15 years of privacy and cybersecurity experience, building programs that prevent problems and fit the size and reality of actual businesses. The advice comes from being in the room, not from a framework.
Not sure where you stand? Get an instant risk score →
That is not a criticism. Privacy, AI, and cybersecurity are genuinely complex, and most organizations are managing them without dedicated expertise. The three services below cover the questions Ross gets asked most often: who handles privacy, what are the actual exposures, and what does AI adoption change.
Most organizations need senior privacy expertise years before they can justify a full-time hire.
This service gives executives and privacy officers ongoing access to an experienced advisor: someone who attends meetings, reviews contracts, and builds the privacy program alongside the team. The goal is to have the right practices in place before they are needed, rather than reacting once they turn out to be missing.
Start the conversation →
Most organizations have privacy obligations they cannot fully account for. This service maps them.
A structured assessment of what data is being collected, where it lives, who has access, and where the actual exposures are. Delivered as a prioritized roadmap rather than a compliance checklist. The output is designed to be acted on, not filed.
Start the conversation →
Building with AI introduces privacy obligations that most legal and compliance teams have not mapped yet.
Most organizations are using AI now, whether or not that decision was made deliberately. This service builds the privacy program for organizations where AI is already part of the picture: governance structures, data classification, risk frameworks, and program development built around how AI is actually being used in the business. The work starts from the actual situation, not a theoretical framework.
Start the conversation →
A privacy officer working in a tech company, whether the role is called a fractional privacy officer or a vCPO, needs to be present when the decisions happen. In an agile development environment, that means daily standups, sprint planning, architecture reviews, and the kind of corridor conversations that determine product direction before anyone writes it down. A fractional external officer misses most of those moments. When they do show up, they are catching up, not contributing.
Coming in as an advisor to the person carrying privacy internally, even if that is someone doing it off the side of their desk, changes the equation entirely. The person who is in the room every day absorbs the business context in real time. An external advisor who supports that person can respond faster and with more depth, because the information arrives filtered and framed by someone who was actually present. The work gets done better. The organization moves faster.
There is also a practical reality: several jurisdictions and regulatory frameworks require that the designated privacy officer be employed by the organization, not contracted externally. An advisory relationship is compliant everywhere. A fractional officer arrangement may not be. This is not a minor detail.
This applies specifically to the designated privacy officer role. For technical and engineering work, a fractional arrangement works exactly as intended, which is why Fractional Privacy Engineering exists.
For product and engineering teams that need privacy expertise in the development process, not just in the advisory layer. Ross works directly alongside developers and product teams to make privacy-by-design practical at the product, code, and architecture level.
A structured evaluation of how privacy and security are integrated across the software development lifecycle: Governance, Design, Implementation, Verification, and Operations. Identifies gaps and delivers a realistic roadmap to close them.
Structured threat modelling using LINDDUN (a framework for privacy-specific threats across data flows and system components) and PLOT4AI (a complementary framework for AI-specific privacy risks) to identify and prioritize threats specific to the organization's systems. Prioritized by actual risk rather than theoretical worst cases.
Privacy Officer Advisory is ongoing advisory provided to executives and privacy officers who need senior privacy expertise without a full-time hire. Ross attends meetings, reviews contracts, and builds the privacy program alongside the team, with the goal of having the right practices in place before they are needed.
Ross uses LINDDUN and PLOT4AI for privacy and AI threat modelling. LINDDUN maps threats across seven categories including linkability, identifiability, disclosure of information, and non-compliance. PLOT4AI addresses AI-specific privacy threats. Both are applied to the organization's actual systems and data flows, and prioritized by actual risk rather than theoretical worst cases.
A privacy risk assessment covers what data is being collected, where it lives, who has access, and where the actual exposures are. It is delivered as a prioritized roadmap rather than a compliance checklist, designed to be acted on rather than filed.
The discovery call is 15 minutes. No commitment, no pitch deck. If you'd like to know where your organization stands before we talk, the Tech Privacy Risk Score gives you an instant picture in 15 questions.