tech makes the difference: Automation after implementation (Varun Arora)

• 11. How to Implement PDPL 11

• 12. Data Privacy Implementation - Plan of Action 4-phased approach for Data Privacy Implementation based on KSA’s PDPL and the other applicable regulations. ✔ Hold discussions with relevant stakeholders from different teams within the organization ✔ Obtain an understanding of the people, process, technology and governance structure with respect to data privacy ✔ Prepare and Finalize in-depth project plan – Kickoff Deck ✔ Perform harmonization of all in-scope regulations and finalize the rationalized controls ✔ Review the relevant policies and documents to analyze the current system ✔ Analyze the flow of data and business processes ✔ Conduct Privacy Gap Assessment for the entire organization against the Rationalized Privacy Controls ✔ Develop a report listing all areas of improvement ✔ Design the implementation roadmap for the remediation of gaps ✔ Design and draft Privacy policies, procedures, forms, templates and guidelines ✔ Design and draft Privacy notice(s) and Consent Forms ✔ Draft the relevant agreements and templates for Data Transfers and Processing ✔ Design the Incident and breach response model ✔ Design Data Subject Request (DSR) Response mechanism ✔ Update or create privacy training material and review with management ✔ Set up privacy by design model (if applicable) ✔ Set up Record of Processing Activities (ROPA) ✔ Finalize draft documentation for review and roll out ✔ Executive Summary Report ✔ Provide PMO support for the stakeholders to implement the recommendations ✔ Third party risk treatment rollout ✔ Implementation Tracker with Status ✔ Rollouts of all the Policies, Forms, Procedures, Templates & guidelines ✔ Operationalization and distribution of privacy notices ✔ Conduct privacy awareness sessions and trainings within the organization ✔ Rollout of Breach Response plan ✔ Appointment of a DPO ✔ Conduct DPIA/PIA for the high-risk processing activities ✔ Rollout of DSAR Response plan ✔ Train the Privacy Officer/PoC to handle and respond to DSRs Phase 1: Assessments Phase 2: Design & Develop Phase 3: Implementation ✔ Ongoing program improvement ✔ Train the internal privacy officer/PoC to keep a regular check on the privacy framework ✔ Conduct a test run on all the rollouts ✔ Assist the privacy officer/PoC in monitoring the developed framework for 1 week POST-COMPLIANCE: DPO to handle the privacy operations on day-to-day basis and keep monitoring the compliance regularly (mandatory regulatory requirement). 12 Phase 4: Test & Monitor

• 13. Phase 1: Assessment Discussions with stakeholders and understanding of the people, process, technology and governance structure with respect to data privacy Meeting with representatives from various departments within the organisation (e.g., HR, IT, Legal, Marketing, Operations) who handle or have access to personal data to understand their roles, responsibilities, and awareness regarding data privacy practices. Prepare and finalize in-depth Project Plan – Kickoff Deck 13 1 2 Perform harmonization of all in-scope regulations and finalize the rationalized controls 3 Kickoff Deck summarizes the project plan in a clear and concise presentation format creating a detailed plan for the entire data privacy compliance project, outlining the activities, timelines, resources, and deliverables for each phase. Identifying all relevant data privacy regulations that apply to organisation’s operations. This might include the KSA PDPL, SDAIA Guidelines, NDMO Guidelines etc. Then Analyzing any potential conflicts or overlaps between these regulations and determine the most stringent requirements that need to be met.

• 14. Phase 1: Assessment (Cont.) Review the relevant policies and documents to analyze the current system Review existing policies and documents to assess their alignment with KSA PDPL requirements and identify any gaps or areas needing improvement. Analyze the flow of data and business processes Identify all data repositories and sources within the organisation to gain a comprehensive understanding of the data landscape and potential privacy risks. Map out the lifecycle of data within the organisation's business processes to identify areas where personal data is collected, stored, processed, or transmitted, ensuring compliance at each stage. 14 4 5 Conduct Privacy Gap Assessments and Impact Assessments Evaluate existing privacy practices against KSA PDPL requirements to identify areas of non-compliance or gaps in privacy controls, ensuring comprehensive coverage across all departments and functions. Assess the potential privacy risks associated with specific data processing activities, identifying measures to mitigate these risks and ensure compliance with KSA PDPL requirements. 6 Building upon the findings from the Assessment phase, we will move to the Design & Develop phase

• 15. PHASE 2 Design & Develop 15

• 16. Phase 2: Design & Develop Report on Improvement Areas A report will be prepared to categorize the gaps in the organisation's data privacy practices based on severity and prioritize them for remediation. Implementation Roadmap A detailed plan that outlines the steps required to address the identified gaps. The roadmap specifies timelines, resources needed, and ownership for each remediation activity. Organizational Privacy Model A framework that defines the organisation's approach to data privacy is designed. The model should outline roles and responsibilities for data privacy within the organization, including data ownership, access controls, and accountability. 16 1 3 Design & Develop Documents The most important stage where we draft for you documents essential for data privacy compliance which include Privacy policies, Procedures, Forms, Templates, Guidelines, Privacy Notices and Consent Forms. 4 2

• 17. Phase 2: Design & Develop (Cont.) Transfer and Processing Agreements Standard agreements and templates for situations where the organisation needs to transfer or process personal data to third parties (vendors, service providers, etc.). These agreements ensure that data is handled securely and complies with relevant regulations. Incident and Breach Response Model A comprehensive plan outlining how the organisation will identify, contain, report, and recover from a data security breach will be designed mentioning the roles and responsibilities for various teams and communication protocols for notifying relevant stakeholders. 17 5 6 DSR Response Mechanism A framework for handling Data Subject Requests (DSRs) outlining procedures for receiving and verifying DSRs, identifying relevant data, and providing individuals with access to their personal data as mandated by regulations. 7

• 18. Phase 2: Design & Develop (Cont.) Privacy Training Material Training material for employees on data privacy policies and procedures is designed covering topics like data security best practices, handling data subject requests, and recognizing and reporting data breaches. Privacy by Design (if applicable) Integrating data privacy considerations into the organisation’s existing processes and systems. This ensures that privacy is considered throughout the data lifecycle, from collection to disposal. 18 8 9 Record of Processing Activities (ROPA) A ROPA process as required by regulations is set up, which is a documented inventory of all the organisation’s data processing activities, including details about the data collected, purpose of processing, legal basis and retention periods. 10 Following the Design & Develop phase, we move on to the breakdown of the stages involved in the Implementation phase

• 19. PHASE 3 Implementation 19

• 20. Phase 3: Implementation Finalize Documentation for Management Review Finalizing all the documents created in the Design & Develop phase to ensure the documents are clear, concise, and easy to understand for all stakeholders. Executive Summary Report A high-level report summarizing the entire data privacy compliance project. It includes key findings from the assessment, implemented solutions, and expected outcomes. PMO Support in Implementation Provide Project Management Office (PMO) support to the organisation’s stakeholders during implementation facilitating communication, tracking progress, managing resources, and resolving any roadblocks encountered. 20 1 3 Third-Party Risk Treatment Rollout Implementation of the strategies designed to address data privacy risks associated with third-party vendors and service providers. 4 2

• 21. Phase 3: Implementation (Cont.) Implementation Tracker and Status Report An implementation tracker to monitor the progress of all activities outlined in the roadmap is developed and a regular status reports for the organisation’s management on the overall implementation progress is generated. Policy and Procedure Rollout Officially launching the finalized policies, procedures, forms, templates, and guidelines and these documents are effectively communicated to all relevant personnel within the organisation. Incident Response Plan Rollout Implementation of the Incident and Breach Response Plan designed in the previous phase. This involves testing the plan, assigning roles and responsibilities for incident response, and ensuring all personnel understand the procedures to follow. 21 5 7 Privacy Awareness Training Privacy awareness training sessions for employees across different departments on the new data privacy policies, procedures, and their roles in maintaining compliance. 8 6 By successfully implementing these stages, the organisation will establish the core data privacy compliance framework within the organization. Next is testing and monitoring of the implementation.

• 22. PHASE 4 Test & Monitor 22

• 23. 23 Phase 4: Test & Monitor Ongoing Program Improvement This stage focuses on continuously identifying areas for improvement within the implemented data privacy program. Reviewing processes, regulations, and industry best practices to identify opportunities to enhance effectiveness. PoC to Keep a Regular Check on the Privacy Framework This stage equips the organisation's designated privacy officer (PO) or point of contact (PoC) with the knowledge and skills to monitor the data privacy program independently. Test Run on All the Rollouts Simulating real-world scenarios are deployed to test the effectiveness of the newly implemented data privacy controls and procedures. 1 2 Assistance in Monitoring the Developed Framework for 1 Week During the initial week, we will work alongside the organisation's privacy officer/PoC to monitor the implemented framework in action. This provides hands-on support and ensures a smooth transition to their independent monitoring capabilities. 4 3 By the end of all the four phases, the organisation would have a KSA PDPL compliant Data Protection & Privacy Framework.

• 24. Key Deliverables These are the list of deliverables for all the 4-phases of the implementation. ✔ Detailed Project Plan and Kickoff Deck ✔ Rationalized Control Framework ✔ Document Review Report ✔ Data Flow Report ✔ Detailed Privacy Gap Analysis Report with recommendations ✔ Detailed Improvement Plan with implementation roadmap ✔ Privacy compliant external Privacy Notices (for both customers and employees) ✔ Privacy compliant internal Privacy Policies (all mandatory policies) ✔ Privacy compliant internal Privacy Procedures and Guidelines ✔ Privacy compliant Privacy Forms and Templates ✔ Privacy compliant Cookie Policy ✔ Breach Response Plan ✔ Data Subject Request (DSR) Response Plan ✔ Privacy based Privacy Training module for employees ✔ Privacy by Design Plan for the Products (if applicable) ✔ Record of Processing Activities ✔ Executive Summary Report ✔ Management Discussions and Approval of the Privacy Design ✔ Implementation Tracker with active updates on rollout status and challenges ✔ Third-party Risk Treatment Report ✔ Privacy awareness sessions and trainings within the organization ✔ DPIA Report for the required processing (Product-based) ✔ Appointment of a DPO ✔ Training of the Data Protection Officer/PoC to handle and respond to Data Subject Requests Phase 1: Assessments Phase 2: Design & Develop Phase 3: Implementation ✔ Training of the Data Protection Officer/PoC to keep a regular check on the privacy framework ✔ Internal Test Report ensuring compliance 24 Phase 4: Test & Monitor

• 25. Where Tech Makes the Difference 25

• 26. What Is The Role of Technology in PDPL? Consent Operations Data Subject Outreach Consent Tracking Consent History Data Governance Data Mapping Data Lineage Data Flow Tracking Access Management Risk Surface Control Data Retention System Enablement DSR Automation Self-Help Portal Periodic Training Become Compliant AND Remain Compliant 26

• 27. Consent Operations Direct Marketing Requires Consent ● You can’t email / WhatsApp someone just because you have their email / mobile number Consent Must be Granular ● What activity did Ahmed consent to ● What mode of communication did Ahmed consent to Consent Tracking & History ● Who withdrew / amended consent, when, how 27

• 28. Access Management Risk Surface Control: ● Risk cannot be eliminated, but it CAN be managed… From here To here And here 28

• 29. DSR Management A customer may ask for his data to be removed ● Doing this manually costs up to $1m annually 29 Company with 1m customer records may receive up to 578 access / deletion requests which may cost up to $1,524 each; Gartner and DataGrail

• 30. Enablement Self-Help Portal: So your colleagues can ask the system what is compliant rather than ask the DPO… 30

• 31. Pyxos Fusion: AI Powered PDPL Compliance Platform Navigate Provides a comprehensive toolset designed to guide stakeholders through understanding legal requirements, developing organizational policies, and managing enablement initiatives. Illuminate AI-powered data discovery and privacy risk mapping toolset that provides comprehensive visibility and control over an organization’s data landscape. Orchestrate Streamlines PDPL compliance by automating and managing critical workflows for Records of Processing Activities (ROPA), Data Subject Access Requests (DSARs), and third-party risk assessments, ensuring auditable data protection across the organization. Consent Automates the process of obtaining, storing, and managing user consent for data collection and processing. Protect Safeguards sensitive information intercepting data flows, applying robust encryption, and implementing advanced obfuscation techniques. With AI continuously analyzing data flows, Protect ensures that data remains secure and compliant throughout its lifecycle. Modules to navigate legal requirements, inventory data sources, automate workflows, empower individual consent, and protect data. 31

• 32. Thank you! Varun Arora Country GM, KSA Mobile: +65-9191-9195 Email: varun@pyxos.ai For more information, please contact: 32