Security Expert Interview Series: Mathilde Canque

Our next feature is an interview with Mathilde Canque, Data Protection Officer based in Canada. Previously Mathilde worked as a Data Protection Consultant and in-house Counsel in Data Protection Compliance in France. Read the full interview below.

interview with data protection officer


1. Firstly, thank you very much for taking part in this campaign, Mathilde. Can you tell us about your professional background and areas of interest?

Thank you for reaching out to me, it is a pleasure to be part of your campaign and I hope sharing my experience and thoughts will help others to find their path!

It is during my master’s degree in business law that I discovered Data protection and the General data protection regulation (GDPR) in 2017. But my first experience in the domain was in 2018 when I have had the chance to help an in-house counsel implementing GDPR in her organization.

Since I loved this experience, I decided to study the subject with the Specialized master’s in management and protection of Personal data, delivered by the Institut Supérieur de l’Electronique de Paris (ISEP) (France), while working as a data protection consultant for a French consulting firm. It is during this same year that I wrote my professional thesis on the profession of DPO in an international context (Canadian-oriented).

I moved to Canada in 2019 and started working as a Data Protection Analyst for my employer’s clients before being nominated internal data protection officer. I am in charge of managing, improving and controlling internal Privacy and Data protection compliance with applicable legislation (i.e., GDPR as the Golden Rule, and particularities from Canadian or Switzerland legislation).  


2. You are currently holding the position of a Data Protection Officer. Is there a typical workday for a data protection officer and more specifically, what are some of your primary concerns on a daily basis?

Holding the position of a DPO is full of surprise and workdays are never the same. Also, it will depend on the maturity of the organization, and the risks that present its activities. B2B versus B2C businesses do not have the same challenges, neither do a manufacturing company versus a cybersecurity firm.

However, find below some daily activities:

  • Stay up to date with the applicable privacy legislations and review the Privacy and Data protection news to understand the new challenges, what happens in other companies and/or countries, etc.

  • Continuously improve the Privacy & cybersecurity culture within the organization. This is particularly important since I am working in a Privacy and Cybersecurity firm. An employee’s mistake, even if unintentional, could be fatal for the company.

  • Close work with internal teams – particularly IT, Legal and compliance, HR, Sales and Marketing – in order to stay involved in internal discussions that could involve the processing of personal data.

  • Regular risks assessment on new contractual relationships or processing activities and the adoption of the appropriate technical and organizational measures.

Moreover, as the DPO of a Canadian organization, the current discussion on the update of the Canadian Privacy legislation is a big concern, as well as the management of international data transfers. Indeed, after the EU GDPR entry into the application and the revelation of Desjardin’s personal data breach in 2019, legislators started to be particularly active on this subject. Big changes for Canadian organizations are to come! 


3. Would you say that you have had any barriers during your career and success as a female leader?

Gender, age, culture, personality… everything can become a barrier if let them decide for your career and success. So yes, I can say that, sometimes, I have been the subject to comments, words, or actions that I have had interpreted as such.

At first, I tried to manage these moments alone, by myself, because my problems are not those of others… “I am strong and independent, I work hard, I don’t need anybody to be successful in my career!” …

This only had contributed to growing my fears, until my emotional breakdown. This is how I learnt that I was not alone and the importance to share my feelings with the people I trust the most.

A member of your family, a friend, a colleague – you just need to open your eyes, and you’ll find the ones who will give you the advice, the confidence, the strength you need to do what is right for you. That way, you’ll see that you can become as successful as you wish, personally and professionally.

Well, at least, this is what happened to me and the way I chose to interpret it! It does not mean it is easy. Because I did not become a DPO in Canada without sacrifices. But this is what I wanted, and this is where I am now.


4. What are the most dangerous threats to the security of personal data on the Internet today, and how can we protect ourselves from them?

Let’s start with an easy definition of the “Internet”, found with a quick research on the Internet: “The Internet is a vast network that connects computers all over the world. Through the Internet, people can share information and communicate from anywhere with an Internet connection.” – Thank you, Google and Britannica.

In my opinion, the most dangerous threat is identified within this definition: you are the first threat for the security and protection of your personal data.

You may be feeling secure when you are at a coffee shop or a bar with friends, doing research on the internet to plan your next trip together. Or when you lie down on your bed, just before going to sleep, and you spend some time on your smartphone to go through your favourite social media, like the latest posts of your friends or share the article your colleague published yesterday on the importance of privacy and cybersecurity in this world.

Well, every time you spend on the Internet, you share your personal data!

Name, pseudo, photos, hobbies, job title, diploma, opinions, financial information, likes and comments, habits, localisation data… Whatever you do on the internet, someone will know! A family member, a friend, an acquittance, a stranger, a company, a hacker… Internet is public and the fact that you are behind a screen makes it even more dangerous!

So, it is important to keep in mind that the Internet is not secure and never will be. And it is our own responsibility to chose carefully what we do and what we share to limit the risks for our Privacy!


5. What key malware trends has dominated 2020 and what should we expect in 2021?

Even if I have a strong understanding of cybersecurity and its challenges, I am not an expert in this field. Therefore, I do not think my answer to this question will be interesting for you. However, this allows me to underline the importance, of a Privacy professional to work with other teams!

I often say that Privacy and data protection compliance can be parted into 3 equivalent expertise:

  • 1/3 is about Legal: Privacy and personal data protection requirements are defined in laws and regulations. The understanding of the laws is necessary to apply it correctly.

  • 1/3 is about Security: Security is one of the most important fundamental privacy principles and require the implementation of the appropriate physical, logical, and legal measures to protect personal data.

  • 1/3 is about Management: Implement privacy within an organization is an entire project that needs to be manage on a regular – if not day-to-day – basis.

Being a Privacy professional, such as a DPO, means you need to manage and control compliance, with an excellent understanding of Privacy laws and security best practices to protect personal data. In my opinion, management skills are mandatory, but you do not need to be a lawyer or cybersecurity expert and perfectly master all of this to do a great job. You only need to work closely with any related teams in your company. For me, one of them is the IT team!


6. Do all malware attacks need to be reported under the GDPR?

No, reporting malware attacks is not always mandatory.

First, GDPR applies only to Personal data breaches. In other words, the security incident – malware in this case – must impact personal data to fall under the EU regulation.

Second, GDPR distinguishes between two “reports”: the notification of the personal data breach to the supervisory authority and its communication to the data subject. For both, an assessment must be conducted in order to identify the risks that the personal data breach is likely to present to the rights and freedoms of natural persons.

In any case, every security incident should be assessed, and each personal data breach identify should be internally documented by the organization. The assessment will allow you to identify the necessity to report the breach to a supervisory authority or data subjects impacted by the breach.

In this subject, and if you are interested in this, I find that the European Data Protection Board (EDPB) did a great job with a list of examples regarding personal data breach notification (https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf).


7. What trends do you foresee happening in data protection landscape over the next 3 to 5 years?

Privacy and personal data protection landscape is constantly evolving, due to the apparition of new technologies and new malware, the disclosure of new personal data breaches, major events such as the Covid-19 Pandemic or federal elections, court decisions such as “Schrems II” which ended the US-EU adequacy decision in 2020.

So, I would love to have an answer to this question, but I barely am able to foresee what could happen in 1 year, even 6 months. But this is also the beauty of my job!


8. Where do you go for inspiration or resources that you use in your own development?

I am always looking for new opportunities to discuss with my peers.

In this regard, the IAPP (International Association of privacy professionals) offers lots of resources and network events! The association do an excellent job to help privacy professional to stay up to date and allow them to meet through the regional event, virtual roundtable, congress… And they did a really good job during the Covid-19 Pandemic!

I also recommend looking for the national Privacy and data protection association.


Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview SeriesReach out to us for more information.