Security Expert Interview Series: Anna Maria Tonikidou

We are happy to have had the opportunity to interview Anna Maria Tonikidou who is the Head of Data Privacy and Legal Counsel based in Switzerland. She shared her thoughts on the must-have skills a Data Privacy Officer should have and key trends likely to emerge in data privacy over the next 5 years. Continue reading the full interview below.

data privacy interview

1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Anna? How did you venture into the data privacy world?

Thank you for having me. It is a pleasure to share my experience.

I am the Head of Data Privacy at LEXR, focused on advising tech, fintech, and digital companies on their privacy compliance. I hold a Bachelor of Law from the University of Athens, and I gained Master’s degrees at the Universities of Heidelberg, Leuven, Chicago-Kent, and Zurich.

As a young professional, I was unsure which legal direction to choose. I worked in different legal areas until I realized that my true passion lies in data privacy, thanks to my collaboration with an ambitious Swiss startup. I am fascinated by the interplay between data privacy and new technologies. It is a rewarding challenge to find compliant solutions for complex high-tech projects which do not directly fall into the letter of the law.

2. What are the 2 must-have skills a Data Privacy Officer should have?

A Data Privacy Officer (DPO) often plays the part of the mediator between different departments. As in any compliance position, the DPO usually has to halt innovative marketing or tech projects due to compliance considerations. The DPO must work with a positive attitude and try to mitigate compliance risks without obstructing the work of their colleagues. The DPO must listen to their colleagues’ goals and strive to meet them by proposing clever and creative solutions.

Diligence is also essential. There are a plethora of sources and various local requirements. Therefore, the DPO must do diligent research and cover:

  • The European legislation (the GDPR, the ePrivacy Directive, etc.)
  • The jurisprudence of the European Court of Justice
  • The European Data Protection Supervisor’s Guidelines
  • The Art. 29 WP Guidelines
  • National supervisory authorities’ guidelines and opinions
  • Local laws and court decisions
  • Scholars’ opinions

As always, the devil is in the detail. The DPO must reconcile the differences between the above.

3. Considering the massive increase in cyberattacks, what do you believe will be the key trends likely to emerge in data privacy over the next 5 years?

The GDPR is vague when it comes to IT security measures. There is guidance, but it is often inadequate in light of the rapid developments in the technology field.

Self-regulation will be a crucial factor in the next five years. A single regulator cannot consider all the complexities of different industries and propose a uniform solution that we can apply to banks, insurance companies, and high-tech firms alike. Various industry players are proposing certification solutions, such as:

  • the Transparency and Consent Framework (TCF) in the adtech industry, or
  • the European Code of Conduct for cloud infrastructure service providers by CISPE, the Cloud Infrastructure Services Providers in Europe), as approved by the French data protection authority.

This trend is, in my opinion, a very positive development. Democratizing the regulatory process is an excellent way to ensure that the legislation keeps up with the current technological developments.

4. In today’s increasingly connected world, data theft made SMEs to feel overwhelmed at the danger posed. What is the advice you would like to share that will help small businesses protect their data?

There are small but meaningful steps that SMEs can take to minimize the risk of data theft, without setting up expensive compliance programs:

  • First, collect as little data as possible in the first place. Take a closer look at your processing operations and ensure that you do not collect any excess data.
  • Delete data as soon as you no longer need it. For example, there is no reason to keep copies of unsuccessful job candidates’ resumes for five years. Data storage for longer than required is against data privacy law and can expose you to risk.
  • Third, where possible, replace personal data with anonymous or at least pseudonymous data. If you run analytics or train your algorithm with anonymous data, you minimize attack vectors.

5. What can we integrate into our daily tech habits in order to better protect our privacy?

You can take some small but crucial tech steps to improve your privacy:

  • Train your employees to avoid public networks
  • Invest in a good antivirus
  • Ensure that you backup your data safely and regularly
  • Implement a best-practice password policy
  • Remarkably, the most significant cause of data breaches is not malicious attacks but human error. Therefore, train your employees to identify and report phishing attempts, report suspected incidents etc.

6. What foreseeable changes should Chief Executive Officers (CEOs) make to ensure they adhere to different customer data privacy regulations that are presently in place?

First, have an adequate privacy policy in place. Make sure that your privacy policy is in line with the GDPR, the current FADP, as well as the upcoming revision of the FADP.

Implement a cookie solution. This is a big pain point for marketing departments, as the information provided by cookies is invaluable. It would be best to implement a solution that reflects your cookie practices, boosts customer trust, and allows you to source data about your website users.

In addition, close any gaps in your IT security compliance. Invest in the latest technical measures.

Finally, train your employees. As mentioned previously, they are the most frequent source of data breaches.

7. How do you stay up to date with industry news and updates regarding data privacy? Feel free to share the sources/websites with us.

First of all, the most reliable sources of information are the authorities themselves. The most vocal ones are the following:

  • Swiss Federal Protection and Information Commissioner
  • French data protection authority
  • Bavarian data protection authority
  • UK Information Commissioner’s Office
  • European Data Protection Supervisor

The International Association of Privacy Professionals (IAPP) is also a reliable source of high-quality privacy resources – from webinars to blog posts, they are

8. Last question: what is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in data privacy?

Experience in the field is invaluable. Try to work alongside experienced professionals who are eager to mentor you. Strive to be involved in as many data protection projects as possible.

Apart from your exposure to data protection at work, invest time in your personal development. Attend webinars, read books, follow blogs, and don’t hesitate to ask questions.

Moreover, focus on understanding the business model of your customers of choice. Suppose you wish to collaborate with, among others, adtech, gaming, or blockchain customers. In that case, you should invest time to grasp the details of their potentially complex setups and the nuances of their industry.

Finally, the IAPP certifications can equip you for a career in privacy. If you wish to work in the field, you should consider taking their exams.

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview SeriesReach out to us for more information.