Frequently Asked Questions
About FTRCRP
What does FTRCRP do?
We help organizations implement technology ethically. We protect privacy, build trust, and put humans at the center of digital systems.
Specifically:
- GDPR compliance for small organizations
- AI policy development for schools and businesses
- Security assessments for SMBs without internal IT security
- Digital literacy training for educational institutions
Why “FTRCRP”?
“Future Corp.” A deliberate question about what kind of corporate future we’re building. The choices organizations make today about privacy, AI, and security shape the society of tomorrow. We help them choose well.
Are you a law firm?
No. We provide advisory services on privacy, security, and technology ethics, but we are not licensed attorneys. For legal questions requiring licensed counsel (court matters, contracts, regulatory proceedings), we work alongside your existing legal team or can refer you to qualified attorneys.
Where are you located?
Based in Norway. We work primarily with Norwegian organizations but can serve clients throughout Scandinavia. Remote work is standard; on-site visits available for engagements requiring them.
How long have you been in business?
FTRCRP is a new consultancy, but our principal brings current academic credentials (NIS security studies) and demonstrated investigative work. We’re building a practice based on quality and ethics, not years of billing.
Working with Us
How do engagements typically start?
- Initial call (30 minutes, free). We discuss your situation and whether we’re a good fit
- Scoping proposal (within 48 hours). Written summary of what we’d do, how long, and cost
- Agreement. Simple engagement letter or statement of work
- Kickoff. We begin work
Do you work remotely or on-site?
Both, depending on the work:
- Remote-first for most advisory work, document review, policy development
- On-site for workshops, training sessions, security assessments requiring physical access
- Hybrid for longer engagements
What’s your availability?
Currently building the practice alongside completing NIS studies. We’re selective about engagements to ensure quality delivery. Lead time for larger projects is typically 2-4 weeks; urgent smaller work can often be accommodated faster.
How do you charge?
Three models:
- Fixed price packages. Defined scope, defined price, no surprises
- Hourly consulting. For advisory work and flexible scoping
- Monthly retainers. For ongoing relationships and predictable access
Most clients prefer fixed-price packages for defined deliverables.
What are your rates?
Hourly work ranges from NOK 1,000-1,500 depending on complexity. Workshop and package pricing is designed for SMB budgets, typically NOK 8,000-50,000 depending on scope. We’re significantly more affordable than large consultancies while delivering principal-level attention.
Do you offer discounts for non-profits or schools?
Yes. Public schools and verified non-profits receive a 15-20% discount on standard rates. We believe everyone deserves access to ethical technology guidance.
GDPR Compliance
We’re a small business. Do we really need GDPR compliance help?
If you process personal data of EU/EEA residents (customer names, emails, employee records, etc.), GDPR applies to you. Size doesn’t exempt you from the regulation.
However, compliance looks different for a 10-person company than for a multinational. We help you understand what’s proportionate for your situation, not enterprise overkill.
What does a GDPR assessment include?
Typically:
- Data mapping. What personal data you collect, where it’s stored, who accesses it
- Policy review. Are your privacy notices accurate and compliant?
- Gap analysis. Where are you falling short of requirements?
- Prioritized recommendations. What to fix first based on risk
- Documentation. Record of Processing Activities (ROPA), other required docs
Do we need a Data Protection Officer (DPO)?
Under GDPR, you need a DPO if:
- You are a public authority/body
- Your core activities involve large-scale systematic monitoring of individuals
- Your core activities involve large-scale processing of special category data
Most small businesses don’t require a DPO. If you do, we offer outsourced/virtual DPO services as a more affordable alternative to hiring internally.
What happens if we’re not compliant?
Maximum fines under GDPR are EUR 20M or 4% of global turnover. But Datatilsynet (Norwegian DPA) applies proportionate enforcement. For small businesses, an honest effort at compliance goes a long way. The risk is not just fines. It is customer trust, reputational damage, and the actual harm from data breaches.
How long does compliance take?
A basic compliance assessment: 1-2 weeks. Full implementation (policies, training, documentation): 4-8 weeks. This is not a one-time project. Compliance is ongoing. Annual reviews keep you current.
AI Policy & Academic Integrity
Why do schools need AI policies?
Students are already using AI tools. Without clear policies, schools face:
- Teachers uncertain how to assess AI-assisted work
- Inconsistent enforcement across classrooms
- Potential academic integrity incidents without clear precedent
- Parent concerns about fairness and standards
- Pressure from Udir and oversight bodies
Getting ahead of this with clear, thoughtful policy prevents problems before they start.
Isn’t banning AI the simplest solution?
Banning is unenforceable and counterproductive. AI tools are becoming integral to how knowledge work happens. The question isn’t whether students will use AI, but whether they’ll use it responsibly with critical thinking.
Good policy teaches students to use AI as a tool while maintaining the learning outcomes education is meant to deliver.
Can you detect AI-generated content?
Detection tools exist but are imperfect. They produce false positives and can be circumvented. More importantly, detection is not the goal. Learning is. We help schools design assessments and approaches that make AI cheating less effective and AI assistance more productive.
Do you work with universities too?
Yes, though Norwegian universities often have internal resources for policy development. We’re particularly suited for smaller institutions, folkehøgskole, and schools in the gap between primary education and major universities.
Security Services
We’re small. Are we really a target?
Yes. SMBs are increasingly targeted precisely because they often lack dedicated security resources. Attackers know you probably have weak spots. Ransomware operators don’t care about your size. They care about whether you’ll pay.
What does a security posture review include?
- External vulnerability scanning. What does your organization look like from the outside?
- Policy review. Do you have basic security policies? Are they followed?
- Access control audit. Who has access to what? Is MFA enabled?
- Prioritized recommendations. What fixes matter most for your risk profile?
- Staff awareness. Training on phishing, password hygiene, physical security
Do you do penetration testing?
We conduct authorized vulnerability assessments and external scanning. Full-scope penetration testing (including exploitation) is something we’re developing capability in. For complex pentesting needs, we can refer you to established specialists and help you interpret their findings.
How often should we do security reviews?
At minimum: annually, plus whenever significant changes occur (new systems, acquisitions, major incidents, leadership changes). Quarterly review is better for organizations with changing environments.
Ethical AI Implementation
Our team is already using ChatGPT. Is that a problem?
Possibly. Questions to consider:
- What data are they putting into the tool?
- What are the vendor’s terms about data usage?
- Are outputs being verified before use?
- Is there any governance over which tools are approved?
We help organizations answer these questions and establish frameworks for responsible AI use.
Aren’t you biased against AI since you see problems with it?
We’re not anti-AI. We use AI tools daily in our own work. We’re pro-thoughtful-AI-implementation. The goal is to capture benefits while managing risks. Organizations rushing to deploy AI without governance create real problems; organizations that thoughtfully integrate AI tools gain competitive advantage.
Industry-Specific Questions
For Schools: How do you work with Udir guidelines?
We stay current with Utdanningsdirektoratet guidance on digital competence, privacy, and emerging technology. Our AI policy work aligns with Kunnskapsløftet requirements while preparing schools for evolving Norwegian regulations.
For Law Firms: How do you handle client confidentiality requirements?
We understand that legal practices operate under strict confidentiality obligations. We design our assessments to work within these constraints, reviewing data flows and policies without accessing actual client matter content. Our engagement letters include confidentiality provisions, and we can sign NDAs if required.
For Healthcare: Is HIPAA relevant in Norway?
GDPR is the governing framework for patient data in Norway, not HIPAA (which is US-specific). However, many principles overlap: minimization, security, access controls, breach notification. We apply GDPR requirements specifically to healthcare contexts, including Normen (norm for informasjonssikkerhet i helse- og omsorgssektoren).
Practical Matters
How do you handle confidentiality?
All client information is treated as confidential by default. We can sign NDAs for sensitive engagements. We don’t discuss client specifics without explicit permission, and we never use client data for our own purposes beyond delivering agreed services.
What happens if we disagree with your recommendations?
We provide expert advice; you make decisions. We’ll explain our reasoning, discuss concerns, and adjust if we’ve misunderstood your situation. Ultimately, you know your organization better than we do. What we won’t do is rubber-stamp recommendations we believe are harmful.
What if we need something you don’t offer?
If it’s adjacent to our expertise, we might expand scope. If it’s outside our competence, we’ll say so honestly and help you find the right provider. We’d rather refer you to someone good than deliver something mediocre.
Getting Started
What do you need from us to get started?
For initial scoping:
- Brief description of your situation and what you’re trying to accomplish
- Organization size and sector
- Timeline and budget constraints if known
- Any specific concerns or incidents prompting the engagement
How do we schedule an initial call?
Email HAL0zum@proton.me with a brief description of your needs. We’ll respond within 48 hours (usually faster) with availability.
What if we’re not sure what we need?
That’s normal. The initial call is designed to help us understand your situation together. We’ll ask questions, explore your concerns, and suggest what might actually help, including if the answer is “you don’t need a consultant for this.”
Contact
FTRCRP
Thomas A. Kleppesto
HAL0zum@proton.me
Ethics-first technology consulting
