Why choose us?

Green DPO is an expert data protection consultancy launched in December 2020. We focus on providing data protection officer (DPO) services, either on an outsourced basis or supporting DPOs internally. We are perfectly placed to deliver all DPO services virtually.

Whilst only recently launched, Heike Norris, a qualified solicitor, has over 20 years data protection experience – long before the General Data Protection Regulation (GDPR) came into force. We understand what it’s like to work across borders, with competing priorities, challenging scenarios and individuals!

We are passionate about privacy and combine our legal backgrounds with a pragmatic, flexible and risk based approach.

About us

Heike has over 20 years’ experience in privacy and data protection. Before moving to Germany at the end of 2019, Heike was the Privacy & Data Protection Director for the Bupa Group, a global health, care and financial services company.
Before Bupa, she spent five years leading Live Nation Entertainment Inc.’s international privacy team, working across the Ticketmaster and Live Nation businesses within the UK and internationally. She designed and implemented their whole privacy programme, reporting to Executives in the UK and USA. She was also the appointed DPO for their two German subsidiaries. Previous to that she lead the Data Protection teams at BSkyB (an international communications company) and at British Gas (part of the Centrica Group). Prior to becoming an in-house lawyer and privacy specialist Heike was a solicitor at Field Fisher Waterhouse Partnership in London.

Heike has worked in diverse operating and governance models, in a range of industries, from start-ups to regulated entities. She is experienced in advising on and successfully implementing national and global privacy compliance and accountability programmes operating at all levels from Board, Executive to operational support functions. Her involvement in UK privacy regulator audits in the past, including under the General Data Protection Regulation, adds a notable and interesting element to her wide-ranging privacy expertise.

Our Services

For example, we can help you…

  • set and monitor your privacy KPIs

  • review your DPIA results

  • in data breach management (including liaison with regulators)

  • as a point of contact for individuals and regulators

  • with data protection compliance and risk assessments

  • GDPR / Privacy training programmes

  • design privacy policies and other policies or processes
  • by being your appointed DPO or supporting your DPO and privacy teams

  • to manage individual rights requests

  • define requirements for third party engagements

  • with data mapping

  • with your direct marketing and cookies compliance

Sapling Starter Suite – if you are just starting your business and don’t know how or if data protection applies, we have a Sapling Starter Suite of documents we could send you (it includes a free chat too!).

Sound good?

Get in touch


Every client is different and so is our pricing! All our pricing is bespoke to your requirements. We offer fixed amounts, hourly rates and anything in between. Get in touch to find out more.

Steps 1-3 below show our suggested approach to your holistic privacy compliance.

Step 1

We start with a GDPR compliance risk assessment of your company. Any non-compliance gaps will be risk ranked with recommended remediation actions. The risk assessment is important for your accountability obligations and also enables us to get to know your company better.

Step 2

We will support you in completing any remedial actions. This could include writing policy and process documents, assist in implementation, training, contract clause drafting, liaison with information security experts.

Step 3

This is all about ongoing maintenance. Below are two service options where charges would be monthly.

Ongoing Maintenance


  • Named DPO and contact point for ICO (including advice on ICO fee payment)
  • Advice and guidance (up to 2 hrs per month)
  • Advising on DPIAs
  • Training (1 x 1hr session per year)
  • Compliance monitoring report (one per year)
  • Annual Board Report

Oak Tree

  • Named DPO and contact point for ICO (including advice on ICO fee payment)
  • Advice and guidance (up to 5 hrs per month)
  • Advising on DPIAs
  • Training (3 x 1hr sessions per year) including executive and board training
  • Compliance monitoring report (two per year)
  • Bi-annual Board Report
  • Assistance with individual rights requests
  • Data breach reporting advice and liaison with regulator
  • Maintaining Art 30 (Records of Processing Activities) Register

Did you know?

You shouldn’t appoint your CTO or CISO or other executive role as your DPO.

DPOs must be independent, experts in data protection, adequately resourced, and report to the highest management level. DPOs can perform other roles, but it is critical that these roles don’t result in a conflict of interest for them.  In other words, they should not be “marking their own homework.”

You can be fined for not appointing a DPO.

Either up to EUR 10 million (approx. GBP 9 million), or for companies, up to 2 % of total worldwide turnover of the preceding financial year, whichever is higher  

You can appoint the same DPO for more than one company in a Group.

A group of companies can appoint one DPO for all their subsidiaries provided that he/she is easily accessible.

A DPO can be an employee or you can appoint one externally.

DPOs must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the DPO tasks. Whether internal or external, DPOs must be properly informed of the data processing issues and in a timely manner.  They must not be given any instructions on how to perform their activities, hence why external DPOs provide the ideal solution .

DPOs have specific tasks they must perform in their role

These tasks are: to inform and advise the company of their data protection obligations; to monitor the company’s compliance with data protection requirements and train its staff; to advise on data protection impact assessments; and to be the contact point for data protection regulators.

Contact us

Curious? Need more information? Send us an email:


We look forward to hearing from you.