Applying the Technology Adoption Lifecycle Framework to PDPL Compliance in KSA

Why only a small percentage of companies are complying with KSA’s new data privacy law


Written by James Beriker, Founder & CEO at Pyxos


Saudi Arabia’s Personal Data Protection Law (PDPL) became fully enforceable in September 2024, marking what will soon be widely recognized as the most consequential regulatory milestone in the Kingdom’s economic history. Forgive the hyperbole, but there has never been a law enacted in the Kingdom that has had as little cultural context or history—that completely resets the rules for how companies engage with their employees and customers. It is, indeed, an aspirational law, catapulting KSA from no data privacy laws to one of the most rigorous data privacy regulatory frameworks in the world.


What is PDPL?

PDPL is a data privacy compliance framework modeled on the EU’s General Data Protection Regulation (GDPR), considered to be the global standard for protecting data privacy. PDPL applies to any company that processes the personal information of Saudi residents, including employees. The law was passed to support the Kingdom’s Vision 2030 digital transformation and innovation objectives. PDPL has an established penalty framework, including fines of up to SAR 5M (doubled for repeat offences) and imprisonment for up to 2 years. The Saudi Data and AI Authority (SDAIA), the governing authority, has issued a comprehensive set of implementing regulations. It is widely understood in the Kingdom that SDAIA will start enforcing the law in the near term in order to achieve its Vision 2030 goal of broad-based compliance with the law.


When and how will PDPL be enforced?

What will the early days of enforcement look like? It will come in the form of reminders to public companies that they have to register with SDAIA and appoint a DPO (this has already happened), requests for information on the status of compliance, followed by formal investigations, audits, and fines. The first wave of enforcement activity will target high-profile companies that process significant volumes of personal information, especially those that process sensitive information as part of their core business. As the regulators did in the early days of the GDPR, these very public early regulatory actions against select high-profile, high-risk companies will be intended to act as catalysts to drive broad-based compliance with the law. The regulators understand that compliance will not happen without active enforcement in the form of very public sanctions against high-profile companies.

And yet, actual compliance in the market tells an alarmingly different story. By my own estimates, based on the many discussions I am having on the ground in the Kingdom with business leaders, consultants from global and regional firms, government officials, and data privacy professionals, less than 10% of companies are materially compliant with PDPL a full 8 months after the law became fully enforceable. A select few are compliant, but most remain unaware, unprepared, or under the false impression that compliance is a “check-the-box” requirement that can be easily and quickly accomplished if and when SDAIA enforces the law. This is striking given the law-abiding nature of the Kingdom—more on that later.


The Technology Adoption Lifecycle

To develop a better understanding of where we are in the “adoption curve” of PDPL compliance and how we might move from the status quo of very low adoption to majority adoption, it is helpful to apply the Technology Adoption Lifecycle framework. Originally used to describe the uptake of new innovations, we can apply this framework to assess the expected diffusion of behavior among KSA companies in moving towards full adoption.

One important note before we jump into the analysis: in most applications of this framework, adoption of new innovations is voluntary, based on personal risk tolerance, openness to new ideas and paradigms, and access to information and resources. The move from one phase to another is truly based on behavioral shifts at both the micro and macro levels. In the case of PDPL compliance, there is an extraneous factor you don’t normally have when analyzing the adoption of new innovations: the threat (and eventual reality) of compliance enforcement that removes choice and forces people to change their behavior despite their own views or beliefs. This does not take away from the usefulness of this framework, but it does foretell that movement through the bell curve will be much faster than normal when enforcement begins.

Everett Rogers developed the original Technology Adoption Lifecycle model in his 1962 book Diffusion of Innovations. It is a sociological model that describes the adoption or acceptance of a new product or innovation, according to the demographic and psychological characteristics of defined adopter groups measured on a bell curve across five adopter categories.

[Figure: the Technology Adoption Lifecycle bell curve across the five adopter categories. Image credit: TechTarget]

Phase 1: The Innovators

The first group—the “innovators”—are likely already compliant or soon to be compliant. They fit into two distinct categories: those with “imperatives” to comply and the “thoughtful stewards” who make the decision to comply.  

Imperatives

The “imperatives” group has a compelling business reason to comply with the law. They are the largest, highest-profile companies in the Kingdom with significant sovereign ownership or control, and they have to be first to support the new law. Also in this category are public companies, all of which received notices from SDAIA requiring them to register with the regulatory agency and appoint a Data Protection Officer (DPO), as well as companies that are in the process of going public on the Saudi Exchange. Others in the “imperatives” category are in an RFP/sales process with a large private or public sector prospect, where PDPL compliance is required for bidding on the business. Finally, we have just learned through two different credible sources that the Ministry of Education has mandated that all public universities be fully compliant with PDPL by October 2025. I am not aware of any similar actions by other government ministries or authorities, but I imagine that this tactic could effectively drive compliance for entities that receive public funding.

In a sense, this “imperatives” group is being forced to comply by externalities that it cannot control or ignore. These companies are not willfully prioritizing compliance because they believe in the inherent value of data privacy for their customers or business or to support Vision 2030, but because they have no choice.

Thoughtful Stewards

The “thoughtful stewards” are typically led by forward-thinking CEOs who understand the importance of PDPL to their business and want to contribute to the realization of the digital transformation objectives of Vision 2030. They make the choice to invest in compliance as both a strategic enabler and a way of avoiding business, legal, and financial risk. The leaders of these organizations have foresight: they have read the “tea leaves,” and they know from the progression of GDPR regulatory activity in the EU that the “education” phase is behind them and that aggressive enforcement is coming. They want to be prepared, and they aspire to be among the first of their peers to be compliant with the law.

💡Often these leaders realize that early compliance will protect their brand, which they regard as a key asset that drives their differentiation and growth.

They are also protecting their enterprise value, as they learned from the GDPR experience that companies that were fined early in the enforcement process suffered severe reputational damage, lost significant market value, and were unable to recover in less than 2 years. Finally, they recognize that PDPL compliance is not a “check-the-box” exercise and that the process of becoming and staying PDPL compliant is a “heavy lift” that takes time and specialized resources, and requires a wholesale transformation in the day-to-day operations and culture of their companies. In some cases, companies in this category have an easier path to compliance because they have operations in other jurisdictions where they have had to comply with data privacy laws, including GDPR. For these “thoughtful stewards,” waiting is not an option.

Innovators

The “innovators” have humility in terms of what they don’t know and are committed to enabling the law, transforming their cultures, and developing strong internal capabilities. They also come to understand that ongoing compliance requires technology and tools to streamline their operations and control their costs of compliance. They are the future case studies of effective compliance and business transformation– they are setting the standard for others in the Kingdom.

Pyxos, the data privacy compliance solutions company where I am a co-founder and CEO, currently works only with “innovators”. We provide “build-operate-transfer” services using PDPL experts to enable initial compliance and build internal capabilities, and then deploy an AI-based technology solution to help enable ongoing compliance. The “innovators” are our early pilot customers who, with us, are driving the development of agentic capabilities to embed PDPL requirements into daily operations, automate highly manual and time-consuming workflows, reduce the possibility of human error, and easily demonstrate compliance and defend any audit or investigation.

Phase 2: The Early Adopters

Right behind the “innovators” is a second, very large group of medium- to large-sized enterprises across B2B, B2C, and B2B2C that process significant volumes of personal information in their normal business operations. These “early adopters” have not yet started their compliance journey but will be the first group following the “innovators”, given that they are squarely in the crosshairs of SDAIA. Their understanding of PDPL and its implications for their businesses ranges from none to complete. Unlike the “innovators,” however, they have no motivation to act: no external “imperative” and no conviction that it is in their company’s best interest to act. This group will only invest in data privacy compliance after SDAIA begins enforcing the law.

Companies in this phase of the adoption curve break out into two distinct groups: the “blissfully ignorant” and the “knowing avoiders.”

Blissfully Ignorant

The “blissfully ignorant” know little to nothing about the law and go on about their businesses with their “heads in the sand.” It is hard to say whether their ignorance of the law is a conscious or unconscious effort to avoid the reality of the law— or truly based on not having any information or knowledge about the law. I think it is something in between for this group, based largely on a fundamental lack of cultural context or history, given that data privacy is a new concept in the Kingdom, with no precedent. I will get into this concept at the end of this post as it has much broader implications for the adoption of PDPL.  

Knowing Avoiders

The “knowing avoiders” have fluency in the law and understand the potential impact on their businesses but have decided to wait, making a calculated decision to accept the risk of non-compliance rather than spend the time and resources, and disrupt their businesses, to comply with the law. They understand that compliance is a “heavy lift” and want to understand the “risk vs. reward” calculus: to validate the level of compliance required and weigh the hard-dollar benefits of investing in compliance. This group is not completely oblivious, but it is willing to wait and see, which I characterized in a previous post as “playing chicken with the law.”


Phase 3 and Beyond: The Early Majority, Late Majority, and Laggards

I chose to combine these three phases into a single analysis as these companies share similar characteristics, even though they are likely to adopt data privacy compliance on different timelines and with differing levels of urgency.

  • The “early majority”, typically companies that process significant volumes of personal information and are at risk when enforcement begins, will “tip” the bell curve over the top.

  • The momentum they create will eventually push the “late majority” and the “laggards” to act.

  • The “early majority” differs from the “early adopters” because they have not made a decision either way: they are waiting for validation, watching their peers, and will act only when the cost of doing nothing becomes greater than the cost of action. They typically don’t forge their own path, but move with the herd.

💡We believe that once SDAIA issues its first wave of enforcement actions, which most expect by the end of 2025, the “innovators” will largely be immune to regulatory action, having set the standard for PDPL compliance.

The “early adopters” will move quickly, with some scrambling to comply. Given their relative size and profile, the “early adopters” are at the highest risk of regulatory intervention following the first wave. After the “early adopters”, the “early majority” will move together, getting conviction in unison that they now have to comply—and will bring the “late majority” and the “laggards” with them.

This process starts slowly, as in all cases of the diffusion of new technologies. However, unlike most adoption curves, compliance will accelerate aggressively once we are in the “early adopter” phase due, of course, to the legal imperative that will create the momentum in the market.

It needs to be pointed out, though, that the desire to comply may not match the ability to comply. The groups that follow the “innovators” will face another challenge that may significantly slow their progress: the scarcity of experienced resources in the Kingdom to support PDPL compliance, particularly on an accelerated timeline. This will create demand in the market that cannot be easily satisfied, due to the lack of PDPL specialists in the Kingdom.


The Underlying Reason

As I said earlier, and in previous posts, it is curious to me (especially as a former attorney) that compliance levels are so low a full 8 months after PDPL became fully enforceable. KSA is a country that is inherently law-abiding, has respect for the role of government in personal and business life, and has a deeply ingrained moral and ethical code rooted in religion. So, why are so many Saudi companies not complying with an important law tied to a critical national initiative?

💡Although I believe enforcement will be the stick that ultimately drives adoption, I don’t think lack of enforcement is the only reason for low levels of compliance. The underlying reason is more sociological than pragmatic. The decision-makers at most Saudi companies lack cultural context, given that data privacy is a new concept in the Kingdom, with no history or legal precedent. This applies to all but the “innovators”, who are the mavericks that achieved compliance despite the lack of that context.

Contrast this with the EU, where GDPR emerged from a decades-long history of data protection legislation, beginning with national data protection laws in Germany (1970) and Sweden (1973), followed by France (1978) and the UK (1984), long before any EU-wide regulation. These early laws laid the cultural and legal groundwork for the 1995 EU Data Protection Directive, which paved the way for GDPR in 2016. By the time GDPR became enforceable in 2018, European citizens expected that their data would be protected, and companies had nearly 50 years of institutionalized experience and precedent in managing data privacy risks and integrating compliance into business operations.

Saudi Arabia, by contrast, had no formal data privacy framework before PDPL. There were no prior laws or industry norms—or institutionalized experience with data privacy. As I said earlier, PDPL catapulted the Kingdom from having no laws to having a rigorous regulatory regime modeled on GDPR, but without the foundational historical or legal context. As a result, Saudi business leaders face a steep curve. Many are struggling to interpret the law's requirements or impact, unable to lean on precedent or internal expertise, and without long-standing privacy norms embedded in their culture. This lack of context makes it extremely difficult for companies—especially those in the “early adopter” and later phases of adoption—to comprehend the requirements of PDPL or appreciate the legal, financial, and reputational risks of non-compliance. For them, the law feels abstract, external, and disconnected from their organizational realities and culture—until, of course, enforcement makes it real.

This context gap is a very significant reason why only a very few Saudi companies are compliant with this new law.

💡So, the big question is: as enforcement kicks in, and we move through the phases of adoption, will companies beyond the “innovators” be able to overcome this lack of cultural and historical context and institutionalized experience to adapt quickly enough to avoid regulatory intervention—and enable the Kingdom to achieve its Vision 2030 goals?

I suspect that we are facing a highly chaotic five years as we move through the adoption curve, but that like so many other transformative initiatives related to Vision 2030, Saudi companies will find a way. 


James Beriker

James is a Silicon Valley entrepreneur, executive, and investor with extensive experience leading venture-backed technology startups. Prior to Pyxos, James was on the executive leadership team of Mach49, a leading global venture incubator, where he focused his last 3 years on developing startups in the KSA. He has been CEO of five venture-backed companies, including Search123 (acquired by Conversant), Efficient Frontier (acquired by Adobe), Dapper (acquired by Yahoo!), Simply Hired (acquired by Indeed), and Munchery. He has also held executive positions at Conversant and Yahoo!, served as an Entrepreneur-in-Residence at Matrix Partners, a leading Silicon Valley early-stage venture capital firm, and was the independent board member for iSocket, Kanjoya, EyeView, and EQ Works (CVE: EQ). James started his career as a corporate and IP attorney, is a member of the California bar, and has an LL.B. from Dalhousie University and a B.A. from Trinity College, University of Toronto.

https://www.linkedin.com/in/jamesberiker/