Snapshot of the founder's background
Over 15 years of professional experience, public and private, established and emerging markets (Norway, Nordics, Qatar, Dubai/MENA), for Ernst & Young, Nordic Innovation and in higher education, working mainly with project management, digitalization, business development and startups, has provided me with an invaluable understanding of how to work effectively and successfully in multi-national and cross-cultural teams, managing often conflicting agendas and personalities in projects with 50+ stakeholders.
My background and experience is key to my current success in helping people manage the complexities of privacy and data protection.
You're here because you acknowledge (and struggle with) the increasingly global and complex regulatory landscape. 🌍
You're pretty sure that the GDPR applies to you, but not how much and if you're required to appoint a Data Protection Officer or an EU representative.
You might be on your way out of the startup phase, looking to streamline internal processes (not least to prepare for a potential IPO or buy-out), a corporation unsure about the GDPR's territorial scope, in need of a privacy due diligence for M&As, or just wanting to know your current compliance status.
Or you might be another DPO looking for a discussion partner on complex issues (Schrems II, joint controllership etc.).
It's difficult to keep up with all the regulatory changes and you feel you lack overview (and control), want to get clear on what applies for your particular business and situation, and what is urgent and must-haves vs. nice-to-haves.
⏰ The one thing you do know, though, is that you cannot delay this any longer...
How can we work together?
It ultimately depends on your specific situation and needs. If your budget is ~$10,000, let's get on a call to discuss. But read on below to see how you avoid being over-charged by lawyers/consultants. 💸
Mainly, I help with actionable GDPR Audits where I give you clarity on your work, identify gaps and high risks, and give you practical and pragmatic advice to help you manage these risks.
Step 1: GDPR Audit (don't skip this)
You know you need to get things in order, but not where to start or what's good enough. ⚠️ And if you don't know this, how will you trust that your external lawyer or consultant will only recommend what you actually need (at this point in time) and avoid being over-charged?
Yes, there is such a thing as overdoing compliance. So before we discuss bigger projects or an outsourced role (like external DPO), I'll likely ask you to go through a GDPR audit/review first.
This will provide us both with a solid overview of your GDPR work, make it possible to prioritize your future efforts and plan accordingly (in line with your business ambitions and goals). And when we know the gaps, we'll be able to get an idea about further investments.
And, importantly - we get the chance to work together on a smaller budget to see if we're a right fit.
Most of the work in an audit is on my side. Your role is primarily to provide access to necessary documentation, respond to emails and attend a few meetings. It will, however, be an intensive effort over two weeks, where you still need to be available and provide information as needed.
Based on this, I will make an assessment and a gap analysis, measured against the legal requirements, and provide concrete recommendations on how to close/mitigate gaps (measured against your level of ambition).
Pricing typically starts at $5,000.
Step 2: Project work (all the fun stuff)
When you actually know the status of your GDPR work (after the audit, see step 1 👆), you can prioritize and plan further projects - according to your business ambitions and goals. Remember, compliance is important, but doesn't trump everything else in your business.
The audit will show you the gaps and highlight any 🚩 and (especially) ⏰ ones. (Yes I use such icons in the audit checklist(s) you get, too.)
You'll know after the audit. I might not be (avail)able to help with all of the above, but we'll discuss together what must vs. should be done, by whom (internal, external or a combination), and when.
Step 3: DPO/Privacy Officer as a Service
Finally, while I can act as your external Privacy Officer or Data Protection Officer (DPO), I have few available openings and this is contingent on us having worked together for a while (including done the GDPR Audit first 👆).
Speaking & Training
If there's one thing I enjoy more than digging through court rulings, DPA decisions and EDPB guidelines, it's helping people understand the GDPR, (e)privacy and data protection!
And if you've ever seen a lecture or attended a class/course on these topics and fell asleep after two minutes 😴, then reset your expectations. Especially as some think it's pretty dry stuff, it's crucial to communicate in an engaging way.
I can promise presentations and training free of legalese and "I'm the expert" vibes, tailored to your company, culture and people.
PS: I teach as a guest lecturer at BI Norwegian Business School (Executive Course on Data Protection and the GDPR) and Kristiania University College (GDPR and digital marketing), and have extensive experience in speaking and training in other settings (for incubators, small business hubs, schools, corporations and at various events and conferences).
Due diligence, M&A
In 2020, the UK's data protection authority (the ICO) fined the Marriott £18.4 million for failing to keep their customers’ personal data secure, stemming from a data breach in a hotel chain the Marriott had acquired.
⚠️ Importantly, the data breach existed before the Marriott aquired them. Key lesson: do your due diligence properly, including for personal data and everything else relating to the GDPR.
PS: Poor compliance is not only a 🚩, but is an opportunity to negotiate price.
And if you're the SaaS start/scale-up and hoping for a lucrative exit at some point, get this due diligence done before getting into M&A (to have the price negotiation card up your sleeve instead).
I work with other professionals in the security and data protection space to provide services related to due diligence (in general) and/or M&As. Get in touch to learn more.
Who do I typically help (with what)?
Although I've worked with very different companies and industries on a range of projects, I often find myself helping US-based, growing SaaS data processors who are too small to have in-house legal/compliance people, but too big not to take the GDPR seriously (not least because of the ever increasing sceptical inquiries from potential and existing customers).
I'm also a discussion partner for fellow professionals (like DPOs) who need relevant insights, a fresh perspective or hands-on help dealing with a complex issue (like role assessments, territorial scope, Schrems II).
For one-to-one work, I typically help those with a budget starting at $10,000. Any type of engagement, however, usually starts with a smaller project such as the GDPR Audit 👆, not least to see if we're a good fit.
My main goal when working with you is to make the GDPR understandable, manageable and tailored to your type of business/organization, size and context. I take a no-BS approach and offer practical, smart advice and possible solutions to complex issues.
I won't do the GDPR for you, but I will help you maneuver the regulatory landscape and not spend more money on this than you have to.
Over the past years I've been lucky to work on a wide variety of projects, in both the public, nonprofit and private sectors, with brick-and-mortar companies, micro to large organizations with 550+ employees, with app development, incubators, co-working spaces and SaaS, and with clients in the US (including on Hawaii, 12 hours ahead of me!), Canada, Singapore, Thailand, Germany, Bulgaria, Poland and Sweden.