The Hidden Costs of Waiting to Comply with Saudi Arabia’s PDPL
In this Q&A, KSA Country Manager and VP of Partnerships Varun Arora shares lessons from the field—and why starting early with PDPL compliance isn’t just smart, it’s essential.
🌱 Leslie Bradshaw, Pyxos VP of Research & Growth:
Q: In your article, you emphasized acting early and investing wisely. Sounds simple, but not easy. From a leadership perspective, how do you personally help clients move from hesitation to action—especially when the costs and risks feel so abstract?
🎙️ Varun Arora, KSA Country Manager & VP of Partnerships:
A: It’s really quite straightforward: act now and become compliant at cost “X” or delay this until the last minute and then become compliant at 3X the cost plus fines and loss of reputation, bringing your total cost to 5X or even 10X.
KSA’s PDPL became law in 2023 and became enforceable in September 2024. Companies have had a year to plan for compliance and to budget for compliance, but very many have not done so and are now being caught off guard. Universities, for example, have been told in no uncertain terms: “prove compliance or be prepared to be publicly listed as non-compliant”. The day is not far when SDAIA, or even CMA, starts going after Saudi companies with similar directives, issuing fines, and publicly naming and shaming companies.
At that time, a large number of companies will seek to become compliant, and chase after the VERY small number of PDPL-trained service providers in the country, which will then double or triple their fees—it’s simple supply and demand—AND be forced to deliver in a manner that may cut corners, leaving these companies exposed to far greater risk than necessary.
CEOs and Boards will then ask:
“Who decided to delay this? Who decided that it was more important to save SAR 300,000 and risk fines, damages, and increased service-rates that are now costing us SAR 3,000,000?”
I wouldn’t want to be the executive having to answer these questions and say “we saved a little a few months ago, but now it’s costing us a lot more”.
🌱 Leslie Bradshaw: Since joining Pyxos, you’ve worked closely with experts like Anurag Sushant, Bilal Ghafoor, and Laura Palmariello. What have you learned from collaborating with them—and how has it shaped your own thinking around the KSA’s PDPL and how to support clients?
🎙️ Varun Arora: These are incredibly smart, deeply experienced professionals who are masters of their trade. They’ve learnt from GDPR and they can see what’s about to happen to companies in Saudi Arabia once enforcement commences, which has already started in a manner of speaking in the education space, with universities.
While each of them targets different industries and company sizes, one thing that’s common across all of them is their focus on educating clients:
“What is PDPL? Who does it apply to? What happens if you’re not compliant? How do you become compliant? How do you remain compliant?”
These are questions that clients—large and small—need answers to.
And we are here to help! We host regular webinars (we have a few coming up in May) and in-person seminars (we did one with the Riyadh Chamber of Commerce in February and will do more of these). We are also happy to do one- or two-hour workshops for enterprises, where we can answer their questions one-on-one.
🌱 Leslie Bradshaw: What’s been one of the most rewarding—or challenging—moments for you so far in building Pyxos' presence in the Kingdom? Any client interaction or milestone that sticks with you?
🎙️ Varun Arora: In February, we organised a joint event with the Riyadh Chamber of Commerce, titled “Understanding KSA’s PDPL in the Age of AI”. I was expecting—optimistically—maybe 50 people to show up. I was pleasantly surprised not only that close to 100 people attended, but also how “switched on” the audience was. Some attendees had driven hundreds of kilometers to attend.
As you know, I’m from Singapore, and most folks attending seminars there have their computers open in front of them and are busy answering email during the seminar, or messaging friends and colleagues on WhatsApp, or otherwise engaged in other activities such that only 10% of their brain is actually focused on the seminar.
In stark contrast, here in Riyadh, there wasn’t a single open computer, and almost no one used their phones for the duration of the event. It spoke to the respect this society has for someone who’s sharing their insights, people’s hunger to learn, and their desire to engage. A number of attendees approached me after the event, asking for the materials, so they could further teach their colleagues who were unable to attend. Such curiosity, involvement, and respect speak volumes about a society and about the bright future for the country.
🌱 Leslie Bradshaw: Many of our readers are navigating data privacy compliance for the first time. What’s one piece of advice you’d offer to someone starting their journey?
🎙️ Varun Arora: Start. Just: start.
The subject can appear overwhelming, but we’ll work with you to make it easy to understand, to build consensus and momentum around you, and help you get from zero-to-hero in a matter of 3–4 months. And start now. Don’t wait for the penalties, don’t end up paying 3X and doing this in an environment of stress and fear, when you can do it right, and it might end up costing you less than 300,000 SAR.
🌱 Leslie Bradshaw: We often talk about “costs” of compliance in dollar terms, but what are some hidden costs companies and establishments overlook?
🎙️ Varun Arora: This one’s easy: the cost of non-compliance could be as much as 10X the cost of compliance. Look, we’re able to get reasonably sized companies to full compliance for as little as 300,000 SAR in as little as 4 months. Waiting for the threat of audits to knock on your door—or worse, for a serious, inadvertent infringement to occur that ends up with your being penalised for millions… Well, that just doesn’t make business sense.
It’s important to become compliant now, when costs are still low, when your company’s reputation has not been dragged through the mud, when you haven’t been held guilty of serious infringement and have been made to publish apology advertisements in the newspaper.
At Pyxos, we’re happy to help with your gap analysis; with PDPL-compliant frameworks and policies; with putting in place AI-driven software that makes compliance easier over the long term while keeping your costs low; and to help you build a culture of compliance within your company or establishment.
💡 Want to read the original article? Check out ➡️ KSA PDPL: 5 Tips to Manage Your Compliance Costs