A pre-positioned breach response retainer. Named senior practitioner on call 24/7, regulator-clock playbook tailored to your environment, communications and notification templates pre-drafted, forensics partner pre-vetted. The point is not to write the runbook during the breach — the point is to have it written six months earlier.
The 24/7 hotline number is in your engagement letter. Use it. Read this page before you need to.
Senior practitioner on call within 60 minutes
24/7, including weekends & public holidays
Three tiers, SAR 36k to 180k
Activation hours included or hourly
KSA PDPL · India DPDP · UAE PDPL · GDPR
Multi-jurisdiction notification choreography
The 72-hour regulatory clock is now mainstream across the privacy regulators that matter to you. The first hour is the most expensive: triage, scope, severity rating. By hour 24 the notification draft has to be in motion. By hour 72 — depending on jurisdiction — it has to be filed, often through a regulator-specific portal that nobody has logged into in two years.
KSA PDPL: Notification to the regulator within 72 hours of becoming aware. Affected individuals notified where the breach is likely to cause harm.
India DPDP: Section 8(6) requires notification to the Board and to affected Data Principals "in such form and manner as may be prescribed" — without undue delay.
UAE PDPL: Article 9 requires controller notification to the regulator within 72 hours where the breach is likely to result in risk to the rights of data subjects.
GDPR: Notification to the supervisory authority within 72 hours of becoming aware. Where notification is not made within 72 hours, it must be accompanied by reasons for the delay.
Multi-jurisdiction matters most when the clocks don't agree. A KSA-headquartered group with India operations and EU data subjects faces three different clocks running concurrently — sometimes with materially different thresholds for what triggers notification at all. The retainer's job is to choreograph the notifications so the timing is right and the wording is consistent.
The retainer has two distinct phases. The first happens in the calm — the work that is impossible to do during a breach: tailoring playbooks to your environment, pre-vetting forensics partners, mapping internal contact trees. The second is the activation itself, where the pre-positioned work pays out.
Setup work completed within the first 4 to 6 weeks of engagement, before any incident has occurred. Refreshed annually or on material change.
Senior practitioner assigned, briefed on your data architecture, in-scope jurisdictions, internal contact tree, board reporting expectations.
Generic playbooks fail in real incidents. Yours is written to your systems, your jurisdictions, your sector, your board governance — not a template.
Pre-drafted regulator notification skeletons, individual notification language, internal-leadership briefings, board-statement frameworks. Ready to populate when needed.
Forensics provider commercial terms pre-agreed (with one of three pre-vetted partners or your nominated firm). MSA executed; rate card known.
SDAIA, UAE Data Office, India DPDP Board, ICO contact registries confirmed. Submission portal access verified. Sector-specific regulator overlays mapped.
One tabletop drill per year (Tier 02 / 03). Runs through a realistic scenario, identifies decision-tree gaps, and rebuilds muscle memory in your team.
When the hotline triggers. Senior practitioner on call within 60 minutes, lead activation within 4 hours, structured response from the first call onwards.
Structured intake call. Initial severity rating, scope estimation, regulator-clock activation across affected jurisdictions, internal stakeholder cascade triggered.
Pre-vetted forensics partner brought in within 4 hours. Scope, evidence preservation, chain of custody choreographed alongside investigation.
Notification populated against pre-drafted skeleton. Multi-jurisdiction divergence handled; submission timing aligned to clock requirements.
Affected-individual scoping based on harm-likelihood threshold per jurisdiction. Notification language drafted; channel selected (email, SMS, post, public).
Internal leadership briefings, board statements, customer-facing messaging, media holding statements. Coordinated with your comms or external PR firm.
Within 30 days of incident closure: written lessons-learned, playbook updates, regulator-relationship handover notes, re-positioning recommendations.
What the response actually looks like, on the clock. The timing is indicative — every incident shifts depending on facts, scope and jurisdiction — but the choreography below is the standard template the response lead works from. Numbered milestones are the gates that have to clear before the next phase begins.
Named lead reached within 60 minutes. Initial intake call scheduled. Internal activation cascade triggered.
Structured intake. What is known vs assumed. In-scope jurisdictions. Affected data categories.
Severity tier set. Forensics partner activated. Regulator-clock countdown formally tracked from this point.
First-pass affected-individual count. Data categories confirmed. Notification draft begun.
Board, exec, legal, comms briefed against draft regulator notification. Customer comms held; preparing.
Forensics findings integrated. Multi-jurisdiction divergence resolved. Individual notification scoping locked.
Submitted to all in-scope regulators, on or before clock expiry. Individual notifications go out per the agreed channel.
The 72-hour window is the maximum, not the target. Where facts permit and jurisdictions align, we file earlier — there is no benefit to running the clock down. Where the facts genuinely cannot be established within 72 hours, we file an initial notification with the available information and a documented timeline for follow-up filings. Both approaches are explicitly contemplated under GDPR Art. 33 and equivalent provisions in PDPL and DPDP guidance.
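As an added illustration of the clock choreography described above (example code written for this page, not part of the original text or the retainer's own tooling): a small Python tracker that takes the awareness time and the in-scope jurisdictions, derives each regulator's absolute deadline from the hour counts summarised on this page, treats the earliest fixed clock as the binding one, checks the hour-24 "draft in motion" gate, and decides between filing a final notification, filing an initial notification with a documented follow-up timeline, or continuing to scope. The jurisdiction keys, the one-line statute summaries, the 24-hour interim-filing buffer and the sample awareness time are assumptions constructed for the example, not statutory figures.

```python
"""Multi-jurisdiction breach notification clock tracker (constructed example).

The statute summaries below are simplified from the page's own one-line
descriptions; confirm each against counsel's reading before relying on them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RegulatorClock:
    name: str
    hours: Optional[int]    # None: "without undue delay", no fixed hour count on the page
    reasons_if_late: bool   # a filing after the clock must carry reasons for the delay


# Assumed keys; clocks as summarised on the page.
CLOCKS: Dict[str, RegulatorClock] = {
    "KSA_PDPL": RegulatorClock("KSA PDPL: regulator within 72h of awareness", 72, False),
    "UAE_PDPL": RegulatorClock("UAE PDPL Art. 9: regulator within 72h where risk likely", 72, False),
    "GDPR": RegulatorClock("GDPR Art. 33: supervisory authority within 72h", 72, True),
    "INDIA_DPDP": RegulatorClock("India DPDP s.8(6): Board, without undue delay", None, False),
}

HOUR = timedelta(hours=1)
DRAFT_IN_MOTION_BY = 24 * HOUR     # page: by hour 24 the notification draft has to be in motion
INTERIM_FILING_BUFFER = 24 * HOUR  # assumed operating choice: decide on an interim filing a day before expiry
AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed awareness timestamp for the demo


def deadlines(aware_at: datetime, jurisdictions: List[str]) -> Dict[str, Optional[datetime]]:
    """Absolute filing deadline per in-scope jurisdiction; None where no fixed clock exists."""
    return {
        j: None if CLOCKS[j].hours is None else aware_at + CLOCKS[j].hours * HOUR
        for j in jurisdictions
    }


def earliest_deadline(dl: Dict[str, Optional[datetime]]) -> Optional[datetime]:
    """The binding deadline is the earliest fixed clock across all in-scope regulators."""
    fixed = [d for d in dl.values() if d is not None]
    return min(fixed) if fixed else None


def filing_plan(aware_at: datetime, jurisdictions: List[str], now: datetime,
                facts_established: bool, draft_started: bool) -> dict:
    """Decide the next filing action given what is known at `now`."""
    dl = deadlines(aware_at, jurisdictions)
    earliest = earliest_deadline(dl)

    alerts = []
    if now - aware_at >= DRAFT_IN_MOTION_BY and not draft_started:
        alerts.append("hour-24 gate missed: notification draft is not in motion")

    if facts_established:
        action = "FILE_FINAL"        # the clock is a maximum, not a target: file as soon as facts allow
    elif earliest is None:
        action = "NO_FIXED_CLOCK"    # only "without undue delay" regimes in scope
    elif now >= earliest:
        action = "OVERDUE"           # file immediately; late-filing regimes need documented reasons
    elif earliest - now <= INTERIM_FILING_BUFFER:
        action = "FILE_INTERIM"      # initial filing with available facts and a documented follow-up timeline
    else:
        action = "CONTINUE_SCOPING"

    # Jurisdictions whose clock has already expired and which expect reasons for the delay.
    reasons_required = [
        j for j in jurisdictions
        if CLOCKS[j].reasons_if_late and dl[j] is not None and now > dl[j]
    ]
    hours_remaining = None if earliest is None else (earliest - now) / HOUR
    return {
        "deadlines": dl,
        "earliest": earliest,
        "hours_remaining": hours_remaining,
        "action": action,
        "alerts": alerts,
        "reasons_required": reasons_required,
    }


if __name__ == "__main__":
    # Hour 50 of a KSA-headquartered group with EU data subjects and India operations.
    plan = filing_plan(AWARE, ["KSA_PDPL", "GDPR", "INDIA_DPDP"], now=AWARE + 50 * HOUR,
                       facts_established=False, draft_started=True)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The decision order matters: a confirmed fact set always wins (file early), an expired clock is flagged before any interim logic, and the interim filing is only recommended inside the buffer so the team is not pushed into a thin filing on day one.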
The right tier depends on your risk surface, the maturity of your in-house security and privacy operations, and how willing you are to face an incident with a runbook written in real time. Pre-positioning costs less than activation; activation costs less than improvisation; improvisation costs more than the regulator's fine.
Pre-positioning only. Hotline access, named lead, basic playbook tailored to your environment. Activation hours billed in addition at the time of incident.
The most common tier. Full pre-positioning plus 20 hours of activation time included annually — typically enough to absorb one incident response or two minor incidents without hourly billing kicking in.
For multi-jurisdictional groups with a high-risk surface, regulated sector exposure, or recent breach history. Embedded readiness — full drill cycle, regulator-relationship pre-introduction, deep playbook integration with internal SOC and legal.
Activation hours during a live incident are billed in 30-minute increments. Tier-included hours roll over up to 25% if unused. Tier 01 has no included activation hours; the retainer fee covers readiness only. Forensics provider time is billed by the forensics provider directly — not absorbed in our retainer hours.
Not every security event is a privacy breach. Not every privacy event triggers regulator notification. The retainer covers the events where the privacy clock starts running — and the answer to "is this notifiable?" is itself part of the activation work, not something you have to figure out before calling.
Unauthorised access, disclosure, alteration or loss of personal data — confirmed or strongly suspected. Activate immediately.
Ransomware event where personal data is in scope of the encrypted or exfiltrated systems. Activate within 4 hours.
Internal actor — current or former — has exfiltrated personal data outside the controller perimeter. Activate immediately.
Laptop, phone, hard drive lost or stolen with personal data in scope. Encryption-state assessment is the first question. Activate within 12 hours.
Upstream vendor reports a breach. Your controller obligations to your data subjects are still triggered. Activate within 4 hours.
Inquiry, complaint or formal proceedings letter from a privacy regulator. Response timing is regulator-set. Activate immediately.
Sudden surge in Data Subject Requests (often following bad press, breach disclosure, or activist campaign). SLA risk. Activate within 24 hours.
If you are not sure whether something is notifiable, that itself is the trigger. The first 30 minutes of analysis is what the retainer is for. No threshold.
Honest scope boundaries agreed in the engagement letter. The retainer is privacy-incident response, not full-spectrum security operations or primary legal counsel. Here is what sits outside the line.
We do not run your Security Operations Centre. Detection, monitoring, alert triage and threat hunting are your SOC's job (or your MSSP's). The retainer activates from a confirmed or suspected privacy event, not from a generic security alert.
We coordinate forensics; we do not perform digital forensics. A pre-vetted forensics partner is engaged at activation (or your nominated firm). Their fees are billed by them directly — never absorbed into our retainer hours.
We provide privacy-domain advisory and regulator-facing drafting. Legal opinion as primary counsel — including litigation strategy, regulatory defence positioning and insurance-coverage advice — sits with your in-house or external lawyers.
We draft and review communications. Execution — media outreach, statement distribution, social-media response — sits with your PR firm or in-house comms function. We coordinate with them; we do not replace them.
Each tier has a defined activation-hour bucket. Beyond the bucket, hours are billed at the tier's hourly rate. There is no scenario in which we walk away mid-incident over hours; there is also no scenario in which "unlimited" is the actual deal.
Where you carry cyber / privacy insurance, we work with your broker and panel counsel under their direction — but we do not manage the claim, certify damages, or substitute for the insurer's appointed advisors.
Common questions about how the retainer activates, what counts as a trigger, and what happens if it never gets used. If yours is not here, the intake form below is the right place — a senior member of the practice will respond within one working day.
A senior member of the practice will respond within one working day with a proposed scoping call. Submissions go to a practitioner — never a sales desk. If you are in an active incident now, do not use this form — call your existing breach response contacts. If you do not have any, contact us directly.
A 30-minute scoping call costs nothing. We will tell you honestly which tier is the right fit, whether your existing arrangements have material gaps, and what an annual exercise would look like — pre-positioning is a disciplined exercise, and we'd rather you have it done well than have it done quickly.
Schedule a call