When the scope is defined, the deliverable is finite, and the timeline has an end-date — a project engagement is the right shape. SOW-driven, milestone-billed, senior practitioner-led from kickoff to closeout. Six common project archetypes; bespoke scope welcome.
4 — 16 weeks
Larger programs phase-gated
Fixed-fee against signed SOW
Milestone-billed (25/25/25/25)
Documented handoff to your team
30-day warranty period included
Most project engagements fall into one of six shapes. Each has a documented methodology, a defined deliverable set, and a known cadence. We will tell you up front which archetype fits — and where your specific situation deviates from the standard.
Personal data inventory, processing register and data-flow mapping — built to regulator standard, then handed to your DPO with a maintenance playbook so it stays current.
A complete DPIA library covering all high-risk processing, plus the methodology and templates so your team can run new DPIAs without us in the room.
From governance framework to operating model to policies, controls and training — the full program built and embedded, with documented evidence trail throughout.
Consent capture, preference centre, DSR intake and fulfilment workflow — wired into your existing tools and run through a vendor-neutral platform decision if needed.
SCCs, BCRs, transfer impact assessments and contractual addenda — built for the specific corridors that matter to your business: KSA → India, UAE → EU, India → US, GCC intra-group.
A standing third-party risk program — onboarding diligence, contractual control, ongoing monitoring — with a vendor risk register your DPO and procurement team share.
Every project follows the same lifecycle. The shape is consistent; the duration of each phase scales to the size of the engagement. You will know which phase you are in, what the next milestone is, and what the gate criteria are to move forward.
Initial scoping conversation. We understand the problem, the regulator surface, the stakeholders and the constraints. NDA executed before any artefacts are exchanged.
Typical: 1 weekDetailed scope-of-work document — deliverable list, timeline, milestone billing schedule, named practice lead, success criteria. You sign it before we start.
Typical: 1 weekFormal engagement letter executed. Kickoff call scheduled. Working calendar published. First-milestone deliverable date communicated to all stakeholders.
Typical: 3 — 5 daysThe work itself. Weekly status meetings against milestone schedule. Quality-gate review before each deliverable handoff. Documented evidence trail throughout.
Typical: 4 — 14 weeksFinal deliverable acceptance, handoff session with your team, lessons-learned summary, 30-day warranty period for clarification questions and minor adjustments.
Typical: 1 — 2 weeksA handful of project shapes from recent engagements — sectors and entity counts altered for confidentiality, but durations and fee bands are accurate. Use them as a calibration reference for how your project might be sized.
Personal data inventory and Record of Processing across six properties and three legal entities in KSA and UAE, including loyalty program and biometric access systems. Maintenance handoff to in-house DPO.
DPIA library covering 24 clinical and operational systems including EHR, telehealth platform, lab interfaces and patient-facing apps. Methodology rollout and training for in-house owners.
End-to-end DPDP Act 2023 program: governance framework, policies, RoPA, DPIAs, consent & DSR workflow, training rollout. UAE Child Digital Safety overlay for the international segment.
Consent capture across web, mobile and in-store, preference centre, DSR intake and fulfilment workflow. Vendor-neutral platform selection ahead of deployment, integration with existing CRM.
Transfer impact assessments for KSA-UAE-Bahrain corridor, SCCs and intra-group data transfer agreements, telematics-data governance framework. Onward-transfer controls for OEM partners.
Vendor onboarding diligence pack, standard contractual clauses library, ongoing vendor risk register with classification across 180+ third parties, integration with procurement workflow.
Three rough size bands. The exact fee is fixed in the SOW before kickoff — no time-and-materials creep, no scope-driven billing increases without a formal change order. Milestone billing tied to phase completion, with a 30-day warranty period after closeout.
Single workstream, single jurisdiction, defined deliverable set. 4 — 6 weeks typical.
Multi-workstream, two-to-three jurisdictions, multi-entity scope. 8 — 12 weeks typical.
Full program, multi-jurisdiction, group-wide. 12 — 16+ weeks, phase-gated billing.
Always included: senior practitioner time, all interviews and document review, draft and final deliverables, weekly status meetings, quality-gate review before each handoff, 30-day post-closeout warranty period.
Never bundled in: third-party platform licences, travel beyond Riyadh / Bengaluru / Mumbai (billed at cost), legal opinion as primary counsel, ongoing operational running costs after closeout.
Six operating principles applied to every project engagement. They are not aspirational — they are how we structure the work so the deliverable arrives on schedule and survives external review.
One named senior practice lead on the SOW. Same person on the kickoff call, the weekly status, the quality gate, and the closeout — for the entire project.
Weekly written status update mapped to milestone schedule. Red / amber / green per workstream. Issues flagged the week they appear, not the week they bite.
Every deliverable goes through internal QC against firm methodology before it reaches you. Findings register reviewed for clause-anchoring; methodology checked for regulatory currency.
Every interview, document reviewed, decision taken — logged. The audit trail is itself a deliverable, handed to your DPO at closeout for use in future regulator reviews.
Scope changes get written change orders, not informal email creep. Cost and timeline impact agreed before the change is executed. No surprise invoices at the end.
Formal closeout meeting, lessons-learned summary, named handoff to your team. 30-day warranty for clarification questions and minor adjustments at no additional cost.
A project engagement is not the right shape for every privacy problem. The two columns below are the honest test we apply at scoping — and what we will tell you, candidly, on the first call.
You know what the deliverable looks like — RoPA, DPIA library, consent platform, transfer mechanism. The shape of "done" is clear.
The work has a finite arc. There's a board date, a regulator deadline, a diligence window — and the project is sized to land before it.
You can commit DPO, IT, legal and business stakeholder time during the delivery window. Privacy projects fail when the inputs aren't available.
There's an in-house DPO or compliance team who will own the deliverable after closeout. Without that, you may need a DPOaaS retainer instead.
If the requirement is ongoing senior privacy oversight rather than a finite deliverable, you need a DPOaaS retainer, not a project.
If you can't yet articulate the deliverable, start with a Readiness Review. The output will tell you what projects you actually need.
If you have an in-house DPO and just need senior backup or escalation cover, that's a standing advisory retainer — much smaller commitment.
If a regulator letter has already arrived and the inspection is in seven days, this is the wrong shape. Speak to us about an interim DPO or breach response retainer.
The questions below come up at scoping. If yours is not here, the intake form below is the right place — a senior member of the practice will respond within one working day.
A senior member of the practice will respond within one working day with proposed scoping. Submissions go to a practitioner — never a sales desk.
A 30-minute scoping call costs nothing. We will tell you honestly whether a project engagement is the right answer for what you are trying to do — or whether a Readiness Review, a DPOaaS retainer or an embedded interim DPO would land better. Sometimes the answer is none of the above, and we will tell you that too.
Schedule a call