Governance Practice

Data Governance.

PDPL, NDMO and ISO 27001 aligned governance for KSA and GCC enterprises — from automated catalog and lineage to policy-as-code enforcement in the query engine.

Practice
Governance Practice
Delivery
Riyadh · London · Lahore
Model
Fixed-scope · Retainer
Timeline
6–16 weeks / phase
01 — What we do

Three pillars that carry the practice.

01

PDPL & NDMO by design

KSA-native compliance mapping, evidence packs, and DPO enablement — not a Western framework retrofitted after the fact.

02

Catalog & lineage

Automated discovery, PII classification and column-level lineage across warehouses, lakes and operational systems.

03

Policy-as-code

Row, column and purpose-based access enforced in the query engine — never in application code where it silently drifts.

We ship this practice as a small, opinionated system — running infrastructure, evaluation harnesses, and the rituals that make leadership trust the numbers.
02 — Capabilities

What we build inside this practice.

Every engagement is scoped as a small system, not a slide deck. You get running infrastructure, documentation, and the metric-store hooks to measure it.

Scope an engagement
01PDPL / NDMO / ISO 27001 mapping
02Catalog (Collibra · Unity · Purview)
03Automated classification & PII scans
04Column-level lineage
05Policy-as-code enforcement
06Data quality frameworks
07DPO enablement & evidence packs
08Access review workflows
Reference architecture

How the pieces move.

Discoverscan · classifyCatalogdomains · ownersLineagecolumn-levelPolicyas-code · enforceEvidenceaudit-ready packs
03 — In production

Numbers from the field.

100%
Regulated tables classified

Before Go-Live on a Tier-1 KSA bank data lake.

14d
Audit request to evidence

With automated evidence packs — down from 90 days.

0
PDPL findings on external audit

Post-implementation across two regulated engagements.

04 — The problem we solve

Compliance in a spreadsheet is compliance theatre.

Regulators don't want a PDF of your data map — they want to see who accessed a specific customer record last Tuesday, and whether the query respected purpose. That's only possible when the catalog, lineage and access policy live inside the platform. We stand that up.

PDPL
KSA Personal Data Protection Law — enforced Sept 2024
NDMO
National Data Management Office standards, all 15 domains
0-day
PII detection on new tables via automated scans
100%
Access decisions logged with purpose and lawful basis
05 — How we deliver

A methodology we've run — not a slide.

Every engagement follows the same phased spine so leadership always knows what ships in the next two weeks.

  1. 01
    Phase 1

    Estate scan

    Automated discovery, PII classification and initial risk scoring across every source.

    Estate mapPII registerRisk heatmap
  2. 02
    Phase 2

    Catalog & domains

    Stand up the catalog, assign data owners and stewards, publish glossary.

    Catalog liveOwner RACIBusiness glossary
  3. 03
    Phase 3

    Lineage & policy

    Column-level lineage plus row / column / purpose-based access policies as code.

    Lineage graphPolicy repoEnforcement tests
  4. 04
    Phase 4

    Evidence & audit

    Automated evidence packs, access reviews, DPO enablement and audit dry-run.

    Evidence packAccess-review workflowAudit dry-run report
06 — Reference stack

Vendor-neutral. Battle-tested.

Catalog
CollibraUnity CatalogMicrosoft PurviewDataHubAtlan
Classification & PII
Microsoft PresidioImmutaBigIDAWS Macie
Policy-as-code
Open Policy AgentImmutaUnity Catalog policiesSnowflake row-access policies
Standards
PDPLNDMOSDAIA AI EthicsISO/IEC 27001ISO/IEC 27701GDPR
07 — What you get

Concrete deliverables.

  1. 01Estate map with PII and sensitivity scoring
  2. 02Live data catalog with owners and stewards
  3. 03Business glossary and domain model
  4. 04Column-level lineage across the estate
  5. 05Row / column / purpose-based policies as code
  6. 06Automated evidence packs for regulators
  7. 07Access-review workflow and cadence
  8. 08DPO runbook and audit dry-run report
08 — Buyer questions

What leadership actually asks.

Do you cover PDPL specifically, not just GDPR?

Yes. PDPL differs from GDPR on cross-border transfer, consent and data-subject rights. Our mapping is PDPL-native and cross-references NDMO domains — GDPR alignment is a by-product, not the starting point.

Which catalog do you recommend?

It depends on your warehouse. Databricks estates default to Unity Catalog; Microsoft-heavy estates to Purview; multi-warehouse enterprises to Collibra or DataHub. We benchmark for your context.

How do you enforce policy without breaking existing apps?

Enforcement lands in the query engine (Unity, Snowflake, Immuta) so applications keep issuing the same SQL — filtered rows and masked columns are transparent. No app rewrites required.

Can you support a live audit?

Yes. We've supported SAMA, NCA and external Big-4 audits with automated evidence packs and lineage exports on demand.

Ready to scope this into your stack?

Book a working session with a lead architect.