Security Expert Interview Series: Aneta Podsiadla

We are excited to present the next episode of our Security Expert Interview Series where we had the opportunity to speak with Aneta Podsiadla. Aneta is an experienced Data Protection Officer with a demonstrated history of working across various industries, especially financial, IT, consumer goods, and multiple jurisdictions. We hope her inspiring story of entering the data protection field and her impact will encourage everyone, men and women, to go further in pursuing their careers in data protection and not settle for less. Now, enjoy the full interview below.

Security Expert Interview Series #17: Aneta Podsiadla

1. Everyone has their unique story to arriving at Data Protection Officer role. What is yours?

My fascination with data protection started when I was a law student, actively engaged in the works of the student association for human rights. I have spent hours doing research on the right to privacy as a human right. I have observed how over the years the right to privacy evolved and because of the technological developments have gained a new meaning and reshaped the right to data protection. Until now, academics and regulators have an endless discussion on the distinctions between the two rights.

At that time, it was obvious to me that I want to start an academic career and explore to greater extent field of privacy/ data protection. However, that has changed when I was offered a traineeship in the data protection unit at the European Commission, which was truly an eye-opening experience. I was stoked to be so close to regulators and supervisory authorities and working with them. I was very fortunate as at that time the revision process of the Directive 95/46 just started. I was given an opportunity to contribute to the process of making new law. This experience completely changed my perspective and made me want to move from theory to practice in data protection.

From then on everything happened very quickly, I took a data protection manager position at a high- tech association. I was working with one of the biggest tech players on the EU market. This experience gave me another perspective on data protection and how important it is to find a balance between strong protection of individuals and red tape hindering innovation.

In the past twelve years I have taken different roles in the data protection field. I gathered a lot of experience working for several sectors, across various jurisdictions and covering numerous roles within organizations. I believe I have made right decisions changing jobs and industries that broadened my perspective on how to look at data protection implementation and build an effective data protection program.

2. Was there a precise moment when you felt that you were a success in your field?

I am very proud of the fact that my knowledge and experience have been recognized by my peers when being invited as a speaker to conferences to share my expertise, joining expert groups at the European Commission, and serving as the board member for one of the largest privacy associations. In addition, I have been awarded one of the most prestigious scholarships in the academic world, namely the Fulbright U.S. Scholar Program for young researchers in the field of data protection.

However, what makes me successful in my daily life and when I feel fulfilled at my work is when I can find common solutions with the business and IT managers to data protection challenges. Solutions that don’t compromise data protection rights of individuals and at the same time achieve business goals. When working together as a team we can create win-win situation that is sometimes not easy, requires considerable effort and creativity on our side.

3. What TOP 3 soft skills do you think are most important for data protection experts?

Problem solving

The legal requirements are not always black and white and there are no fixed solutions on how they should be implemented. Therefore, the DPO should be open minded and creative to find suitable solutions together with the business.

Adaptability – We are facing constant change in the data protection field, new laws are multiplying across jurisdictions, courts decisions and guidelines from authorities shed new light on how legal requirements should be implemented. On the top of that technologies are evolving and pose new challenges. The DPO should be self- motivated and curious to learn about those developments. It is like a never-ending learning process.

Work ethic and integrity – The DPO may encounter difficult discussions with the management and the business, or even be under pressure to favour certain business decisions. In such situations, the DPO should in the first place ensure he/ she is able to fulfil the regulatory tasks. It will not be possible, if the DPO will not possess certain personal qualities such as integrity and high professional ethics. One of the key roles of the DPO is to foster a data protection culture within the organization and ensure compliance with data protection laws. The DPO should provide support to the business in understating the legal risks. Ultimately, it is the business who should take a decision based on the DPO proposals, not the DPO. The business should feel responsible for ensuring data protection in the organization.

4. What do you think, what are the most dangerous threats to the security of personal data on the Internet today, and how can we protect ourselves from them?

My answer is: internet users are equally one of the major threats to themselves. First of all, we are living in the world of oversharing. Even though the data protection awareness is rising, still people give away their data and details about their private life. They give up control over their data to get free access to online products and services. Moreover, they are short sighted and do not see the consequences of their online behaviour. On the other hand, companies should be more transparent and make it easier for individuals to obtain access to information about what data is being collected and how it is being used.

5. What are the greatest challenges that small businesses must overcome in relation to the EU GDPR?

I have observed that SMEs often experience challenges relating to gaining access to practical expertise. Even if SMEs decide to hire dedicated data protection resources, a significant shortage of trained and experienced DPOs remains an issue. On the other hand, those SMEs for which resources were not an issue, they still struggled to get a grasp on the legal requirements and translating them into new or revised processes and procedures.

6. One of the areas you are skilled in is Information Technology (IT) Law. In what way is technology itself impacting the practice of IT law?

One important aspect of the law making that industries are still fighting for is the tech neutrality of the new laws and regulations. Given the pace of technological developments, it is futile that law makers continue to regulate certain technologies. It is extremely difficult to predict what the future will bring. We cannot afford and ensure that laws will keep up the pace of those technological developments and still fulfil its objectives to ensure protection of individuals.

7. What are the things you have learned being a woman in information security?

First and foremost, there are still not enough women in this field and it is time to change it. My experience shows that working in mixed teams of both men and women gives you a better perspective on looking at issues, helps manage conflicts, enhances communication and problem solving.

8. What do you think we should be doing more of to encourage more women to consider a career in tech and information security?

I believe it is not about encouraging them but showing that information security is not only reserved for men. It all starts when you are a child, we need to show girls that they are equally capable of succeeding in this field and give them equal opportunities.

9. Anything additional you would like to add here which extends value to young information security enthusiasts?

Focus on gaining practical experience. Certificates and multiple academic degrees will not substitute having a hands-on experience. At the same time be kind to yourself, it is not possible to know everything. Data protection is a fast-growing field, and it is challenging to be on top of everything what is happening, especially if you work for multinational organization.

At some point in your career, you will notice that the more you know, the more you realise you do not know and that is fine. Do not be afraid of asking for help or a second opinion. Data protection is also a complex field, regulators do not make our lives easier and often pass legislation that is utterly confusing to many experts in the field.

In your daily work, you will be often challenged by management or co-workers etc., make sure to act with integrity. Propose solutions based on thorough risk assessments that is one of the foundations of effective data protection compliance. Refrain from taking decisions on behalf of the business.

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.