Privacy Officer Advisory for Tech Companies
Senior privacy judgment on tap, without the overhead of a full-time hire. An annual retainer built around available time, not a running hour count you have to watch.
Privacy Officer Advisory is an annual retainer that gives your team ongoing access to senior privacy judgment, led by Ross Saunders, CIPP/E, without hiring a full-time privacy officer.
If you are looking for a fractional privacy officer, here is the honest version: in several jurisdictions, the designated privacy officer role has to sit inside your organization, not with an external contractor. What you want is senior privacy judgment available whenever you need it, and I work alongside whoever holds that role internally, even if that is someone doing it off the side of their desk.
It runs as an annual retainer built around available time, not a running hour count. There is nothing to track against an invoice. I scope and deliver work against the roadmap and priorities we agree each month, and if a month runs heavier than usual, the answer is never a surprise bill. Less urgent items simply move out, and if that becomes a pattern rather than the exception, that is a conversation about whether the other tier fits better, not a bigger invoice.
Same model, different scale. Here is the practical difference.
| | Foundation | Embedded |
|---|---|---|
| Built for | A single product and a single jurisdiction, building the privacy foundation. | Multiple products or jurisdictions, with privacy decisions happening constantly. |
| Availability | Steady, standing availability with a regular check-in. | Priority, beck-and-call availability, closer to being part of the team. |
| Assessment | A right-sized annual privacy risk review. | The full interview-led Privacy Impact Assessment or DPIA. |
| Engineering & product | Spec and feature review as things come up. | A standing presence in sprint planning and architecture reviews. |
| Best for | Earlier-stage teams putting their privacy foundation in place. | Teams where privacy touches something new most weeks, not most quarters. |
Both tiers share the same working baseline. The difference is scale, not substance.
Billed monthly under a 12-month term, or pay annually and save. Either way, 30 days' notice before renewal if you want to change tier or step away.
per year, billed annually
A single product, single jurisdiction.
per year, billed annually
Multiple products or jurisdictions.
Need something in between?
Not sure which fits? A 15-minute discovery call is the fastest way to find out.
No other client work during your reserved time. This is advisory on your own terms, for when you want to call the shots without an annual commitment.
Subject to advance notice and planning.
$16,000 per month
Talk Through Scope →
Embedded includes the full Privacy Impact Assessment or DPIA. If you only need the assessment itself, without an ongoing retainer, that is its own service.
See PIA & DPIA services →
Fractional Privacy Engineering goes deeper into the day-to-day development workflow, at the code and architecture level, alongside a retainer or on its own.
See Fractional Privacy Engineering →
It means ongoing access to senior privacy advisory without tracking hours against an invoice. I scope and deliver work against the priorities and roadmap we agree each month, not billed hour by hour.
Work queues and less urgent items move out, rather than triggering a surprise invoice. If that becomes the pattern rather than the exception, the right move is usually a conversation about the other tier, not a bigger bill.
Foundation is right-sized for a single product and jurisdiction, with a lighter annual risk review. Embedded is for multiple products or jurisdictions with a constant stream of privacy-relevant decisions, and includes the full Privacy Impact Assessment or DPIA plus a standing presence in product and engineering discussions.
No. Incident and breach response is unplanned, urgent work, and it is always scoped and priced separately so a bad week never derails the roadmap or eats into the retainer.
No, and that is deliberate. Several jurisdictions require the designated privacy officer role to sit inside the organization, not with an external contractor. This is senior privacy advisory on tap, and I work alongside whoever holds that role internally, even if that is someone doing it off the side of their desk.
Twelve months, billed monthly or upfront for a discount, with 30 days' notice required before renewal to change tier or step away.
The discovery call is 15 minutes. No commitment, no pitch deck. We talk through your product, your jurisdictions, and which tier actually fits.
Advisory led by Ross Saunders, CIPP/E, with 15 years in privacy and cybersecurity and a background in software and SaaS leadership.
Last updated 1 July 2026