Privacy Praxis is specialized leading provider of end to end Data Privacy and Information Security solutions.
Our core focus is offering Data Protection Officer (DPO) support in a flexible “as-a-service” model.
We help our customers fulfill their EU GDPR requirements in terms of appointing a DPO, without having to engage one or more internal resources. Then we customize the services to fit the particular needs of each organization, based on their business sector, their geographical exposure, the type and amount of personal data they access and their specific maturity level.

Our experience with Data Privacy goes back already more than 10 years before the new EU General Data Protection Regulation was published. Since the GDPR was published, in May 2016, we have been one of the first firms to invest in understanding the requirements and the impact the Regulation would have on medium and large organizations.
Today we serve a diverse portfolio of organizations from many different sectors and geographies.
Our clientele includes several financial institutions, telecommunications, healthcare, marketing, manufacturing and other organizations


  1. Data Protection Officer As a service

Under Article 37 of the GDPR, many organisations are obliged to appoint a DPO.

The appointment of a DPO is mandatory for all public authorities, and for organisations whose data controller or data processor carries out core activities such as “regular and systematic monitoring of data subjects on a large scale”. An entity that processes “special categories of personal data” on a large scale must also appoint a DPO.

Article 37 also requires the DPO to have “expert knowledge of data protection law and practices”. Many organisations required under the GDPR to appoint a DPO are unable to assign the role to an internal member of staff, due to resource constraints and/or lack of knowledge and technical skills. Finding and recruiting a full-time data protection expert is also beyond the budgets of many organisations. Addressing these challenges, the GDPR makes provisions to fill this post on an outsourced basis.


  1. What is our approach to the GDPR compliance program

Compliance to the GDPR is a multi-step process that requires complete collaboration and commitment from the customer’s side to achieve success.

Our approach, in a nutshell, can be described by the following steps :

  • Identify gaps analysis between the as is (current situation) and the requirements of the GDPR.

For the completion of this step we employ different practices, namely interviewing key stakeholders (I.e HR, marketing, IT, etc) , reviewing existing pocedures and documentation, reviewing third party contracts as necessary etc. The deliverable from this step will be a documentedgap analysis, identifying areas of risk and quantifying the risk, as well as mapping the gaps against specific articles of the GDPR.

This step may be facilitated by potentially existing documentation, i.e results of previous audits or data privacy assesments that may have previously conducted, if applicable.

  • Define the action plan

Based on the findings of the gap analysis and in full collaboration with the customer, Heymans Consulting will propose an action plan.

The action plan will need to be then validated by the steering committee that will have been assigned by the our client  for that purpose.

The action plan will include list of priorities as well as an estimation of resources needed from our client in order to achieve completion.

  • Monitoring the execution of the action plan

As described above, the commitment and participation of the customer is critical in order to achieve compliance.

We propose that Our client should assign a steering committee, or project sponsor with defined escalation path. Regular meetings should be planned with the steering committee (I.e proposed frequency is quarterly, but based on the availability of Our client they could also be bi-annual). The progress will be reviewed against the agreed timeline , and in case of gaps potential solutions will be reviewed at that point in collaboration with the customer.

  • Support Our client in the context of specific projects

Apart from the definition of a specifc GDPR action framework, as described above, in the scope of the present RFP we also offer support in the context of ad hoc projects. We propose that the Data Privacy responsible – or the designated resources of Heymans Consulting (depending on what the customer will select) are involved in the various projects as early as possible in the process. That will enable us to assess the data protection requirements effectively, provide adequate guidance to the stakeholders of the STIB and also efficiently assess potential contractual or other documentation requirements.

  • Support Our client  in the selection and coaching of a new Data Privacy Resource.

In this respect Heymans Consulting can support Our client  either throughout the entire process, or with selected individual steps, depending on the customer’s choice. Just for reference purposes, we provide herewith a list of the potential activities where Heymans Consulting can add value

  1. Drafting the job description and submitting it for validation / publishing to the client.
  2. Reviewing applicant profiles and submitting a shortlist to the designated client responsibles.
  3. Participating with the designated resources from the client in the interview process, supporting the client with the technical or overall assessment of the interviewees.
  4. Supporting the client in explaining to the candidates the expectations from the new role.
  5. After the selection of the successful candidate, engaging with them in coaching sessions. Explain in detail the GDPR requirements, assist them in contacting key stakeholders (i.e Commission de la vie privee, etc) working side by side with them on specific projects and guiding them as to the considerations that need to be made.


  1. Data Protection As A Service :

The scope of Data Protection as a service  is typically defined in collaboration with the customer. Our services vary from holistic management of Data Protection requirements to taking ownership of specific activities, depending on our Customer’s needs.

Below we provide a non exhaustive list of activities under the DPO as a service scheme.

  • Onoing compliance monitoring to the GDPR, i.e
  • Collect information to identify processing activities
  • Analyse and check the compliance of processing activities
  • Inform, advise and issue recommendations to our client.
  • Data protection impact assessment (DPIA)
  • whether or not to carry out a DPIA
  • what methodology to follow when carrying out a DPIA
  • whether to carry out the DPIA in-house or whether to outsource it
  • what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
  • whether or not the data protection impact assessment has been correctly carried out and
  • whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR
  1. Other services
  • Selecting and coaching DPOs
  • Data Protection Audit Services
  • Cyber Security Advice
  • Data Protection and GDPR consultancy


  1. Why choose us
  • Multiyear experience in Data Protection
  • Experience with different sectors – banking, healthcare, retail, manufacturing, etc.
  • Networking with Data Protection Authorities (DPA) in several European countries.
  • Experience with multinational organizations and with overseas operations.
  • Result oriented, customer centric mindset
  • Flexibility to adapt to our customers’ needs

For information or quotation please contact us via mail info@dpo-as-a-service.com