Client Overview
Tabby is a leading fintech company specializing in the Buy Now, Pay Later (BNPL) segment, with active operations across the Kingdom of Saudi Arabia and the United Arab Emirates.
Activities Performed
- Gap Assessment Report – Conducted a comprehensive assessment to identify compliance gaps against applicable data protection regulations.
- Data Discovery – Identified and documented key data assets, sources, and processing activities for 14 in-scope departments.
- Data Flow Diagrams – Created end-to-end data flow diagrams to visualize how personal data is collected, stored, shared, and transferred.
- Risk Assessment – Carried out risk assessments to evaluate data protection risks and recommend mitigation measures.
- Data Protection Impact Assessment (DPIA) – Performed DPIA for high-risk processing activities to assess and address potential privacy risks.
- ROPA Creation – Prepared and documented the Record of Processing Activities (ROPA) in line with regulatory requirements.
- Policy and Procedure Creation – Developed data protection, data classification, and data governance policies and procedures to strengthen governance and ensure compliance.
- Trainings – Conducted data privacy awareness trainings.
Challenges
A significant challenge was the need for tool alignment support, which resulted in substantial rework. This rework was particularly evident in:
- Creation of the ROPA (Record of Processing Activities), where multiple iterations were needed to ensure accuracy and completeness.
- Alignment of policies and procedures with the organizational framework and tool capabilities, requiring repeated updates and adjustments.
Solution
To overcome these challenges, the following approach was adopted:
- Conducted a thorough review of tool functionalities and mapped them against organizational processes.
- Engaged in collaborative sessions with the tool vendor and internal stakeholders to clarify requirements and resolve alignment issues.
- Developed customised ROPA templates to ensure consistency and reduce future alignment issues.
- Customised policies and procedures as per client requirements, incorporating both the tool-based approach and the manual approach.
ValueMentor Approach: Assess, Design, and Align
- Assess
  - We begin by conducting a Data Privacy Gap Assessment. This step identifies gaps, forming the foundation for a tailored solution.
  - Data discovery and mapping – The Data Discovery and Mapping exercise involved a thorough identification and documentation of key data assets across the organization. Multiple discussions were conducted with various departments to understand how personal and sensitive data is collected, processed, stored, and shared across different processes.
- Design
  - Risk Assessment: Identification and evaluation of potential privacy and risks across data processing activities, with recommendations for mitigation measures.
  - Data Protection Impact Assessment (DPIA): Conducted DPIA for high-risk processing activities to systematically assess privacy risks, determine their impact, and implement appropriate controls.
  - Policies and Framework: Developed policies, procedures, and operational workflows aligned with risk findings and DPIA outcomes, ensuring the framework is practical.
- Align
  - This step involves advisory on implementation of the designed framework, updating documentation, and training stakeholders to ensure seamless adoption and sustainable compliance.
Result
The approach helped the client comply with SAMA requirements, streamlined processes, and established a sound data protection framework aligned with regulatory expectations.
Key Takeaways
- Conduct a separate session with the tool vendor at the outset to clarify functionalities, integration points, and implementation requirements.
- Ensure the tool is onboarded first before finalizing policies and procedures, to minimize rework and misalignment.
- Implement tool modules in parallel with process and procedure design, so that system capabilities support workflows and reduce repeated adjustments.



