How Do You Prove PDPL Compliance in KSA?

On May 19th, we co-hosted a webinar with our collaborators at GCC Data Protection titled "So You Want to Prove PDPL Compliance in KSA?"

With enforcement of Saudi Arabia’s Personal Data Protection Law (PDPL) increasing, companies are asking a critical follow-up question: not just how to comply, but how to prove they’re compliant.

The discussion was led by three seasoned compliance leaders with deep regulatory, operational, and technical experience:

Together, they unpacked how proving compliance isn’t just a documentation exercise—it’s an ongoing, cultural, and technological transformation.


A summary of the event is included below, as is the full presentation (embedded from SlideShare).


A New Mindset for PDPL Compliance

"PDPL compliance is so much more qualitative and complex… it’s about demonstrating that your approach fits the context of your organization," said Laura Palmariello, who kicked off the session by distinguishing Saudi Arabia’s privacy law from checkbox-style frameworks like ISO 27001.

Instead of relying on static controls, PDPL demands what Laura called “documenting and justifying your decisions, even when there’s no fixed answer and no certificate at the end of it.”

PDPL requires organizations to not only have policies in place, but also to understand and explain why those policies make sense for their specific business. This focus on reasoning and context shaped the rest of the discussion.


Compliance as a Living System

Bilal Ghafoor picked up the thread by noting that ISO-style certifications offer a defined path to completion. Not so with PDPL.

“When it comes to the PDPL... it’s actually about the privacy programme that is constantly running in the background,” he shared.

Without a certificate to hang on the wall (yet), organizations must build up a portfolio of actions, decisions, and evidence that can stand up to audits from regulators, due diligence from partners, or scrutiny from customers.

That means mapping data flows, clarifying consent processes, and even pre-filling standard contractual clauses in anticipation of customer demands.


Technology, Trust & Competitive Advantage

Jonathan Kass closed the session by reframing compliance not just as a defensive move but as a growth strategy.

“While it may not be the unlock to winning a proposal,” he said, “I would suggest that a lack of a strong privacy and compliance programme is going to be a hindrance to winning business in the future in the Kingdom.”

He emphasized that privacy-first thinking must extend beyond internal teams to include vendors and partners:

“You’re only as strong as the weakest link in your chain of trust. If your goal is to truly demonstrate respect... your vendors and partners have to take their role as seriously as you do.”

Jonathan also offered practical steps organizations can take, such as integrating consent tracking into daily workflows and using agentic AI tools to monitor data usage dynamically.


Full Presentation


Final Takeaways

  • There is no SDAIA-issued certificate of compliance today, which means organizations must build a defensible program and be ready to explain it.

  • Documentation alone isn’t enough; evidence of how you operate and make decisions is key.

  • Compliance can be a competitive advantage when embedded into operations, culture, and vendor management.


Resources to Get Started

  • Book a free 30-minute session with one of our PDPL Experts (calendar)

  • Take the PDPL Compliance Self Assessment (official SDAIA website)

  • Learn how to become an internal Privacy Champion (blog)


How AI was used in this post: 

  • Analysis of webinar transcript

  • Assistance in editing human-written prose

