How Smart Leaders Stay Ahead on Data Privacy Compliance
As enforcement increases for Saudi Arabia’s Personal Data Protection Law (PDPL), privacy is no longer just a legal issue—it’s a business risk and a leadership responsibility.
In this interview with Pyxos co-founder and VP of Operations Jonathan Kass, we explore lessons from his 25+ years working in highly regulated industries like insurance, healthcare, and aerospace.
We discuss how technical, operational, and legal leaders—CISOs, CTOs, CIOs, CCOs, CLOs—can act early, avoid delays, and build privacy into daily operations before it becomes a crisis.
🌱 Leslie Bradshaw, Pyxos VP of Research & Growth: Jonathan, you opened your piece with a personal breach story from 2024. Given the regulatory pressure we’re seeing globally, what’s your message to organizations who haven’t taken privacy seriously—yet?
🎙️ Jonathan Kass, Pyxos Co-Founder & VP of Operations: As I shared, it's very frustrating to see health care companies in the U.S. in 2024 still failing to protect PII. In every industry, it can always seem like privacy and data protection are challenges for another day, after we get to what’s most urgent in the business today. But privacy and data protection are urgent, and if they aren’t treated that way, your customers will know.
🌱 Leslie Bradshaw: In the piece, you trace your career back to aerospace engineering and as a technologist in the insurance industry—two highly regulated industries. Given the fixed deadline for PDPL compliance in Saudi, what lessons from those fields feel most urgent to apply right now?
🎙️ Jonathan Kass: The aerospace industry was one of the earliest to define software acquisition strategies—and while they are one of the ‘grandparents’ of the much-berated “waterfall” methodologies, the fact is that they attempted to implement disciplines in developing software products proactively, in order to ensure good outcomes, even in the earliest days of the practice of software development. It was an example of not waiting until the process had been perfected, but getting some standards in place up front to try to drive positive results.
Today we have similar challenges. For the past 20 years we’ve seen explosive growth in the collection, curation, and dissemination of personal data. And every time we think it can’t accelerate, a new technology—like generative AI for example—comes along and makes the risks of personal data being misused even greater.
So between the regulatory deadline, and the reality of how important it is to protect personal data, there is no time like the present to improve privacy practices.
🌱 Leslie Bradshaw: You talk about the moment you realized compliance could actually drive business growth. Why is that mindset shift so critical right now, especially for universities and enterprises facing public compliance deadlines?
🎙️ Jonathan Kass: When we began focusing on privacy as part of HIPAA, we were still relatively naive about the limitless potential for breaches and data misuse. Today everyone is aware that their personal information is likely at risk, if it hasn’t already been misappropriated. The public are much more educated on the value of their personal data, and have much higher expectations of the businesses and institutions they rely on to protect it. So I believe those institutions, like universities and enterprises as you mentioned, need to earn the public’s trust by building privacy into their day-to-day operations and mindset.
🌱 Leslie Bradshaw: You’ve worked in healthcare, insurance, now at a generative AI compliance company. With KSA’s PDPL enforcement picking up and a new wave of deadlines approaching, what’s the biggest risk leaders are underestimating?
🎙️ Jonathan Kass: All of us tend to underestimate risks, and overestimate our ability to manage problems as they arise. This can be a dangerous perspective when it comes to personal data privacy—the risks are very real today, and increasing exponentially with the advent of automated attacks on businesses and data systems. And as I shared, it is easy to underestimate how your customers and employees may feel about misuse of their data, which could lead to much more significant reputational damage as a result.
There is also the risk of waiting for a single perfect solution that will eliminate the concerns around personal data. As with many other business challenges, ‘waiting and hoping’ is not a great option.
🌱 Leslie Bradshaw: Last one… having worn these hats a few times myself in past startups, we both know that founders, technology, legal, and ops leaders are juggling a lot. What’s the one thing you wish they’d internalize about the link between privacy, trust, and business resilience—before they’re forced to?
🎙️ Jonathan Kass: Privacy regulations can seem onerous, and it's important to look beyond the sometimes bureaucratic language and really understand what the individuals whose data is being protected need. When GDPR launched, what everyone immediately experienced was popups on websites—banners which almost no one pays attention to anymore, they just find the ‘accept’ button and move on.
But the regulations are really about ensuring that we only use the customer’s data when they give us permission, and we take appropriate measures to protect it from misuse and inappropriate exposure. Those seem like pretty reasonable expectations, and meeting them—and earning the customer’s trust in the process—can open up growth opportunities, not just check boxes for an audit.
🔑 Key Takeaways
1. Build structure early. Don’t wait for the perfect solution.
Privacy is complex, and waiting for an ideal fix only increases risk. Disciplined, proactive systems deliver better outcomes. Start with what you have, improve as you go, and give yourself time to adapt before enforcement hits.
2. Privacy mistakes affect more than systems—they affect people.
If people feel their data is not safe, the reputation of the company can suffer. Privacy must be treated as a human issue, not just a technical one.
3. Treat data with care, earn trust in return.
Related to the second point above, behind every regulation is a simple principle: use data with permission and protect it with care. When done right, compliance builds trust—and trust opens doors for growth.
4. Don’t delay.
Compliance isn’t a future problem. Customers and regulators are paying attention now, and waiting to act only increases your risks and costs.
Read Jonathan Kass’s full piece: From Locked File Cabinets to the Cloud