About This Service
UAE PDPL Readiness — Personal Data Protection Compliance for SMEs
The UAE's federal Personal Data Protection Law (PDPL) establishes a framework for how organizations collect, use, store and share personal data, with concepts familiar from international privacy regimes: lawful bases such as consent, transparency obligations, data-subject rights, and expectations around breach handling. Most Dubai, Abu Dhabi and Sharjah SMEs hold far more personal data than they realise — customer records in a CRM, CVs in a shared drive, WhatsApp leads, delivery addresses in an e-commerce backend — and few can show where it all lives. This gig builds that picture and the operational layer on top of it.
The deliverables are deliberately practical. I run a data-mapping exercise across your systems and produce records of processing that show what personal data you hold, why, where, and who it is shared with. I draft your privacy notice and redesign consent flows on your website and forms so they reflect what you actually do with data. You get a data-subject request procedure your team can follow when someone asks for access or deletion, reviewed vendor and processor agreements with appropriate data-protection clauses, and a breach-response plan that names roles, steps and communication paths before an incident — not during one.
Two honest caveats. First, this is compliance consulting, not legal advice — I work alongside your legal counsel, and where a question needs a formal legal opinion I will say so plainly. Second, mainland and free-zone businesses can sit under different data-protection regimes (DIFC and ADGM have their own frameworks), and the engagement starts by confirming which applies to you. Pricing starts at AED 4,000 with core deliverables in 14 days — deliberately scoped so a 10–50 person SME can afford to do this properly.
What's included
- Data mapping and records of processing — A system-by-system inventory of the personal data you hold, documented as records of processing you can maintain yourself.
- Privacy notice and consent flows — A plain-language privacy notice plus redesigned consent capture on your website, forms and sign-up journeys.
- Data-subject request procedure — A step-by-step internal procedure and response templates for access, correction and deletion requests.
- Vendor and processor agreement review — Review of your key supplier contracts with recommended data-protection clauses for your counsel to finalise.
- Breach-response plan — A named-roles incident plan covering detection, containment, assessment and communication — tested in a tabletop walkthrough.
- Staff awareness briefing — A short practical session for your team on handling personal data day to day, in English with Arabic materials on request.
How it works
1. Regime check and data discovery
   We confirm which data-protection framework applies to your entity, then inventory the systems and processes that touch personal data.
2. Mapping and gap review
   I build the records of processing and flag gaps — missing notices, weak consent, risky vendor terms, no breach plan.
3. Deliverables and fixes
   You receive the privacy notice, consent flow changes, DSR procedure, contract clause recommendations and breach plan.
4. Handover and team briefing
   I walk your team and your legal counsel through everything so the program keeps running after I leave.
Why work with me
| | With me | Typical agency |
|---|---|---|
| Scoped and priced for SMEs | From AED 4,000 | Enterprise retainers |
| Operational documents your team can run | | Dense legal memos |
| Coordinates with your legal counsel | | Works in isolation |
| Covers mainland vs free-zone regime differences | | Single-framework template |