We are the experts in GCC Privacy Law Compliance

We specialize in practical compliance while protecting commercial outcomes

With over 20 years' experience, global IAPP FIP, CIPP/E, CIPM, AIGP and ISO 27701 Lead Implementer certifications, we are the experts in the KSA PDPL, the UAE PDPL, and the data protection laws of all GCC countries.

How long does a privacy program take?

Our programs are usually 15-40 days – we can deliver as fast as you can work with us.

With most clients, our projects take 1-3 months to deliver – we work at your pace.

We minimize disruption to your operations

What does compliance cost?

Tell us a little more and we can give you a guideline estimate – but contact us for a tailored quotation. Discounts for non-profits and others available.

    PDPL and Privacy Projects Completed

    45+ KSA PDPL Projects

    30+ Other GCC Privacy Projects

    150+ GDPR Projects

    Compliance is not a one-time thing. 

    We don’t want you to always depend on consultants.

    We ask you to nominate someone as DPO. We take that person, train them, then deliver the program with them, mentoring and upskilling them so that they can take our roadmap and ensure continuous compliance.

    Bilal Ghafoor, Managing Director

    IAPP CIPP/E CIPM FIP

    Bilal has 15 years’ experience in data protection and has led privacy programs globally, including some of the largest tech companies in KSA.

    Laura Palmariello, Senior Associate

    IAPP AIGP CIPP/E FIP

    Laura has diverse experience in many industries, from energy to education and is our resident AI governance expert. She is known for practical advice.

    Our Products

    RoPA

    Records of Processing Activities (RoPA) are a legal requirement: a catalogue of your data, showing what you do with it and the compliance risks. We conduct detailed interviews with your business units to understand what they do with personal data, carry out some discovery, and then use the RoPA to manage your risks.

    Staff Training

    We train and mentor your nominated DPO, using the compliance program as a learning tool. We also create all staff training and awareness messages.

    Framework, Strategy and Operating Model

    These are not theoretical – we tailor these to your company setup and operations so you can manage future compliance.

    Data Protection Policy

    This underpins what you do, your responsibilities and your risk appetites. It underpins your legal obligations and corporate stance.

    Data Breaches

    From handy toolkits for all staff to detailed guidance for your DPO and C-suite: a complete manual to manage issues and learn lessons.

    Data Subject Rights

    How to handle requests from customers and staff for copies of information, withdrawal of consent, corrections or other rights.

    Vendor management

    From tender invitations and shortlisting to due diligence, risk assessments and contracts, we make sure your vendors look after your data.

    International Data Transfers

    Sending data outside the country is complex – we help you navigate the legal difficulties and do your transfer risk assessments.

    Lawful basis and consent management

    We identify your lawful bases and dive into your consent statements and operations to give clients control of their choices.

    AI and Tech Development

    We look at the data protection aspects of your AI or tech development to make sure that you are compliant with privacy laws. 

    Marketing Policy

    Marketing, whether through emails, phone calls, social media or events, is covered by the law. We help you comply and keep you effective.

    Privacy notices and cookies

    We write your external and staff privacy policies in clear language to promote transparency and trust. We also manage your cookies.  

    Privacy Impact Assessments

    Privacy impact assessments are mandatory under privacy laws. We assess your high-risk processing and mitigate risks.

    SDAIA Self-Assessment

    We use the SDAIA/NDMO self-assessments to help you understand your compliance and issue you with a report.

    Every week on a Tuesday we publish a newsletter on the PDPL. It is packed with practical insights on how to comply with the law as well as analysis of privacy trends. 

    We have the highest-rated introductory course to the KSA PDPL on Udemy. It is normally $19.99 but contact us for a voucher that will get you access for free.

    Sectors we have worked in

    Energy

    AI

    Non-profit

    Manufacture

    Justice

    Government

    Education

    Commerce

    Health

    Digital

    Saudi Arabia

    The Personal Data Protection Law (issued pursuant to Royal Decree No. M/19 of 9/2/1443 H, as amended by Royal Decree No. M/148 dated 5/9/1444H) (“PDPL”)

    United Arab Emirates (UAE)

    Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”)

    Bahrain

    Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”)

    Qatar

    Law No. (13) of 2016 Concerning Personal Data Protection (“the Data Protection Law”)

    Oman

    Royal Decree No. 6 of 2022 promulgating the law on the protection of personal data dated 9 February 2022

    Kuwait

    Kuwait Law No. 20 of 2014, on Electronic Transactions (the “E-Commerce Law”) and Kuwait Law No. 63 of 2015, on Combating Cyber Crimes (the “Cybercrime Law”)

    DIFC & ADGM

    DIFC Law No. 5 of 2020 on Data Protection Law (“DPL”)

    ADGM Data Protection Regulations 2021

    UK & European Union

    UK & European GDPR