Governance Risk and Compliance Expert
About the Role
A European institutional client is looking for a Governance Risk and Compliance Expert to join their IT operations team on a contract basis. You'll ensure the organisation's IT systems and processing activities comply with data protection law and privacy standards - combining legal and regulatory expertise with hands-on technical engagement across real systems, data flows, and processing activities.
This role sits at the intersection of law, technology, and governance. You'll work directly with system owners, architects, cybersecurity teams, and third-party vendors to translate compliance requirements into practical outcomes.
A personal security clearance is required.
What You'll Do
Compliance & Governance
Ensure IT operations comply with data privacy and data protection standards, laws, and regulations
Assist with the design, implementation, audit, and compliance testing of data protection controls
Identify, document, and propose countermeasures to compliance gaps
Enforce and advocate for the organisation's data privacy and protection programme
Contribute to the development of organisational strategy, policy, and procedures
Documentation & Assessment
Prepare, update, and review Records of Processing Activities (RoPAs), Data Protection Impact Assessments (DPIAs), Data Processing Agreements (DPAs), Transfer Impact Assessments (TIAs), and related documentation
Conduct privacy impact assessments for new and existing systems
Analyse and document technical arrangements relevant to data protection: access rights, privileged access, logs, SIEM/log exports, retention, hosting, data flows, support access, transfers, processors, and subprocessors
Write and review privacy statements for data controllers
Advisory & Training
Advise on data protection matters, particularly in the context of personal data processing
Provide legal guidance on data privacy and data protection standards, laws, and regulations
Develop, maintain, and communicate data privacy policies and procedures
Develop and deliver staff awareness training to foster a culture of data protection
Ensure data owners, controllers, processors, and other stakeholders are informed of their rights, obligations, and responsibilities
Stakeholder & Authority Management
Act as a contact point for queries and complaints regarding data processing
Monitor audits and data protection training activities
Cooperate and share information with supervisory authorities and professional groups
Manage the legal aspects of information security responsibilities and third-party relationships
What We're Looking For
At least 5 years of personal data protection compliance experience in an ICT, EU institutional, public-sector, or similarly technology-heavy environment - with hands-on work on real systems and processing activities
At least 3 years of hands-on experience preparing, updating, or reviewing RoPAs, DPIAs, DPAs, TIAs, or related data protection documentation - including data mapping and obtaining input from technical owners, architects, operations, cybersecurity/SOC teams, and vendors
At least 2 years of experience analysing and documenting technical arrangements relevant to data protection: access rights, privileged access, logs, SIEM/log exports, retention, hosting, data flows, support access, transfers, processors, and subprocessors
Ability to work with incomplete or inconsistent ICT information - distinguishing confirmed facts from assumptions, identifying gaps or contradictions between declared system behaviour and likely technical reality, and structuring clear next steps for management review
Strong written and verbal communication skills in English (minimum C1)
Comfortable operating in a structured, institutional environment with multiple stakeholders
Contract Details
Contract-based engagement (B2B)
On-site / hybrid service delivery
Personal security clearance required