Governance Risk and Compliance Expert (Full remote - Europe)

 Posted 2 hours ago
     
5-10 years experience

AI Summary

The role involves turning legal and governance requirements into concrete documentation and processes across ICT systems. Key tasks include preparing RoPAs and DPIAs, validating technical data protection arrangements, and providing privacy-by-design input for projects.

Governance Risk and Compliance Expert (GRCE)

About the mission

Frontex's Digital Services Unit (DIG) is reinforcing its capacity to handle personal data protection and privacy compliance across its ICT environment. As GRCE, you'll support Frontex in applying Regulation in practice — turning legal and governance requirements into concrete documentation, processes and follow-up actions across multiple ICT systems, projects and procurements.

What you'll be doing

  • Preparing, updating and improving Records of Processing Activities (RoPAs) and Data Protection Impact Assessments (DPIAs) across ICT systems

  • Drafting and maintaining privacy notices and related data protection documentation

  • Validating personal data protection documentation against technical reality, working closely with system and technical owners

  • Analysing and documenting technical arrangements relevant to data protection: access rights, logs/SIEM exports, retention, hosting, data flows, transfers and processor chains

  • Supporting technical fact-finding for personal data breach incidents (without taking over breach qualification or notification decisions)

  • Working with incomplete or inconsistent information — distinguishing confirmed facts from assumptions and structuring clear next steps for management follow-up

  • Tracking actions, gaps and remediation items, and coordinating with system owners, project teams and the Frontex DPO

  • Providing privacy-by-design input into ICT projects, system changes and procurement files

What we're looking for

  • 5+ years of IT-relevant professional experience, including 4+ years in a similar role

  • At least 5 years of personal data protection compliance experience in an ICT, EU institutional, public-sector or similarly technology-heavy environment

  • At least 3 years of hands-on experience preparing, updating or reviewing RoPAs, DPIAs, DPAs or TIAs for real systems, including data mapping and validating input from system/technical owners

  • At least 2 years of experience analysing technical arrangements relevant to data protection (access rights, logs, retention, hosting, transfers, processors)

  • Excellent understanding of EU data protection legislation, standards and compliance frameworks

  • Strong stakeholder management and communication skills across technical and non-technical audiences

Education & certifications

  • Minimum education: Master's degree or equivalent

  • At least 3 certifications among: CISA, CISM, GSNA, GCCC, ISO 27001 Lead Implementer/Auditor, ISO 27005 Risk Manager, CAP, CRISC, CISSP-ISSMP, GIAC ISO-27000 Specialist (or internationally recognized equivalents)

Languages

  • Fluent English (C1)

Work Model

  • Full remote

Location

  • Europe
