Read about my background here and do peek through my LinkedIn profile and feedback from some of my awesome clients.
Why are you here (on this website)?
You're here because you acknowledge (and struggle with) the increasingly global and complex regulatory landscape.
You're pretty sure that the GDPR applies to you, but not how much and if you're required to appoint a Data Protection Officer or an EU representative.
You might be a SaaS processor based outside of Europe, who spend (waste) time on laborious vendor GDPR due diligence processes - ultimately losing deals because you're unable to reassure your prospects. 💸
Or a scale-up on your way out of the startup phase, struggling to streamline internal processes (not least to prepare for a potential IPO or buy-out), a corporation unsure about the GDPR's territorial scope, in need of a privacy-related due diligence for M&As or an Emergency DPO, or you just want to know your current compliance status.
⏰ One thing you do know, though, is that you cannot delay this any longer...
How can we work together?
It ultimately depends on your specific situation and needs. If your budget is ~$10,000 for an initial project, let's get on a call to discuss.
💸 But read on below to see how you avoid being over-charged by lawyers or consultants (on non-burning issues...).
We often start our journey together with an actionable GDPR Audit to get clarity on your work, identify gaps and high risks, and practical and pragmatic advice to help you manage these risks.
Step 1: Conduct a GDPR Audit
Your GDPR work is likely in chaos. You've put down ad-hoc efforts for some time, documents are stored in various folders, you sort-of know which systems you use for personal data and you did update that privacy policy in ... was it (25 May) 2018?
You know you need to get things in order, but not where to start or what's good enough. ⚠️ And if you don't know this, how will you trust that your external lawyer or consultant will only recommend what you actually need (at this point in time) and avoid being over-charged?
Yes, there is such a thing as overdoing compliance. So before we discuss bigger projects, future compliance strategy or an outsourced role (like external DPO), I'll ask you to go through a GDPR audit first.
This will provide us both with a solid overview of your GDPR work, make it possible to prioritize your future efforts and plan accordingly (in line with your business ambitions and goals). And when we know the gaps, we'll be able to get an idea about further investments.
And, importantly - we get the chance to work together on a smaller budget to see if we're a right fit.
Most of the work in an audit is on my side. Your role is primarily to provide access to necessary documentation, respond to emails and attend a few meetings. It will, however, be an intensive effort over 2-4 weeks, where you still need to be available and provide information as needed.
Based on this, I will make an assessment and a gap analysis, measured against the legal requirements, and provide concrete recommendations on how to close or mitigate gaps (measured against your level of ambition).
Pricing can be $5,000 for small companies to $250,000 for larger ones. It depends on scope and type of audit, geographic presence, years in operation, Board presentations and more. First, however, we always get on a call to see if it's a fit.
Step 2: Formulate your GDPR Strategy + plan & present
When you actually know the status of your GDPR work (after the Audit, step 1), you can prioritize and plan further projects - according to your business strategy and ambitions.
Yes, compliance is important, but it doesn't trump everything else in your business.
The Audit will show you the gaps and highlight red flags - especially urgent ones. And although I won't do the practical work for you, we'll discuss together what must vs. should be done, by whom (internal, external or a combination), and when - and I can help you find the right people to work with (see step 4).
For selected clients I act as Project Director for a limited time period to help your internal teams plan and implement key tasks.
⚠️ Whatever you do, the experience and knowledge must be retained in your organization. If you're too small to have in-house compliance people, ensure your external partner implements with this in mind. If you have a privacy team, they should be hands-on involved through the whole process.
We'll also discuss how and when to involve your Board, Audit & Risk Committee and/or other key stakeholders - not least to reassure them that you got overview and control of your privacy and data protection work.
Step 3: DPO/Privacy Officer as a Service
Finally, while I can act as your external Privacy Officer or Data Protection Officer (DPO), or even an interim Transitional (Emergency!) DPO or Fractional CPO, I have few available openings and this is contingent on us having worked together for a while (including done the GDPR Audit first 👆).
As per January 2024 I have no available openings, contact for waitlist.
Step 4: Build your (pragmatic) privacy and data protection team
Hiring great people for privacy and data protection can be challenging. Even just finding someone with solid professional experience in security and privacy/compliance can be a tall order!
If you have gone through the process, you're perhaps painfully aware that a CIPP/E certification is no silver bullet for qualified help... But incorrect advice should perhaps not be your biggest worry.
❌ Worst case, you end up with someone who interprets the law in the strictest way possible, with no pragmatism in their approach or recommendations. You risk ending up with compliance work stifling your business - completely unnecessary.
The GDPR is not the law of everything. Even the legal text itself is explicit here: The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights ... in particular ... freedom to conduct a business ... (Recital 4).
Since the GDPR is still fairly new in many respects, finding great people is challenging. Unsure how to approach recruitment and what to look for (and avoid)?
Get in touch to discuss or start by reading more about DPO Mentor or Sparring Partner services at the end of this page.
Who do I typically help (with what)?
Although I've worked with very different companies and industries on a range of projects, I often help scaling SaaS processors based outside of Europe who struggle to convince EEA-based prospects in RfP processes that they comply with the GDPR.
Your compliance might be stellar, but if you cannot convince your potential customers about this - 💸 you lose anway.
I'm also a discussion partner for fellow practitioners (typically DPOs) who need relevant insights, a fresh perspective or hands-on help dealing with a complex issue. Read more here or join the DPO Hub here.
For one-to-one work, I typically help those with a budget starting at $10,000. Any type of engagement, however, usually starts with a smaller project such as the GDPR Audit, not least to see if we're a good fit.
My main goal when working with you is to make the GDPR understandable, manageable and tailored to your type of business/organization, size and context. I take a no-BS approach and offer practical, smart advice and possible solutions to complex issues.
I won't do the GDPR for you, but I will help you maneuver the regulatory landscape and not spend more money on this than you have to.
Over the past years I've been lucky to work on a wide variety of projects, in both the public, nonprofit and private sectors, with brick-and-mortar companies, micro to large organizations with 550+ employees, with app development, incubators, co-working spaces and SaaS, and with clients in the US (including on Hawaii, 12 hours ahead of me!), Canada, Singapore, Thailand, Germany, Bulgaria, Poland and Sweden.