A four-week structured privacy diagnostic against the regulator that matters to you — KSA PDPL, India DPDP Act 2023, UAE PDPL, GDPR or any combination. Fixed scope. Fixed fee. Senior practitioner-led, end-to-end. The output is a finding register your board can act on within thirty days.
4 working weeks
3 weeks (rush, +25%)
SAR 65,000–180,000+
By scope and entity count
Fixed scope · Fixed fee
50/50 milestone billing
The output of a Readiness Review is a finite, named deliverable set — not a slide deck. Every artefact is written in the format an external auditor or regulator would expect to see, so the work survives review long after the engagement closes.
Your current state mapped against the regulation in scope, scored on a five-level model. Same scoring methodology a regulator uses on inspection — not a vendor's branded "privacy score."
Every gap documented as a finding — clause-anchored, severity-rated, control-owner assigned. Written in the same format your DPO will recognise from any external audit, ISO certification or regulator inspection.
A sequenced 6–12 month roadmap. Material risk first, defensibility next, optimisation last — with costed bands, dependencies, and a critical-path view your CFO can sign off.
A two-page memo your board can read in five minutes — current state, top three risks, recommended next steps, and the specific decisions the board needs to take. No jargon, no padding.
The engagement runs to a documented timeline. You will know what is happening, who is doing it, and what the next deliverable is — every week.
Joint scoping call to confirm regulators in scope, entities covered and the timeline. Document request issued, NDA executed, named practice lead introduced.
Structured interviews with DPO, CISO, IT, marketing, HR and legal. Review of existing privacy notices, contracts, RoPA (if any), DPIAs and breach playbook.
Findings drafted to regulator-style format. Internal QC review against firm methodology. Draft shared with you for factual accuracy check before final.
Final report, finding register, roadmap and board memo delivered. Optional 90-minute board readout where we present findings and answer questions live.
We are deliberate about which engagements we accept. A Readiness Review is the right starting point for some organisations and the wrong one for others — and we'd rather tell you up front.
Groups operating across two or more of KSA, UAE, the wider GCC and India — where regulator surface is real and growing.
Organisations approaching ZATCA, SDAIA, DPDP Board or GCC regulator inspection — and the privacy program has to hold up to it.
Enterprises preparing for diligence where a defensible privacy posture is no longer optional. Diligence questions arrive faster than answers.
Organisations that have built privacy in-house but never had an external practitioner audit it. The blind-spot risk alone is worth the engagement.
If the question is technical security testing or vulnerability assessment, this isn't the engagement — that's a separate cybersecurity scope.
If you have a senior in-house DPO running a single-jurisdiction program, you may need a targeted second opinion — not a full review. Talk to us about a standing advisory retainer instead.
If a regulator letter has already arrived and the inspection is in seven days, this is the wrong shape of engagement. Speak to us about an interim DPO or breach response retainer.
If what's wanted is a polished report to wave at the board with no intent to act on it, we will not be the right firm. We don't do privacy theatre.
No retainer pressure, no time-and-materials creep. The fee is agreed in the engagement letter and held to milestone-billed delivery: 50% on engagement-letter signature, 50% on final report delivery.
Every Readiness Review is led personally by a senior member of the practice and signed off before delivery. There is no junior-staffed delivery model and no "we'll have someone get back to you" handoff.
Day-to-day regulatory liaison across KSA SDAIA, UAE Data Office and India DPDP Board. Personally signs off every Readiness Review report before delivery, and is named on the engagement letter as the responsible practitioner — not as an account manager.
For multi-jurisdictional engagements, additional senior practitioners are named for the specific regulators in scope. The lead remains constant for the full four weeks.
"The point of a readiness review is not to look good. It is to know — and to have a defensible roadmap before someone else writes one for you."
We are clear about scope boundaries before the engagement starts. The Readiness Review is a finite diagnostic — not a perpetual subscription, not a remediation engagement, not a regulatory submission.
We diagnose the gaps; you decide what to do next. If you want us to lead the remediation, that is a separate project engagement with its own scope.
Findings are not lodged with any regulator on your behalf. The deliverable is internal-use, written to regulator-quality standards but not filed externally.
We surface legal questions and frame regulatory exposure. We do not provide legal opinion as primary counsel — your in-house or external lawyers retain that role.
The deliverable set is finite. Engagement ends when the final report is delivered. Ongoing work — remediation, DPOaaS, advisory retainer — is contracted separately.
The questions below come up on most kickoff calls. If yours is not here, the contact form below is the right place to ask — a senior member of the practice will respond within one working day.
A senior member of the practice will respond within one working day with a proposed scoping call. Submissions are reviewed by a practitioner — never a sales desk.
Not sure if a Readiness Review is the right starting point? A 30-minute call costs nothing. We will tell you honestly whether it is the right shape of engagement for what you are trying to do — and what is, if it isn't.