Working together

Over 15 years of professional experience, public and private, established and emerging markets (Norway, Nordics, Qatar, Dubai/MENA), for Ernst & Young, Nordic Innovation and in higher education, working mainly with project management, digitalization, business development and startups, has provided me with an invaluable understanding of how to work effectively and successfully in multi-national and cross-cultural teams, managing often conflicting agendas and personalities in projects with 50+ stakeholders.

My background and experience is key to my current success in helping people manage the complexities of privacy and data protection.

Read more on this page and if you're extra curious you can snoop through my LinkedIn profile here.

You're here because you acknowledge (and struggle with) the increasingly global and complex regulatory landscape. 🌍

You're pretty sure that the GDPR applies to you, but not how much and if you're required to appoint a Data Protection Officer or an EU representative.

You might be on your way out of the startup phase, looking to streamline internal processes (not least to prepare for a potential IPO or buy-out), a corporation unsure about the GDPR's territorial scope, in need of a privacy due diligence for M&As, or just wanting to know your current compliance status. 

Or you might be another DPO looking for a discussion partner on complex issues (Schrems II, joint controllership etc.).

It's difficult to keep up with all the regulatory changes and you feel you lack overview (and control), want to get clear on what applies for your particular business and situation, and what is urgent and must-haves vs. nice-to-haves. 

⏰ The one thing you do know, though, is that you cannot delay this any longer...

Your GDPR work is likely in chaos. You have put down ad-hoc efforts for some time, documents are stored in various folders, you know sort-of what systems you use for personal data and you did update that privacy policy in ... was it (25 May) 2018?

You know you need to get things in order, but not where to start or what's good enough. ⚠️ And if you don't know this, how will you trust that your external lawyer or consultant will only recommend what you actually need (at this point in time) and avoid being over-charged?

Yes, there is such a thing as overdoing compliance. So before we discuss bigger projects or an outsourced role (like external DPO), I'll likely ask you to go through a GDPR audit/review first.

This will provide us both with a solid overview of your GDPR work, make it possible to prioritize your future efforts and plan accordingly (in line with your business ambitions and goals). And when we know the gaps, we'll be able to get an idea about further investments.

And, importantly - we get the chance to work together on a smaller budget to see if we're a right fit.

Most of the work in an audit is on my side. Your role is primarily to provide access to necessary documentation, respond to emails and attend a few meetings. It will, however, be an intensive effort over two weeks, where you still need to be available and provide information as needed.

Based on this, I will make an assessment and a gap analysis, measured against the legal requirements, and provide concrete recommendations on how to close/mitigate gaps (measured against your level of ambition).

Pricing typically starts at $5,000.

When you actually know the status of your GDPR work (after the audit, see step 1 👆), you can prioritize and plan further projects - according to your business ambitions and goals. Remember, compliance is important, but doesn't trump everything else in your business.

The audit will show you the gaps and highlight any 🚩 and (especially) ⏰ ones. (Yes I use such icons in the audit checklist(s) you get, too.)

Is your privacy policy insufficient and outdated? Still don't have that overview of personal data ("records of processing activities") in place? Are you a processor and your data processing agreement lacks required information and you haven't gotten the new 2021 SCCs in place? Are you struggling with Schrems II, TIAs, or need to conduct a DPIA?

You'll know after the audit. I might not be (avail)able to help with all of the above, but we'll discuss together what must vs. should be done, by whom (internal, external or a combination), and when.

Finally, while I can act as your external Privacy Officer or Data Protection Officer (DPO), I have few available openings and this is contingent on us having worked together for a while (including done the GDPR Audit first 👆).

If there's one thing I enjoy more than digging through court rulings, DPA decisions and EDPB guidelines, it's helping people understand the GDPR, (e)privacy and data protection!

And if you've ever seen a lecture or attended a class/course on these topics and fell asleep after two minutes 😴, then reset your expectations. Especially as some think it's pretty dry stuff, it's crucial to communicate in an engaging way.

I can promise presentations and training free of legalese and "I'm the expert" vibes, tailored to your company, culture and people.

PS: I teach as a guest lecturer at BI Norwegian Business School (Executive Course on Data Protection and the GDPR) and Kristiania University College (GDPR and digital marketing), and have extensive experience in speaking and training in other settings (for incubators, small business hubs, schools, corporations and at various events and conferences).

In 2020, the UK's data protection authority (the ICO) fined the Marriott £18.4 million for failing to keep their customers’ personal data secure, stemming from a data breach in a hotel chain the Marriott had acquired.

⚠️ Importantly, the data breach existed before the Marriott aquired them. Key lesson: do your due diligence properly, including for personal data and everything else relating to the GDPR. 

PS: Poor compliance is not only a 🚩, but is an opportunity to negotiate price.

And if you're the SaaS start/scale-up and hoping for a lucrative exit at some point, get this due diligence done before getting into M&A (to have the price negotiation card up your sleeve instead).

I work with other professionals in the security and data protection space to provide services related to due diligence (in general) and/or M&As. Get in touch to learn more.

Although I've worked with very different companies and industries on a range of projects, I often find myself helping US-based, growing SaaS data processors who are too small to have in-house legal/compliance people, but too big not to take the GDPR seriously (not least because of the ever increasing sceptical inquiries from potential and existing customers).

I'm also a discussion partner for fellow professionals (like DPOs) who need relevant insights, a fresh perspective or hands-on help dealing with a complex issue (like role assessments, territorial scope, Schrems II).

For one-to-one work, I typically help those with a budget starting at $10,000. Any type of engagement, however, usually starts with a smaller project such as the GDPR Audit 👆, not least to see if we're a good fit.

My main goal when working with you is to make the GDPR understandable, manageable and tailored to your type of business/organization, size and context. I take a no-BS approach and offer practical, smart advice and possible solutions to complex issues.

I won't do the GDPR for you, but I will help you maneuver the regulatory landscape and not spend more money on this than you have to.

Over the past years I've been lucky to work on a wide variety of projects, in both the public, nonprofit and private sectors, with brick-and-mortar companies, micro to large organizations with 550+ employees, with app development, incubators, co-working spaces and SaaS, and with clients in the US (including on Hawaii, which is 12 hours ahead of me!), Canada, Singapore, Thailand, Germany, Bulgaria, Poland and Sweden.