Governance Risk and Compliance Expert

A European institutional client is seeking a Governance Risk and Compliance Expert to join their IT operations team on a contract basis. The role involves ensuring IT systems and processing activities comply with data protection law and privacy standards, combining legal and regulatory expertise with technical engagement. The expert will work with system owners, architects, cybersecurity teams, and third-party vendors to translate compliance requirements into practical outcomes.

• At least 5 years of personal data protection compliance experience in an ICT, EU institutional, public-sector, or similarly technology-heavy environment with hands-on work on real systems and processing activities
• At least 3 years of hands-on experience preparing, updating, or reviewing RoPAs, DPIAs, DPAs, TIAs, or related data protection documentation, including data mapping and obtaining input from technical owners, architects, operations, cybersecurity/SOC teams, and vendors
• At least 2 years of experience analysing and documenting technical arrangements relevant to data protection: access rights, privileged access, logs, SIEM/log exports, retention, hosting, data flows, support access, transfers, processors, and subprocessors
• Ability to work with incomplete or inconsistent ICT information, distinguishing confirmed facts from assumptions, identifying gaps or contradictions, and structuring clear next steps for management review
• Strong written and verbal communication skills in English (minimum C1)
• Comfortable operating in a structured, institutional environment with multiple stakeholders

Compliance & Governance:

• Ensure IT operations comply with data privacy and data protection standards, laws, and regulations
• Assist in designing, implementing, auditing, and compliance testing activities
• Identify, document, and propose countermeasures to compliance gaps
• Enforce and advocate for the organisation's data privacy and protection programme
• Contribute to the development of organisational strategy, policy, and procedures

Documentation & Assessment:

• Prepare, update, and review Records of Processing Activities (RoPAs), Data Protection Impact Assessments (DPIAs), Data Processing Agreements (DPAs), Transfer Impact Assessments (TIAs), and related documentation
• Conduct privacy impact assessments for new and existing systems
• Analyse and document technical arrangements relevant to data protection: access rights, privileged access, logs, SIEM/log exports, retention, hosting, data flows, support access, transfers, processors, and subprocessors
• Write and review privacy statements for data controllers

Advisory & Training:

• Advise on data protection matters, particularly in the context of personal data processing
• Provide legal guidance on data privacy and data protection standards, laws, and regulations
• Develop, maintain, and communicate data privacy policies and procedures
• Develop and deliver staff awareness training to foster a culture of data protection
• Ensure data owners, controllers, processors, and other stakeholders are informed of their rights, obligations, and responsibilities

Stakeholder & Authority Management:

• Act as a contact point for queries and complaints regarding data processing
• Monitor audits and data protection training activities
• Cooperate and share information with supervisory authorities and professional groups
• Manage legal aspects of information security responsibilities and third-party relations

A personal security clearance is required.