GRC — Flagship Service

UAE PDPL Compliance Advisory

Build a defensible Personal Data Protection Law compliance program in 4 – 6 weeks — data mapping, privacy notices, consent workflows, breach-notification process, DPIA methodology, and cross-border transfer assessment. Enforcement is ramping. Reactive compliance costs more.

AED 15,000 – 35,000 · GRC Mastery · ISO 27001 LA · 4 – 6 weeks
Book a 30-min Scoping Call →

What it is

A focused advisory engagement that takes your organisation from unassessed exposure to defensible PDPL compliance — with the documentation, processes, and governance artefacts you need to answer a regulator, a customer question, or a data-subject request.

We map every flow of personal data in your business (employees, customers, suppliers, leads, marketing contacts), identify where legal bases are weak or missing, author the instruments you need (privacy notices, consent records, processing registers, DPIAs, transfer assessments), and operationalise the processes that keep you compliant as your business changes.

Led by a practitioner holding GRC Mastery and ISO 27001 Lead Auditor credentials — so the deliverables align with both UAE PDPL and international privacy frameworks if you plan to pursue ISO 27701 or GDPR adequacy later.

What this is not

Not legal advice. We deliver the compliance program; your legal counsel reviews instruments before execution.
Not a template download. Every artefact is authored to your actual data flows, not copy-paste from a library.
Not a DPO retainer. DPO-as-a-Service launches in 2027; this engagement is a one-time build.
Not an incident-response service. We set up the breach-notification process; actual response support is a separate engagement.

Who this is for

1. A client or enterprise procurement has asked for PDPL compliance evidence as a condition of contract.
2. Your legal or compliance team has flagged PDPL risk and you need an actionable program, not more memos.
3. You're a SaaS, fintech, e-commerce, healthcare, or HR-tech business — sectors where personal data is the product.
4. You had a data-subject request or near-incident that exposed gaps in your processes.
5. You're pursuing ISO 27001 or ISO 27701 and want a PDPL-aligned foundation that feeds both programs.

What you get

  • Data inventory & map — every category of personal data you process, with source, purpose, legal basis, retention, access, and location.
  • Record of Processing Activities (RoPA) — PDPL-aligned register ready for regulator submission if required.
  • Privacy notice(s) — customer-facing, employee-facing, and any sector-specific variants authored to your actual processing.
  • Consent & legal-basis register — where consent applies, how it's captured and evidenced; where alternative legal bases are used, the justification.
  • Data Subject Request (DSR) workflow — request intake, identity verification, response SLA, template responses, decision log.
  • Breach-notification process — detection criteria, decision tree, UAE Data Office notification template, data-subject notification template.
  • DPIA methodology & example — when to trigger a DPIA, the assessment template, and one completed DPIA for your highest-risk processing.
  • Cross-border transfer assessment — mapped transfers, required safeguards, SCC templates or alternative legal instruments.
  • DPO requirement assessment — whether your processing triggers a mandatory DPO, with justification.
  • Staff awareness briefing — 90-minute session for key teams on PDPL obligations and day-to-day handling.

How we deliver

  • W1 Scoping & discovery (Week 1): business overview, extraterritoriality assessment, stakeholder interviews, data-flow mapping kick-off, existing-documentation review.
  • W2 Data mapping & RoPA (Week 2): complete data inventory, RoPA drafting, legal-basis assessment, cross-border transfer identification.
  • W3 Instrument authoring (Weeks 3 – 4): privacy notices, consent records, DSR workflow, breach-notification process, DPIA template + one completed DPIA, SCC / transfer instruments.
  • W4 Operationalisation (Weeks 4 – 5): staff briefing delivery, process testing, tools/platforms recommendations, roll-out plan.
  • W5 Handover & ongoing support (Week 6): final documentation package, 90-minute handover workshop, 30-day question-support window.

Pricing

Published range

AED 15k – 35k

Per engagement. Written quote within 48 hours of scoping call.

What drives the price:

  • Organisation size & data complexity
  • Number of distinct processing activities
  • Cross-border transfer volume
  • Sensitive-data categories (health, biometric, minors)
  • Add-on: DPIAs beyond the one included

Commercial terms

  • Deposit: 50% at signing
  • Net terms: Net-30
  • Quote validity: 30 days
  • Start lead time: 1 – 2 weeks
  • ISO 27001 Implementation bundle: 10% discount if bought together

Your cert-backed lead

Engagement Lead

Manoj Prabhakaran

ISO 27001 Lead Auditor · GRC Mastery · CPTS · CDSA · Security+ · Azure Cloud Security

Focus: Data mapping, RoPA, privacy instrument authoring, DPIA methodology, cross-border transfer assessment. Approach: every document authored to your actual processing — not copy-paste templates.

Frequently asked questions

Does PDPL actually apply to my business?

Almost certainly yes. PDPL applies to any UAE entity that processes personal data, regardless of sector or size. If you have employees, customers, or suppliers whose data is stored in or moves through UAE jurisdiction, you're in scope. The only narrow exclusions are personal-use and certain government processing.

What's the penalty for non-compliance?

Administrative fines defined by the UAE Data Office are the primary risk today. Regulatory enforcement has ramped substantially in 2025 – 2026, and the reputational cost of a data-breach disclosure tends to be larger than the fine itself. Early compliance is materially cheaper than reactive compliance.

How long does a PDPL program take to build?

4 – 6 weeks for a typical UAE SME with moderate data complexity. Larger organisations or those with cross-border data flows can extend to 8 – 10 weeks. Individual gaps (e.g., just a privacy notice refresh) can be scoped as half-engagements.

Do I need a Data Protection Officer?

A DPO is required if you process sensitive personal data at scale or your core business is systematic monitoring. Many UAE mid-market organisations do need one. We help you assess the DPO requirement and, if needed, recommend fractional DPO-as-a-Service arrangements (formalised offering launches in 2027).

Can you handle breach-notification incident response?

We establish the breach-notification process, playbook, and decision tree. Actual incident response is out of scope of this advisory engagement — see our Tabletop IR Exercise service for response-readiness testing, and our Year-2 Incident Response Retainer for on-call IR support.

How does PDPL relate to ISO 27001?

They overlap significantly (~60% of controls) but PDPL is a law (compliance is mandatory if applicable) and ISO 27001 is a voluntary certification (demonstrates good practice). Many clients align both programs — we design the PDPL engagement so deliverables feed directly into an ISO 27001 Annex A.18 / A.5.34 evidence set.

What about cross-border data transfers?

PDPL restricts transfers to jurisdictions without adequate protection. We map your current transfers, identify where Standard Contractual Clauses, explicit consent, or other safeguards are needed, and draft the necessary instruments or contractual clauses.

Is this only for UAE-based entities?

PDPL has extraterritorial reach — it also applies to non-UAE entities processing UAE residents' data. Foreign subsidiaries, e-commerce platforms selling to UAE customers, and SaaS vendors with UAE users all have obligations. We assess extraterritorial applicability as part of scoping.

PDPL enforcement is ramping. Reactive compliance costs more than proactive.

Book a 30-minute scoping call. We'll assess your exposure, scope the program, and send a written quote within 48 hours. Engagement starts inside 1 – 2 weeks.

Book a Scoping Call →