Understanding KSA’s PDPL in the Age of AI (English Version - by Pyxos Feb 2025)

AI Summary
Key Insights
  • 📜 Overview of PDPL: The presentation provides an overview of KSA's Personal Data Protection Law (PDPL) and related regulations like ROPA, DSR, and DIA.
  • 🧑‍💼 Audience: It clarifies who needs to comply with PDPL, emphasizing that compliance is mandatory and senior leadership must be aware of their liabilities.
  • ⚖️ Legal Consequences: Penalties for non-compliance can include imprisonment, highlighting the seriousness of adhering to the law.
  • 🔄 Continuous Compliance: It stresses the importance of not only becoming compliant but also remaining compliant over time.
  • 🤝 Consulting and Technology: The presentation suggests that a combination of consulting and technology can facilitate PDPL compliance within approximately 90 days.
#RiskManagement #DataPrivacy #PersonalData #KSA #PDPL #ComplianceStrategy #Technology #DataProtection #PrivacyLaws #AICompliance #Riyadh #RiyadhChamber #BayanAcademy

  • 1. Understanding KSA’s PDPL in the Age of AI: Best Practices for Compliance & Growth. Co-hosted with [...]. Presented by KSA’s First PDPL-Focused Data Privacy Solution.
  • 2. Today’s PDPL Speakers. Varun Arora, VP of Partnerships & KSA Lead at Pyxos: business builder and Country / Region Head for Californian technology companies; MBA, EPGM, AWS Architect. Email: varun@pyxos.ai. Website: https://www.pyxos.ai/. Anurag Sushant, Senior PDPL Expert: data protection and privacy expert with global experience; formerly with KPMG and Deloitte; MBA (Privacy Management) and Law; CIPP/E, CIPM, and ISO Auditor.
  • 3. Pyxos: Helping you become compliant and remain compliant. Varun Arora, VP of Partnerships & Country Manager, KSA at Pyxos.
  • 4. Concepts of Data Privacy and KSA PDPL. Anurag Sushant, Senior PDPL Expert.
  • 5. Data Privacy and Data Protection. Data privacy, also known as information privacy, involves the proper handling of personal data: how data is collected, stored, managed, and shared with third parties, as well as the individual’s rights to control their personal information. Data protection measures ensure the practical implementation of data privacy concepts.
  • 6. Personal Data. Broad Definition: any information that relates to an identified or identifiable individual, including names, addresses, email addresses, phone numbers, and IP addresses. Applies to PDPL: the Personal Data Protection Law covers the processing of personal data.
  • 7. Data Subjects and Data Controllers. Data Subjects: individuals whose personal data is collected, held, or processed, such as customers, employees, and website visitors. Data Controllers: entities that determine the purposes and means of processing personal data, like companies, government bodies, and organizations.
  • 8. Data Processors and Consent. Data Processors: entities that process personal data on behalf of the Data Controller or Data Fiduciary. Consent: a critical aspect of the PDPL, referring to the freely given, specific, informed, and unambiguous indication of the data subject’s wishes.
  • 9. Data Breaches and Data Protection Officers. Data Breaches: security incidents that result in the accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data. Data Protection Officers: individuals appointed to ensure compliance with data protection laws and to act as a contact point for data subjects and authorities.
  • 10. Data Processing and Regulatory Authorities. Data Processing: any operation performed on personal data, from collection to deletion. Regulatory Authorities: independent public authorities that oversee the application of data protection laws and enforce compliance. SDAIA is the Regulator in KSA.
  • 11. Scope and Applicability.
  • 12. Material Scope of the PDPL. The KSA PDPL applies to the processing of personal data of individuals, including data collected, stored, or shared electronically. The PDPL also covers the personal data of deceased individuals.
  • 13. Territorial Scope of the PDPL. The KSA PDPL applies to the processing of personal data within KSA, and outside KSA where the processing relates to offering goods or services to Saudi residents.
  • 14. Data Privacy Principles.
  • 15. Lawfulness, Fairness, and Transparency. Legal Basis: personal data must be processed lawfully, with a clear legal justification. Fair Practices: data handling must be fair and not misleading to individuals. Transparency: provide clear information to data subjects about data processing activities.
  • 16. Purpose Limitation. Specified Purposes: data must be collected for explicit and legitimate purposes. Compatible Use: data cannot be used for unrelated or unexpected purposes.
  • 17. Data Minimization. Collect Only What’s Needed: limit data collection to the minimum required for the purpose. Reduce Risks: minimizing data reduces the risk of breaches and misuse.
  • 18. Accuracy and Storage Limitation. Accuracy: personal data must be accurate and kept up to date. Storage Limitation: data should not be kept longer than necessary.
  • 19. Integrity and Confidentiality. Security: protect data against unauthorized access and loss. Safeguards: implement appropriate technical and organizational measures to ensure data integrity.
  • 20. Accountability. Documentation: maintain records to demonstrate compliance. Audits: regularly review and assess data processing activities. Training: educate employees on data protection responsibilities.
  • 21. Lawful Grounds for Data Processing.
  • 22. Lawful Grounds for Processing under the PDPL. 1. Consent: freely given, specific, informed, and unambiguous. 2. Contractual Obligation: processing essential for fulfilling a contract. 3. Legal Obligation: compliance with laws, regulations, or court orders.
  • 23. Lawful Grounds (Cont.). 4. Vital Interests: process data to protect someone’s life or prevent serious harm. 5. Public Interest: process data for tasks carried out in the public interest. 6. Legitimate Interests: process data based on the organization’s legitimate interests.
  • 24. Rights of Data Subjects.
  • 25. Data Subject Rights under the PDPL. 1. Right to Access: individuals can access their personal data, know how it is used, and obtain copies. 2. Right to Correction & Destruction: individuals can request correction of inaccurate data and erasure of unnecessary data. 3. Right to be Informed: individuals have the right to be informed about the legal basis and the purpose of the collection of their personal data. 4. Right to Data Portability: individuals can request to obtain their personal data held by the Controller in a readable and clear format.
  • 26. Compliance Requirements & Challenges. Anurag Sushant, Senior PDPL Expert.
  • 27. Accountability & Obligations.
  • 28. Accountability in Action. Data Controllers: determine purposes and means of processing; implement appropriate measures to ensure compliance. Data Processors: process data on behalf of controllers; adopt strong security practices and assist controllers. Joint Controllers: jointly determine purposes and means of processing; define roles and responsibilities transparently.
  • 29. Data Protection by Design. Integrate Privacy: implement data protection principles from the outset of system and product development. Data Minimization: process only the personal data necessary for each specific purpose. Security Measures: implement technical and organizational measures to protect personal data.
  • 30. Documentation and Cooperation. Records of Processing: maintain comprehensive documentation of data processing activities. Regulatory Cooperation: provide information to data protection authorities to demonstrate compliance. Data Protection Impact Assessments: conduct DPIAs for high-risk processing activities.
  • 31. Data Protection Officers. Monitoring: oversee data protection strategy and implementation. Compliance: ensure compliance with data protection laws. Point of Contact: act as a point of contact for data subjects and regulators.
  • 32. Auditing Privacy Programs. Assess Effectiveness: evaluate the effectiveness of data protection measures. Identify Improvements: pinpoint areas for enhancing privacy practices. Ensure Compliance: verify adherence to policies and procedures.
  • 33. Breach Notification. Controllers Notify: report breaches to authorities within 72 hours. Inform Individuals: notify affected individuals if the breach poses a high risk. Processors Inform: promptly notify controllers of any discovered breaches.
  • 34. Appropriate Technical & Organizational Measures. Encryption: implement robust encryption to protect personal data. Access Controls: establish comprehensive access controls to limit data access. Regular Audits: conduct periodic security audits to identify and address vulnerabilities.
  • 35. Data Protection Officer (DPO).
  • 36. Responsibilities of the DPO. Monitoring Compliance: the DPO ensures the organization follows data protection laws. Advising on DPIAs: the DPO oversees data protection impact assessments. Training & Awareness: the DPO educates staff on data protection principles. Liaising with Authorities: the DPO is the primary contact for data protection authorities.
  • 37. Importance of the Data Protection Officer. Compliance & Strategy: the DPO helps organizations comply with data protection laws and enhance data protection strategies. Trust Building: the DPO fosters trust with customers, employees, and authorities. Risk Reduction: the DPO helps mitigate the risk of data protection violations.
  • 38. International Data Transfers. As organizations operate globally, transferring personal data across borders has become common. Ensuring compliance with data protection laws is crucial to safeguard privacy and maintain data integrity.
  • 39. PDPL and International Transfers. Adequacy Decisions: the Regulator can determine whether another country or jurisdiction provides adequate data protection, allowing free data flow. Standard Contractual Clauses: SCCs are standardized, pre-approved model data protection clauses that ensure appropriate safeguards for international transfers. Binding Corporate Rules: BCRs are data protection policies adhered to by companies established in the KSA for transfers of personal data outside the Kingdom within a group of undertakings or enterprises.
  • 40. Impact on Businesses & Data Subjects. Anurag Sushant, Senior PDPL Expert.
  • 41. Impact on Businesses: Penalties. 1. Sensitive Data Disclosure: the disclosure or publication of sensitive data contrary to the PDPL may result in imprisonment for up to two years or a fine of up to SAR 3,000,000. 2. Violation of Transfer Provisions: violation of the data transfer provisions could result in imprisonment for up to one year and a fine of up to SAR 1,000,000. 3. Violation of PDPL Provisions: in respect of all other provisions of the PDPL, the penalties are limited to a warning notice or a fine of up to SAR 5,000,000. 4. Repeated Violations: any of the fines could be increased up to double the stated maximums for repeat offences, and the court may order confiscation of funds gained as a result of breaching the law and/or require publication of the judgment in a newspaper or other media at the offender’s expense.
  • 42. Benefits of Privacy Compliance. Protect Privacy: adhere to regulations to safeguard individuals’ personal data rights. Build Trust: compliance fosters customer trust and loyalty in the organization. Mitigate Risks: avoid financial penalties, legal actions, and reputational damage. Ethical Practices: demonstrate a commitment to responsible data handling. Competitive Edge: stay ahead of the competition by establishing privacy as a USP. Privacy Culture: promote a culture of data protection within the organization.
  • 43. Case Study.
  • 44. Facebook-Cambridge Analytica Scandal (2018). Overview: data from 87 million Facebook users was harvested without consent and used for political profiling and targeted advertising. Concern: failure to obtain proper user consent and lack of transparency in data sharing. Regulatory Impact: fined $5 billion by the U.S. Federal Trade Commission (FTC) for privacy violations; faced scrutiny under GDPR as well. Business Impact: loss of user trust, decline in stock value, and global backlash; triggered regulatory changes and stronger privacy laws worldwide.
  • 45. H&M Employee Data Privacy Violation (2020). Overview: H&M was penalized by the Hamburg DPA for unlawfully collecting and storing extensive personal data of employees. Concern: H&M recorded sensitive employee data without proper grounds, violating the GDPR principles of data minimization and purpose limitation. Regulatory Impact: the €35.3 million fine was one of the highest GDPR penalties at the time, emphasizing the importance of employee data protection. Business Impact: the case damaged H&M’s reputation, requiring it to implement stricter data privacy policies and pay financial compensation to affected employees.
  • 46. PDPL Use Cases.
  • 47. AI and Automated Decision Making in the Tech Industry. Scenario: a tech company developed an AI-driven recruitment platform that used algorithms to screen job applications. To comply with privacy regulations like the PDPL, the company implemented transparency, fairness, and accountability measures in its AI systems. Points to Ponder: ● Explainability ● Bias Mitigation ● User Rights ● Regulatory Preparedness ● Organisational Measures.
  • 48. Vendor Risk Management in the Fintech Industry. Scenario: a financial services firm relies on third-party vendors for IT support, cloud storage, and payment processing. Recognizing the risks associated with third-party data handling, FinTrust implemented a robust Vendor Risk Management program. All vendors were required to comply with PDPL standards, and regular audits were conducted to ensure ongoing compliance. Points to Ponder: ● Contractual Safeguards ● Regular Audits ● Shared Accountability ● Business Continuity ● Organisational Measures.
  • 49. The Risks of AI in Compliance. Varun Arora, VP of Partnerships & Country Manager, KSA at Pyxos.
  • 50. Gen AI Training. ● Will your prompt be used for training? ● If you train your own LLM, how will you use data from your core systems? Will you have to anonymize all information? ● Did you seek approval from your data subjects? ● Right to be forgotten…
  • 51. Gen AI Location and Transparency. ● Where is the Gen AI platform storing data? ● Data residency? ● How is the model governed? ● Who has access to the data?
  • 52. Gen AI and Compliance: What you can do now. 1. Minimize data access. 2. Validate your tools. 3. Conduct Privacy Impact Assessments as needed. 4. Train your people.
  • 53. How can Technology help you in your PDPL Journey?
  • 54. What Is The Role of Technology in PDPL? Consent Operations: data subject outreach, consent tracking, consent history. Data Governance: data mapping, data lineage, data flow tracking, access management, risk surface control, data retention. System Enablement: DSR automation, self-help portal, periodic training. Become compliant AND remain compliant.
  • 55. Enablement. What happens if a customer wants you to remove his information? You need: ● A policy for how to deal with this ● A documented method for a customer to be able to contact you regarding this ● A system that tracks these requests and ensures they are handled in 30 days ● A system that locates all databases where the customer’s data is sitting and deletes it automatically… ● Is this correct? ● NO! A system that notifies the DPO and seeks DPO consent first!
  • 56. Enablement. Self-Help Portal: so your colleagues can ask the system what is compliant rather than asking the DPO… what happens if you ask the DPO?
  • 57. Achieving Compliance. Pyxos helps you to achieve PDPL compliance in 90 days, and remain compliant with advanced technology and tools. Kickoff; “Fast Start” services; technology deployment. Phase 1: Assessment, Gap Analysis, and Project Planning. Phase 2: Design and Development of Compliance Program. Phase 3: Compliance Program Implementation. Initial testing and monitoring review (ongoing maintenance follows); ongoing technology development and deployment. Details redacted for distribution.
  • 58. Best Practices for PDPL Compliance. Anurag Sushant, Senior PDPL Expert.
  • 59. 01 Start with the Assessments. i. PDPL Gap Assessment: conduct PDPL gap assessments to analyse current practices against the PDPL requirements. ii. Record of Processing Activities (ROPA): document all personal data processing activities, including purpose, data categories, and retention periods. iii. Data Protection Impact Assessments (DPIA): conduct DPIAs for high-risk processing activities and mitigate the risks before processing.
  • 60. 02 Design a Robust Privacy Strategy. i. Develop Comprehensive PDPL Policies & Processes: create clear data protection policies outlining responsibilities, procedures, and compliance requirements; include policies on data retention, breach notification, and third-party data sharing. ii. Employee Training & Awareness: promote a privacy-first culture within the organization by regularly training staff on PDPL requirements, data handling best practices, and recognizing data breaches. iii. Conduct Regular Assessments & Audits: schedule periodic internal and external audits to ensure ongoing compliance; address audit findings promptly to strengthen data protection measures.
  • 61. 03 Use Technology to Enhance Protection. i. Encryption & Tokenization: use encryption and tokenization for data at rest and in transit to safeguard against unauthorized access. ii. Pseudonymization: use pseudonymization to limit data exposure while maintaining utility, and anonymization to remove identifiers. iii. Privacy Co-pilot Tools: implement automated compliance reporting systems for continuous oversight; use monitoring tools to detect unauthorized access.
  • 62. 04 Set up the DPO Function. i. Appoint a DPO: designate or outsource a qualified privacy professional/DPO with expertise in data protection to oversee compliance. ii. Communication Channels: establish clear internal and external reporting and communication mechanisms for data protection concerns. iii. Stay Updated with the Regulator: monitor regulatory updates and engage with authorities to ensure ongoing compliance.
  • 63. Summary of Learnings. Varun Arora, VP of Partnerships & Country Manager, KSA at Pyxos.
  • 64. What We Learnt, and Next Steps. ● PDPL, ROPA, DSR, DIA ● Audience: who needs to be compliant with PDPL? ● PDPL compliance is not optional: it’s the law ● Penalties for not complying include imprisonment ● Your senior leadership must understand that they are liable ● It’s not enough to become compliant; you must remain compliant ● A mix of consulting and technology can get you there in as little as 90 days
  • 65. Post Event Follow-Up. Reach out to me: varun@pyxos.ai or +65-9191-9195 ● I am happy to help answer questions. Download today’s materials ● Scan the QR code to gain access to portions of today’s presentation, as well as additional resources to guide your PDPL and AI journey in KSA.
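Two slides above carry a concrete technical point: slide 55 says a deletion-request system must not delete automatically but must notify the DPO and obtain consent first, while tracking the 30-day handling window, and slide 61 distinguishes pseudonymization (identifiers replaced but utility kept) from anonymization (identifiers removed). The Python below is an added example that ties the two together; it is not code from the Pyxos deck or from the Pyxos product. It assumes a keyed pseudonym (HMAC-SHA-256 under a secret the controller holds) is what links a subject's rows across systems, and it uses constructed sample stores, a constructed key and a constructed request date; all function and status names are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Assumption: a secret held only by the controller; the value is constructed for this example.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"
SLA_DAYS = 30  # handling deadline named on slide 55


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA-256); key holders can recompute it to join records, anonymization could not."""
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


class Status(Enum):
    AWAITING_DPO = "awaiting_dpo"  # received and located; nothing deleted yet
    APPROVED = "approved"          # DPO consented; deletion may run
    REJECTED = "rejected"          # DPO declined, e.g. a retention duty applies
    COMPLETED = "completed"


class DeletionNotApproved(Exception):
    """Raised when a deletion is attempted before the DPO has approved it."""


@dataclass
class DeletionRequest:
    request_id: str
    subject_pseudonym: str  # the ticket never stores the raw e-mail address
    received_on: date
    status: Status = Status.AWAITING_DPO
    dpo_note: str = ""

    @property
    def due_on(self) -> date:
        return self.received_on + timedelta(days=SLA_DAYS)

    def days_left(self, today: date) -> int:
        return (self.due_on - today).days

    def is_overdue(self, today: date) -> bool:
        return self.status in (Status.AWAITING_DPO, Status.APPROVED) and today > self.due_on


def sample_stores() -> dict:
    """Constructed sample data: three systems keyed by pseudonym, not by raw e-mail."""
    alice = pseudonymize("Alice@Example.com")
    bob = pseudonymize("bob@example.com")
    return {
        "crm": [{"subject": alice, "email": "alice@example.com"},
                {"subject": bob, "email": "bob@example.com"}],
        "billing": [{"subject": alice, "invoice": "INV-1"},
                    {"subject": alice, "invoice": "INV-2"},
                    {"subject": bob, "invoice": "INV-3"}],
        "marketing": [{"subject": alice, "list": "newsletter"}],
    }


def locate(pseudonym: str, stores: dict) -> dict:
    """Count the rows held per store for one subject; reads only, deletes nothing."""
    return {name: sum(1 for row in rows if row["subject"] == pseudonym)
            for name, rows in stores.items()}


def record_request(request_id: str, raw_email: str, received_on: date) -> DeletionRequest:
    """Log an incoming request, keeping only the pseudonym of the requester."""
    return DeletionRequest(request_id, pseudonymize(raw_email), received_on)


def dpo_decision(req: DeletionRequest, approve: bool, note: str) -> DeletionRequest:
    """The DPO's consent is the gate between 'located' and 'deleted'."""
    req.status = Status.APPROVED if approve else Status.REJECTED
    req.dpo_note = note
    return req


def execute_deletion(req: DeletionRequest, stores: dict) -> dict:
    """Remove the subject's rows from every store; refuses to run without DPO approval."""
    if req.status is not Status.APPROVED:
        raise DeletionNotApproved(f"{req.request_id} is {req.status.value}, not approved")
    removed = {}
    for name, rows in stores.items():
        keep = [row for row in rows if row["subject"] != req.subject_pseudonym]
        removed[name] = len(rows) - len(keep)
        rows[:] = keep  # in place, so the caller's store is updated
    req.status = Status.COMPLETED
    return removed


def run_demo() -> dict:
    """Walk one request through the workflow and return what a DPO dashboard would show."""
    stores = sample_stores()
    today = date(2025, 2, 10)  # constructed date
    req = record_request("DSR-0001", "alice@example.com", today)
    found = locate(req.subject_pseudonym, stores)
    try:
        execute_deletion(req, stores)  # the 'delete automatically' design must be refused
        premature_blocked = False
    except DeletionNotApproved:
        premature_blocked = True
    dpo_decision(req, approve=True, note="No retention obligation applies")
    removed = execute_deletion(req, stores)
    return {"found": found, "premature_blocked": premature_blocked, "removed": removed,
            "status": req.status.value, "days_left": req.days_left(today),
            "remaining": locate(req.subject_pseudonym, stores)}
```

Calling run_demo() shows the intended order of operations: the request is logged under a pseudonym, the subject's rows are located across all three stores, the automatic deletion attempt is refused, and only after the DPO records approval does execute_deletion remove the rows and close the ticket. The is_overdue check is what a tracking system would poll to escalate requests approaching the 30-day limit; a rejected request (for example, one blocked by a legal retention duty) is closed and no longer counts as overdue.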