4 days, 14 hours ago

Data Protection Officer

Context

As part of a strategic project of the Brussels-Capital Region, managed by Paradigm.brussels, we are looking for a Data Protection Officer (DPO) consultant to support the DPO of Paradigm/IRISteam. The mission aims to strengthen GDPR compliance and secure data processing throughout the entire project lifecycle.

Reporting line: hierarchically to the Project Management; functionally to the DPO of Paradigm/IRISteam (compliance control)

Working arrangement: minimum 3 days per week

Mission

Provide operational and regulatory expertise to co-steer project compliance (privacy by design/by default), ensure accountability documentation, and advise the teams (business, IT, security, legal, procurement) in close coordination with the responsible DPO.

Key Responsibilities

Governance and Advisory

  • Support the responsible DPO in advising teams on the application of the GDPR, the Belgian law of 30/07/2018, and the guidelines of the DPA.
  • Integrate data protection into project governance (committees, decisions, milestones, change management).
  • Ensure absence of conflicts of interest and independence of the function.

Mapping and Registers

  • Update the register of processing activities and information notices.
  • Identify legal bases, retention periods, categories of data, and recipients.

AIPD/DPIA (risk analyses)

  • Co-lead impact assessments (AIPD/DPIA), define mitigation measures, and monitor their implementation with the public bodies responsible for processing.
  • Support the responsible DPO in validating the AIPD trigger checklists and “privacy by design” documentation.

Contracts and Subcontracting

  • Review/adapt Article 28 GDPR clauses with subcontractors, including Standard Contractual Clauses (SCC) and, where applicable, duly documented Transfer Impact Assessments (TIA).
  • Verify security commitments and assistance with data subject rights requests.

Data Subject Rights and Data Protection Incident Management

  • Optimize procedures for exercising rights (access, rectification, erasure, objection, portability).
  • Establish service level agreements (SLA) tailored to processing activities.
  • Contribute to data breach management: triage, possible notification to the DPA, and communication to data subjects.

Security and Retention

  • Work with the CISO on technical and organizational measures (art. 32): logging, encryption, testing.
  • Define and monitor the implementation of retention, anonymization, and pseudonymization policies.

Awareness and Audit

  • Conduct targeted awareness sessions for project teams and participate in meetings with the public bodies responsible for processing and their DPOs.
  • Prepare for and assist with internal/external audits and requests from the Data Protection Authority.

Expected Deliverables

  • Legal bases matrix (including, where applicable, documented balancing tests for legitimate interests).
  • Support in conducting AIPD and development of risk treatment plans.
  • Review of contract templates (art. 28 GDPR, SCC) and documented TIA.
  • Procedures relating to data subject rights (proposal and formalization) accompanied by SLA and KPI (e.g., response times, rate of complete requests).
  • Retention plan and deletion tables.
  • Awareness plan and related materials.
  • Accountability dashboard for the Project Management.
  • Updated register of processing activities and validated processing records.

Additional information:

The mission may be renewed for a maximum duration (including the initial period) of 880 working days.

This position was originally posted on Pro Unity.

It is publicly accessible, and we recommend applying directly through the Pro Unity website instead of going through third-party recruiters.