Understanding KSA’s PDPL in the Age of AI (English Version - by Pyxos Feb 2025)

Understanding KSA’s PDPL in the Age of AI (English Version - by Pyxos Feb 2025)

• 1. Understanding KSA’s PDPL in the Age of AI: Best Practices for Compliance & Growth 1 Co-hosted with Presented by KSA’s First PDPL-Focused Data Privacy Solution

• 2. Varun Arora, VP of Partnerships & KSA Lead at Pyxos Business builder and Country / Region Head for Californian technology companies MBA, EPGM, AWS Architect Email: varun@pyxos.ai Website: https://www.pyxos.ai/ Anurag Sushant, Senior PDPL Expert Data Protection and Privacy Expert with global experience Formerly with KPMG and Deloitte MBA (Privacy Management) and Law CIPP/E, CIPM, and ISO Auditor Today’s PDPL Speakers 2

• 3. Pyxos: Helping you become compliant and remain compliant Varun Arora VP of Partnerships & Country Manager, KSA at Pyxos 3

• 4. Concepts of Data Privacy and KSA PDPL Anurag Sushant Senior PDPL Expert 4

• 5. Data Privacy and Data Protection Data privacy, also known as information privacy, involves the proper handling of personal data. This includes how data is collected, stored, managed, and shared with third parties, as well as the individual's rights to control their personal information. Data Protection measures ensure the practical implementation of data privacy concepts. 5

• 6. Personal Data 1 Broad Definition Any information that relates to an identified or identifiable individual, including names, addresses, email addresses, phone numbers, and IP addresses. 2 Applies to PDPL The Personal Data Protection Law covers the processing of personal data. 6

• 7. Data Subjects Individuals whose personal data is collected, held, or processed, such as customers, employees, and website visitors. Data Controllers Entities that determine the purposes and means of processing personal data, like companies, government bodies, and organizations. Data Subjects and Data Controllers 7

• 8. Data Processors and Consent Data Processors Entities that process personal data on behalf of the Data Controller or Data Fiduciary. Consent A critical aspect of the PDPL, referring to the freely given, specific, informed, and unambiguous indication of the data subject's wishes. 8

• 9. Data Breaches and Data Protection Officers Data Breaches Security incidents that result in the accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data. Data Protection Officers Individuals appointed to ensure compliance with data protection laws and act as a contact point for data subjects and authorities. 9

• 10. Data Processing and Regulatory Authorities Data Processing Any operation performed on personal data, from collection to deletion. Regulatory Authorities Independent public authorities that oversee the application of data protection laws and enforce compliance. SDAIA is the Regulator in KSA. 10

• 11. Scope and Applicability 11

• 12. Material Scope of the PDPL The KSA PDPL applies to the processing of personal data of the individuals, including data collected, stored, or shared electronically. PDPL also includes the personal data of deceased individuals. 12

• 13. Territorial Scope of the PDPL The KSA PDPL applies to processing of personal data within KSA and outside KSA if related to offering goods or services to Saudi residents. 13

• 14. Data Privacy Principles Ba 14

• 15. Lawfulness, Fairness, and Transparency Legal Basis Personal data must be processed lawfully, with a clear legal justification. Fair Practices Data handling must be fair and not misleading to individuals. Transparency Provide clear information to data subjects about data processing activities. 1 3 2 15

• 16. Purpose Limitation Specified Purposes Data must be collected for explicit and legitimate purposes. Compatible Use Data cannot be used for unrelated or unexpected purposes. 16

• 17. Data Minimization Collect Only What's Needed Limit data collection to the minimum required for the purpose. Reduce Risks Minimizing data reduces risks of breaches and misuse. 17

• 18. Accuracy and Storage Limitation Accuracy Personal data must be accurate and kept up-to-date. Storage Limitation Data should not be kept longer than necessary. 18

• 19. Integrity and Confidentiality Security Protect data against unauthorized access and loss. Safeguards Implement appropriate technical and organizational measures to ensure data integrity. 19

• 20. Accountability Documentation Maintain records to demonstrate compliance. Audits Regularly review and assess data processing activities. Training Educate employees on data protection responsibilities. 1 2 3 20

• 21. Lawful Grounds for Data Processing 21

• 22. Lawful Grounds for Processing under the PDPL Consent Freely given, specific, informed, and unambiguous Contractual Obligation Processing essential for fulfilling a contract Legal Obligation Compliance with laws, regulations, or court orders 1 2 3 22

• 23. Lawful Grounds (Cont.) 4. Vital Interests Process data to protect someone's life or prevent serious harm. 5. Public Interest Process data for tasks carried out in the public interest. 6. Legitimate Interests Process data based on the organization's legitimate interests. 23

• 24. Rights of Data Subjects 24

• 25. Data Subject Rights under the PDPL Right to Access Individuals can access their personal data, know how it's used, and obtain copies. Right to Correction & Destruction Individuals can request correction of inaccurate data and erasure of unnecessary data. Right to be Informed Individuals have the right to be informed about the legal basis and the purpose of the collection of their Personal Data. Right to Data Portability Individuals can request obtaining their Personal Data held by the Controller in a readable and clear format. 1 2 3 4 25

• 26. Compliance Requirements & Challenges Anurag Sushant Senior PDPL Expert 26

• 27. Accountability & Obligations 27

• 28. Accountability in Action Data Controllers Determine purposes and means of processing Implement appropriate measures to ensure compliance Data Processors Process data on behalf of controllers Adopt strong security practices and assist controllers Joint Controllers Jointly determine purposes and means of processing Define roles and responsibilities transparently 28

• 29. Data Protection by Design Integrate Privacy Implement data protection principles from the outset of system and product development. Data Minimization Process only the necessary personal data for each specific purpose. Security Measures Implement technical and organizational measures to protect personal data. 1 2 3 29

• 30. Documentation and Cooperation Records of Processing Maintain comprehensive documentation of data processing activities. Regulatory Cooperation Provide information to data protection authorities to demonstrate compliance. Data Protection Impact Assessments Conduct DPIAs for high-risk processing activities. 30

• 31. Data Protection Officers Monitoring Oversee data protection strategy and implementation. Compliance Ensure compliance with data protection laws. Point of Contact Act as a point of contact for data subjects and regulators. 31

• 32. Auditing Privacy Programs Assess Effectiveness Evaluate the effectiveness of data protection measures. Identify Improvements Pinpoint areas for enhancing privacy practices. Ensure Compliance Verify adherence to policies and procedures. 1 2 3 32

• 33. Controllers Notify Report breaches to authorities within 72 hours. Inform Individuals Notify affected individuals if the breach poses high risk. Processors Inform Promptly notify controllers of any discovered breaches. 1 2 3 Breach Notification 33

• 34. Encryption Implement robust encryption to protect personal data. Access Controls Establish comprehensive access controls to limit data access. Regular Audits Conduct periodic security audits to identify and address vulnerabilities. Appropriate Technical & Organizational Measures 34

• 35. Data Protection Officer (DPO) 35

• 36. Responsibilities of the DPO Monitoring Compliance The DPO ensures the organization follows data protection laws. Advising on DPIAs The DPO oversees data protection impact assessments. Training & Awareness The DPO educates staff on data protection principles. Liaising with Authorities The DPO is the primary contact for data protection authorities. 36

• 37. Importance of the Data Protection Officer Compliance & Strategy The DPO helps organizations comply with data protection laws and enhance data protection strategies. Trust Building The DPO fosters trust with customers, employees, and authorities. Risk Reduction The DPO helps mitigate the risk of data protection violations. 37

• 38. International Data Transfers As organizations operate globally, transferring personal data across borders has become common. Ensuring compliance with data protection laws is crucial to safeguard privacy and maintain data integrity. B a 38

• 39. PDPL and International Transfers Adequacy Decisions The Regulator can determine if another country/jurisdiction provides adequate data protection, allowing free data flow. Standard Contractual Clauses Standard Contractual Clauses (SCCs) are standardized and pre-approved model data protection to ensure appropriate safeguards for international transfers. Binding Corporate Rules Binding corporate rules (BCR) are data protection policies adhered to by companies established in the KSA for transfers of personal data outside the Kingdom within a group of undertakings or enterprises. 1 3 2 39

• 40. Impact on Businesses & Data Subjects Anurag Sushant Senior PDPL Expert 40

• 41. Impact on Businesses - Penalties Sensitive Data Disclosure The disclosure or publication of sensitive data contrary to the PDPL may result in penalties of imprisonment for up to two years or a fine of up to SAR 3,000,000. Violation of Transfer Provisions Violation of the data transfer provisions could result in imprisonment for up to one year and a fine of up to SAR 1,000,000. Violation of PDPL Provisions Repeated Violations Any of the fines could also be increased up to double the stated maximums for repeat offences and the court may order confiscation of funds gained as a result of breaching the law and/or require publication of the judgment in a newspaper or other media at the offender’s expense. 1 2 3 4 In respect of all other provision of the PDPL. the penalties are limited to a warning notice or a fine of up to SAR 5,000,000. 41

• 42. Benefits of Privacy Compliance Protect Privacy Adhere to regulations to safeguard individuals' personal data rights. Build Trust Compliance fosters customer trust and loyalty in the organization. Mitigate Risks Avoid financial penalties, legal actions, and reputational damage. Ethical Practices Demonstrate a commitment to responsible data handling. Competitive Edge Stay ahead of the competition by establishing Privacy as a USP. Privacy Culture Promote a culture of data protection within the organization. 42

• 43. Case Study 43

• 44. Overview Data from 87 million Facebook users was harvested without consent and used for political profiling and targeted advertising. Concern Failure to obtain proper user consent and lack of transparency in data sharing. Regulatory Impact Fined $5 Billion by the U.S. Federal Trade Commission (FTC) for privacy violations. Faced scrutiny under GDPR as well. Business Impact Loss of user trust, decline in stock value, and global backlash. Triggered regulatory changes and stronger privacy laws worldwide. Facebook-Cambridge Analytica Scandal (2018) 44

• 45. Overview H&M was penalized by the Hamburg DPA for unlawfully collecting and storing extensive personal data of employees. Concern H&M recorded sensitive employee data without proper grounds, violating GDPR principles of data minimization and purpose limitation. Regulatory Impact The €35.3 million fine was one of the highest GDPR penalties at the time, emphasizing the importance of employee data protection. Business Impact The case damaged H&M’s reputation, requiring to implement stricter data privacy policies and financial compensation for affected employees. H&M Employee Data Privacy Violation (2020) 45

• 46. PDPL Use Cases B a 46

• 47. AI and Automated Decision Making in Tech Industry A tech company developed an AI-driven recruitment platform that used algorithms to screen job applications. To comply with privacy regulations like PDPL, the company implemented transparency, fairness, and accountability measures in their AI systems. Points to Ponder ● Explainability ● Bias Mitigation ● User Rights ● Regulatory Preparedness ● Organisational Measures 47 Scenario

• 48. Vendor Risk Management in Fintech Industry Scenario A financial services firm relies on third-party vendors for IT support, cloud storage, and payment processing. Recognizing the risks associated with third-party data handling, FinTrust implemented a robust Vendor Risk Management program. All vendors were required to comply with PDPL standards, and regular audits were conducted to ensure ongoing compliance. Points to Ponder ● Contractual Safeguards ● Regular Audits ● Shared Accountability ● Business Continuity ● Organisational Measures 48

• 49. The Risks of AI in Compliance Varun Arora VP of Partnerships & Country Manager, KSA at Pyxos 49

• 50. Gen AI Training ● Will your prompt be used for training? ● If you train your own LLM, how will use data from your core systems? Will you have to anonymize all information? ● Did you seek approval from your data subjects? ● Right to be forgotten… B a 50

• 51. Gen AI Location and Transparency ● Where is the Gen AI platform storing data? ● Data residency? ● How is the model governed? ● Who has access to the data? 51

• 52. Gen AI and Compliance - What you can do now Minimize data access Validate your tools Conduct Privacy Impact Assessments as Needed 1 2 3 4 Train your people 52

• 53. How can Technology help you in your PDPL Journey? 53

• 54. What Is The Role of Technology in PDPL? Consent Operations Data Subject Outreach Consent Tracking Consent History Data Governance Data Mapping Data Lineage Data Flow Tracking Access Management Risk Surface Control Data Retention System Enablement DSR Automation Self-Help Portal Periodic Training Become Compliant AND Remain Compliant 54

• 55. Enablement What happens if a customer wants you to remove his information? You need: ● A policy for how to deal with this ● A documented method for a customer to be able to contact you regarding this ● A system that tracks these requests and ensures they are handled in 30 days ● A system that locates all databases where the customer’s data is sitting and deletes it automatically… ● Is this correct? ● NO! A system that notifies the DPO and seeks DPO consent first! 55

• 56. Enablement Self-Help Portal: So your colleagues can ask the system what is compliant rather than ask the DPO… what happens if you ask the DPO? 56

• 57. Phase 1 Assessment, Gap Analysis, and Project Planning Phase 2 Design and Development of Compliance Program Phase 3 Compliance Program Implementation “FAST START” SERVICES TECHNOLOGY DEPLOYMENT KICKOFF Pyxos helps you to achieve PDPL compliance in 90 days—and remain compliant with advanced technology and tools Initial testing and Monitoring Review (ongoing maintenance follows) Ongoing technology development and deployment Achieving Compliance 57 Details Redacted for Distribution

• 58. Best Practices for PDPL Compliance Anurag Sushant Senior PDPL Expert 58

• 59. 01 Start with the Assessments PDPL Gap Assessment Conduct PDPL gap assessments to analyse the current practices against the PDPL requirements. Record of Processing Activities (ROPA) Document all personal data processing activities, including purpose, data categories, and retention periods. Data Protection Impact Assessments (DPIA) Conduct DPIAs for high-risk processing activities and mitigate the risks before processing. i ii iii 59

• 60. 02 Design a Robust Privacy Strategy Develop Comprehensive PDPL Policies & Process Create clear data protection policies outlining responsibilities, procedures, and compliance requirements. Include policies on data retention, breach notification, and third-party data sharing. Employee Training & Awareness Promote a privacy-first culture within the organization by regularly training staff on PDPL requirements, data handling best practices, and recognizing data breaches. Conduct Regular Assessments & Audits Schedule periodic internal and external audits to ensure ongoing compliance. Address audit findings promptly to strengthen data protection measures. 60 i ii iii

• 61. 03 Use Technology to Enhance Protection Encryption & Tokenization Use encryption and tokenization for data at rest and in transit to safeguard against unauthorized access. Pseudonymization Use pseudonymization and anonymization to limit data exposure while maintaining utility and remove identifiers respectively. Privacy Co-pilot Tools Implement automated compliance reporting systems for continuous oversight. Use monitoring tools to detect unauthorized access. i ii iii 61

• 62. 04 Setup the DPO Function Appoint a DPO Designate or outsource a qualified privacy professional/DPO with expertise in data protection to oversee compliance. Communication Channels Establish clear internal and external reporting and communication mechanisms for data protection concerns. Stay Updated with Regulator Monitor regulatory updates and engage with authorities to ensure ongoing compliance. i ii iii 62

• 63. Summary of Learnings Varun Arora VP of Partnerships & Country Manager, KSA at Pyxos 63

• 64. What We Learnt, and Next Steps ● PDPL, ROPA, DSR, DIA ● Audience: Who needs to be compliant with PDPL? ● PDPL compliance is not optional - it’s the law ● Penalties for not complying include imprisonment ● Your senior leadership must understand that they are liable ● It’s not enough to become compliant; you must remain compliant ● A mix of consulting and technology can get you there in as little as 90 days 64

• 65. Post Event Follow-Up REACH OUT TO ME: varun@pyxos.ai or +65-9191-9195 ● I am happy to help answer questions DOWNLOAD TODAY’S MATERIALS ● Scan the QR code to gain access to portions of today’s presentation, as well as additional resources to guide your PDPL and AI journey in KSA. 65