Security Expert Interview Series: Susanne Hofmann

We recently interviewed Susanne Hofmann as part of our ongoing Security Expert Interview Series. Susanne is an Information and Data Protection Officer at PwC Switzerland. She has almost 20 years’ experience as a Management Consultant, specializing in Ethics, Culture, Compliance, Criminal Law and Privacy, with a legal and business administration background and recent professional education in data protection compliance management and digital strategy. Now, enjoy the full interview below!


1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Susanne? How did you venture into data protection world?

Thank you for the invitation, it is a pleasure to share the experience I gained in the data protection world.

I have been working in the legal and compliance area for more than 18 years, including over 14 years as a management consultant at PwC Switzerland. As the leader of PwC’s Privacy & ICT Law Practice in Switzerland, I have specialized in information and data protection (Switzerland and EU) over the past six years, and have supported numerous companies, from banks and insurance companies to logistics and industry organizations to smaller SMEs and start-ups, in adapting their organization, documentation and processes to the new, sometimes complex legal requirements.

In addition, I am very enthusiastic about solving legal challenges while implementing innovative ideas, new technologies and digitization.

Since the beginning of 2021, I have held the function of Information and Data Protection Officer at PwC for Switzerland and Liechtenstein, with new, exciting challenges every day …

2. Can you discuss the evolution of people’s concerns about privacy and what do you think has changed in terms of these concerns?

Privacy affects all of us, whether as a private individual, as an employee or of course as an organization processing personal data. Data protection is often still seen as a blocker of digital innovation, but it is important to understand that applicable laws only show the limitations. When the main principles are known and followed, the risk is almost under control.

I remember not many years ago, privacy was a subject that was mostly neglected and was not on the top of the compliance agenda of organizations. That has changed, awareness of the public has increased significantly. Organizations are confronted with high expectations regarding a trusted and respectful handling of information, e.g. how, where and for what purpose personal data is processed.

Funnily enough, there is the privacy paradox, which describes the – at first glance – contradictory fact that private individuals are on the one hand worried about their privacy on the internet, social media etc., but on the other hand are not at all concerned and disclose personal data such as phone numbers, email addresses and photos on the net. The privacy paradox captures this drifting apart of attitudes and concrete action in the digital world.

3. What can we integrate into our daily tech habits to better protect our privacy?

… think before you click.

4. In your opinion, what must small and medium enterprises do now to protect themselves from GDPR warnings and build a strong long-term data strategy?

Small and medium enterprises (SME) should do their homework regarding data protection, and not perceive privacy requirements as a necessary evil or tick the box exercise, but as an opportunity to turn regulation into a benefit. A key side effect of the implementation of data protection requirements is that structuring data effectively will open new opportunities for further industrialization and digitization efforts.

Consequently, SMEs will be able to structure their processes more efficiently and effectively and avoid duplicated processes. It is recommended to include data protection, the ongoing developments and their implications in the organisation’s strategic planning.

To be specific, it all starts with the implementation of records of processing activities, which gives an overview of all data that is processed in the company and the associated risks. Following a risk-based approach, the necessary actions, such as processes regarding the data subjects’ rights or data breaches should be addressed and implemented appropriately. The stipulated data processing principles (e.g. accountability, data minimization, purpose limitation etc.) have to be observed when data is processed; it is recommended to document them in an easily understandable data protection policy so that all different divisions act in compliance.

All employees shall be trained regularly because all sophisticated privacy and IT security measures can be destroyed by a careless human mistake.

5. What are the biggest issues that organisations should address from a privacy perspective when they suffer a data security incident?

Based on my experience, it always starts chaotically when a data security incident is discovered. Nevertheless, a pre-defined protocol may help ensure that all relevant stakeholders are involved in the investigation at the right time. Privacy professionals should be involved right from the beginning so that not only security-relevant questions but also privacy issues can be addressed and included. With the proper information, the necessary legal steps can be taken quickly.

6. How do you stay up to date with industry news and updates regarding data protection and cyber security?

I have subscribed to several newsletters of various organizations, read articles, publications and blog posts from my network, and join conferences. In addition, the regular internal and external exchange with privacy and cyber professionals, as well as e.g. our CISO or CIO, always gives me new input.

7. Last question: what is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in data protection?

At first glance, data protection appears to be slightly boring and not fancy. As a cross-sectional subject, however, it is anything but monotonous. The key is to gain a thorough understanding of your company’s business model and processes. To be a “privacy nerd” is not enough to get the buy-in from business; the added value creates the impact.

It all comes with experience, so never stop listening, learning, and educating yourself.

Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.