GDPR, (e)Privacy & Data Protection
The regulatory landscape is constantly changing and it feels impossible to keep up with it all... Schrems II, DPIAs, DPAs, SCCs... 🤯
You can keep spending time, money and resources on trying to solve all the headaches yourself... Or you can save yourself time, money (true story), resources and all those headaches (and sleepless nights) by getting qualified help.
Read on to see if we're a good fit. 👇
How can we work together?
It ultimately depends on your specific situation and needs. If your budget is ~$10,000, let's get on a call to discuss.
We often recommend starting with a review/audit of your current privacy and data protection efforts. You'll get a solid overview of the status of your work and can see clearly what to prioritize going forward.
This is typically how a review works:
- I establish a project (including a project plan), written up as an external GDPR review (which demonstrates ongoing compliance and also serves as documentation in itself).
- You provide access to the relevant information from your privacy and data protection work (primarily related to the GDPR), and I review it. We have as many meetings as necessary for me to get a clear overview of your situation.
- Based on this, I will make an assessment and a gap analysis, measured against the legal requirements. In addition, I will provide concrete recommendations on how to close/mitigate gaps (also measured against your level of ambition).
- There are two checklists: one for your role as a Controller and, if relevant, one for your role as a Processor. You receive the checklists and we go through them together in a final meeting, where we also discuss next steps.
Most of the work will be on my side. Your role is primarily to provide access to necessary documentation, respond to emails and attend a few meetings. Pricing typically starts at $5,000.
Projects (DPIA, Schrems II, SCCs etc.)
You probably fall into one of four phases of a typical GDPR project:
We can work together on a full-blown implementation project covering all four phases, or on separate initiatives such as conducting a DPIA for your new app or processing activity, managing the (still ongoing) Schrems II ruling, implementing the 2021 SCCs, or similar.
If you're located outside of the EU/EEA, you might also be looking for an EU Representative. Although I don't offer that service myself, I know a few good companies to recommend.
And although I'm no lawyer, either, I know when you should get help from one, and I know just the right people to connect you with (both inside the EEA, and in the US).
GDPR/Privacy Officer/DPO as a Service
I often help other privacy professionals with GDPR issues, especially the more tricky ones (like conducting a GDPR role assessment and dealing with Schrems II). As with any type of engagement or collaboration, all discussions are treated as confidential.
Finally, while I can act as your external Privacy Officer or Data Protection Officer (DPO), I have no available openings at the moment. Such an engagement is anyway contingent on us having worked together for a while, so if this is something you're seriously considering, get in touch to discuss next steps.
You might not be too enthusiastic about GDPR stuff! Then it's a good idea to get someone on board who is. I teach as a guest lecturer at BI Norwegian Business School (the Executive Course on Data Protection and the GDPR) and Kristiania University College (project management, GDPR and digital marketing), and have delivered several lectures and presentations in other settings (for incubators, small business hubs, schools, corporations, and at various events/conferences).
I have a true passion for teaching all things privacy for various audiences from high schoolers to CEOs. Lectures/presentations can also be custom-made for your specific organization/company and context.
Further to a lecture/presentation as described above, I can arrange for online courses, digital workshops and/or physical learning - tailored to your specific organization/company and context.
Due diligence, M&A
In 2020, the UK's data protection authority (the ICO) fined Marriott £18.4 million for failing to keep their customers' personal data secure, stemming from a data breach in a hotel chain Marriott had acquired. Importantly, the data breach existed before Marriott acquired them. Key lesson: do your due diligence properly, including for personal data and everything else relating to the GDPR.
I work with other professionals in the security and data protection space to provide services related to due diligence (in general) and/or M&As. Get in touch to learn more.
Who do I typically help (with what)?
For one-to-one work, I typically help those with a budget starting at $10,000. Any type of engagement, however, usually starts with a smaller project such as GDPR reviews/audits ($5,000+), not least to see if we're a good fit. Occasionally, and if/when time allows, I help smaller organizations with one-off projects (read more 👇).
My main goal when working with you is to make the GDPR understandable, manageable and tailored to your type of business/organization, size and context. I take a no-BS approach and offer practical (and sometimes creative) advice and possible solutions to complex issues.
I won't do the GDPR for you, but I will help you maneuver the regulatory landscape and not spend more money on this than you have to.
Rest assured that your type of industry or company isn't a barrier. I've been lucky to work on a wide variety of projects, in the public, nonprofit and private sectors, with brick-and-mortar companies, with organizations from micro-sized to large (550+ employees), with app development, incubators, co-working spaces and SaaS, with clients in Norway, Canada, the US, Singapore, Sweden and Germany - and in the following industries:
- Oil and gas
- Higher Education
- Technology (including edtech and medtech)
- Water technology
- Trade unions/associations
- Design (web, graphic, animations etc.)
- GDPR/privacy (!)
- Fitness and personal health
- Health care
- Medical equipment
- Real estate appraisal
For the small business owner and organization
My ambition when starting out was to create a "one-stop shop" for everything related to the GDPR - especially for the smallest businesses and others who cannot afford one-to-one help (your local sports team, a hobby-based club, foundations, non-profits). The idea is that you get "bite-sized", visual GDPR learning, easy-to-follow templates and step-by-step video instructions on how to fill them out. Stay tuned for more on this.