Snapshot of the founder's background
Over 16 years of professional experience, public and private, in established and emerging markets (Norway, Nordics, Qatar, Dubai/MENA), for Ernst & Young, Nordic Innovation and in higher education, working mainly with strategy, digital transformation, business development and startups, has provided me with an invaluable understanding of how to manage cross-cultural teams effectively and successfully, often with conflicting agendas and personalities (covering several countries) in projects with 50+ stakeholders and multi-million customer accounts.
My background and experience is key to my current success in helping people manage the complexities of privacy and data protection.
Read more on this page and peek through my LinkedIn profile here.
You
You're here because you acknowledge (and struggle with) the increasingly global and complex regulatory landscape. π
You're pretty sure that the GDPR applies to you, but not how much and if you're required to appoint a Data Protection Officer or an EU representative.
β οΈ You might be a SaaS processor based outside of Europe, who spend (waste) time on pesky vendor GDPR due diligence processes - ultimately losing deals because you're unable to provide sufficient comfort to your prospects.
Or a scale-up on your way out of the startup phase, struggling to streamline internal processes (not least to prepare for a potential IPO or buy-out), a corporation unsure about the GDPR's territorial scope, in need of a privacy due diligence for M&As, or just wanting to know your current compliance status.
You might be a fellow DPO or GDPR practitioner looking for a discussion partner on complex issues (Schrems II, joint controllership etc.) or specific data for your client's case as they're being audited by a supervisory authority.
You might even be that supervisory authority, searching for information on similar cases from your peers in the EEA or an overview and analysis of such cases.
π© In any case - you're finding it difficult to keep up with all the regulatory changes and lack overview (and control), want to get clear on what applies for your particular situation, and what is urgent and must-haves vs. nice-to-haves.
One thing you do know, though, is that you cannot delay this any longer... β°
How can we work together?
It ultimately depends on your specific situation and needs. If your budget is ~$10,000, let's get on a call to discuss. But read on below to see how you avoid being over-charged by lawyers/consultants. πΈ
We often start our journey together with an actionable GDPR Audit where I give you clarity on your work, identify gaps and high risks, and give you practical and pragmatic advice to help you manage these risks.
Step 1: GDPR Audit (don't skip this)
Your GDPR work is likely in chaos. You have put down ad-hoc efforts for some time, documents are stored in various folders, you know sort-of what systems you use for personal data and you did update that privacy policy in ... was it (25 May) 2018?
You know you need to get things in order, but not where to start or what's good enough. β οΈ And if you don't know this, how will you trust that your external lawyer or consultant will only recommend what you actually need (at this point in time) and avoid being over-charged?
Yes, there is such a thing as overdoing compliance. So before we discuss bigger projects or an outsourced role (like external DPO), I'll likely ask you to go through a GDPR audit/review first.
This will provide us both with a solid overview of your GDPR work, make it possible to prioritize your future efforts and plan accordingly (in line with your business ambitions and goals). And when we know the gaps, we'll be able to get an idea about further investments.
And, importantly - we get the chance to work together on a smaller budget to see if we're a right fit.
Most of the work in an audit is on my side. Your role is primarily to provide access to necessary documentation, respond to emails and attend a few meetings. It will, however, be an intensive effort over two weeks, where you still need to be available and provide information as needed.
Based on this, I will make an assessment and a gap analysis, measured against the legal requirements, and provide concrete recommendations on how to close/mitigate gaps (measured against your level of ambition).
Pricing typically starts at $5,000 for small companies and $15,000 for larger ones - depending on scope and type of audit.
Step 2: Project work (all the fun stuff)
When you actually know the status of your GDPR work (after the audit, see step 1 π), you can prioritize and plan further projects - according to your business ambitions and goals. Remember, compliance is important, but doesn't trump everything else in your business.
The audit will show you the gaps and highlight any π© and (especially) β° ones. (Yes I use such icons in the audit checklist(s) you get, too.)
Is your privacy policy insufficient and outdated? Still don't have that overview of personal data ("records of processing activities") in place? Are you a processor and your data processing agreement lacks required information and you haven't gotten the new 2021 SCCs in place? Are you struggling with Schrems II, TIAs, or need to conduct a DPIA?
You'll know after the audit. I might not be (avail)able to help with the above, but we'll discuss together what must vs. should be done, by whom (internal, external or a combination), and when - and I can help you find the right people to work with.
β οΈ Whatever you do, the experience and knowledge must be retained in your organization. If you're too small to have in-house compliance people, ensure your external partner implements with this in mind. If you have a privacy team, they should be hands-on involved.
Step 3: DPO/Privacy Officer as a Service
Finally, while I can act as your external Privacy Officer or Data Protection Officer (DPO), or even an interim Transitional DPO or Fractional CPO, I have few available openings and this is contingent on us having worked together for a while (including done the GDPR Audit first π).
Speaking & Training
If there's one thing I enjoy more than digging through court rulings, DPA decisions and EDPB guidelines, it's helping people understand the GDPR, (e)privacy and data protection!
And if you've ever seen a lecture or attended a class/course on these topics and fell asleep after two minutes π΄, then reset your expectations. Especially as some think it's pretty dry stuff, it's crucial to communicate in an engaging way.
Presentations and training are guaranteed free of legalese and "I'm the expert" vibes, tailored to your company, culture and people.
I teach as a guest lecturer at BI Norwegian Business School (Executive Course on Data Protection and the GDPR), at Kristiania University College (GDPR and digital marketing), and also develop online GDPR courses with the latter.
I and have extensive experience in speaking and training in other settings, including for incubators, small business hubs, schools, corporations and at various events and conferences.
Due diligence and M&As
In 2020, the UK's data protection authority (the ICO) fined the Marriott Β£18.4 million for failing to keep their customersβ personal data secure, stemming from a data breach in a hotel chain the Marriott had acquired.
β οΈ Importantly, the data breach existed before the Marriott aquired them. Key lesson: do your due diligence properly, including for personal data and everything else relating to the GDPR.
PS: Poor compliance is not only a π©, but is an opportunity to negotiate price.
And if you're the SaaS start/scale-up and hoping for a lucrative exit at some point, get this due diligence done before getting into M&A (to have the price negotiation card up your sleeve instead).
I work with other professionals in the security and data protection space to provide services related to due diligence (in general) and/or M&As. Get in touch to learn more.
Who do I typically help (with what)?
Although I've worked with very different companies and industries on a range of projects, I often help growing SaaS processors based outside of Europe who struggle to convince EEA-based prospects in RfP processes that they comply with the GDPR. Your compliance might be stellar, but if you cannot convince your potential customers about this - you lose anway. πΈ
I'm also a discussion partner for fellow practitioners (typically DPOs) who need relevant insights, a fresh perspective or hands-on help dealing with a complex issue (like role assessments, territorial scope, Schrems II).
For one-to-one work, I typically help those with a budget starting at $10,000. Any type of engagement, however, usually starts with a smaller project such as the GDPR Audit π, not least to see if we're a good fit.
My main goal when working with you is to make the GDPR understandable, manageable and tailored to your type of business/organization, size and context. I take a no-BS approach and offer practical, smart advice and possible solutions to complex issues.
I won't do the GDPR for you, but I will help you maneuver the regulatory landscape and not spend more money on this than you have to.
Over the past years I've been lucky to work on a wide variety of projects, in both the public, nonprofit and private sectors, with brick-and-mortar companies, micro to large organizations with 550+ employees, with app development, incubators, co-working spaces and SaaS, and with clients in the US (including on Hawaii, 12 hours ahead of me!), Canada, Singapore, Thailand, Germany, Bulgaria, Poland and Sweden.