Security Expert Interview Series: Theodora Dragan

In this interview, we spoke with Theodora Dragan who is a Data Protection Officer, working for a Switzerland-based NGO dedicated to enhancing peace and stability in cyberspace. Theodora is very passionate about privacy and her main objective is to define strategies that reduce data risk and increase data value. To learn more about her thoughts continue reading the full interview below.

Security Expert Interview Series

1. Can you give us an introduction about yourself, Theodora? How did you venture into the data protection world?

I stepped into the privacy world as a fresh university graduate, back when the GDPR was only a proposed draft law. I was lucky to join a boutique law firm, one of the first in Italy that was specialised exclusively in privacy consulting. Back then, it was mostly big corporations that had the budget and the long-term view that warranted building a privacy compliance program before it was strictly necessary by law. Those big companies were running complex marketing and data analytics operations, so I was exposed very early on to a lot of the intricacies of implementing privacy requirements in a commercial context.

There was a clear tension between the companies’ desire to collect as much data about their customers as possible, and the GDPR principle of “data minimisation”, which forbids collecting more data than “necessary to achieve a purpose”. I saw the practical aspects of that tension unfold as I moved from the boutique experience to an international law firm and then to a multinational company in 2018, as one of the first people in the world to formally cover the newly created role of Data Protection Officer.

With every step of the way, I explored privacy from different angles. In my current role as DPO at the CyberPeace Institute, I am contributing to the global efforts of enforcing a cyberspace at peace for everyone, everywhere. 

2. Was there a precise moment when you felt that you were a success in your field?

In hindsight, there were many small moments when I certainly felt that I was being recognised in my field, for example when I started to receive invitations to international privacy conferences, or when recruiters were contacting me, offering me exciting job opportunities. However, I would not be able to single out any individual moment when I felt I was a success, and I think this has to do both with the incredible pace at which the privacy world is moving, as well as my own ambition that determines me to move the goalposts of success a little bit further each time I get too close to reaching them. It’s tempting to measure success in job titles, seniority, salary or awards, but there’s so much more to it.

There’s a lot of noise now in the privacy sector, as many people who had no idea of privacy pre-GDPR tried to jump on the bandwagon calling themselves privacy experts or thought leaders. Personally, I think true success is what happens when you put in a lot of focused, sustained work over an extended period of time. I’m excited to be on this path and I’m enjoying every step of the way so far.

3. What is your favorite part of working in the legal space, specifically covering data privacy practices?

I am very excited to see how data privacy is becoming increasingly relevant and is no longer relegated to the “afterthought” territory that it used to be in. Because I am passionate about lifelong learning, I find working in the privacy sector to be extremely interesting and rewarding. The privacy sector is one of the fastest-growing legal areas, and the speed with which new laws and guidelines are published keeps me on my toes all the time.

4. How have you seen the data privacy landscape change from a legal perspective over the past 2 years?

The biggest change was brought about by new privacy laws based on the GDPR model that came into force across the globe: from the California Consumer Privacy Act in 2018, to Brazil’s Lei Geral de Proteção de Dados in 2020, to Switzerland’s announcement of its long-awaited review of the Federal Act on Data Protection in 2020 as well. Even China joined the privacy arena, with its first draft of the Personal Information Protection Law, which was published for consultation last year. There is definitely a rapid legal development at global level, as states realise they need to update their privacy frameworks or risk being less competitive.

Last year, the COVID-19 pandemic pushed data privacy even further into the spotlight, with data protection authorities providing input on topics like remote working, contact tracing apps and digital vaccination passports. As work, school and social interactions moved to the online world, people used the internet to create closeness in times of social distancing.

There were numerous debates around whether employers should monitor employees, how universities would supervise remote exams, and whether national contact tracing apps were in line with the legal requirements. As remote working seems to be here to stay even in a post-pandemic world, privacy will remain a relevant topic for the foreseeable future.

5. We know that you previously worked in the tourism and travel industry and held the position of Data Protection Officer for 3 years. Please tell us what were some of the biggest challenges for a DPO, such as yourself, in the travel industry

I am incredibly grateful to have had the chance to start my DPO career in the travel industry, which is incredibly rich from a data privacy perspective.

First of all, the travel industry’s international dimension means that a DPO must be aware of privacy laws in many different jurisdictions, which poses an interesting challenge. As I was working in the cruise industry, I had to deal with issues regarding people of different nationalities, who had booked their holidays in different parts of the world and were boarding a European ship that was traveling to non-European destinations, crossing international waters. The internal privacy rules and guidelines had to be watertight in order to address all the potential issues related to personal data transfers, data sharing with local authorities, and compliance with local laws.

In addition to the challenges posed by its international dimension, the travel industry also requires companies and their DPOs to deal with a wide range of customer expectations and attitudes. Whereas EU residents are more aware of their privacy rights and welcome the increased transparency around the processing of their personal data, people located in other parts of the world may find such information annoying, unnecessary and disruptive of their holiday experience. Striking the right balance with every guest was quite a challenge!

6. What are the things you have learned being a woman in information security?

Working in information security you learn very quickly, whether you are a man or a woman, that communication is key. The biggest lesson I’ve learned is how to communicate about privacy in a way that is business-friendly. In the past, a lot of information security professionals would sell their services aggressively, by focusing on what could go wrong and how expensive the sanctions could be.

I’ve learned that it’s more effective to focus on the improvements that a strong privacy compliance program can bring, for example by keeping track of key metrics related to privacy compliance and collaborating with different teams to show how a good privacy policy can improve customers’ user experience on a website.

7. What do you think we should be doing more of to encourage more women to consider a career in tech and information security?

From my point of view, more should be done to ensure that qualified women do not self-select out of a job role. If I was in the position of recruiting and I wanted to encourage more women to apply, here are three things I would do:

  1. Better define the “need to have” vs. the “nice to have” criteria for a role, in order to avoid that applicants self-select themselves out if they miss one “nice to have” requirement.

  2. Publish information about a company’s commitment to equal pay for equal work should really be the norm but sadly isn’t. Studies have shown women are more likely to submit an application if they believe the company will treat them fairly (attention here, women do not want to be treated better… just fairly!).

  3. Avoid using biased words in the job description and stick to listing skills rather than personality traits. According to research conducted by LinkedIn, using terms in job ads that focus on competition over collaboration or requiring traditionally masculine traits such as “assertiveness” can subconsciously make female applicants feel excluded, and dissuade them from wanting to apply.

8. What advice would you give to women who may think information security is a more masculine profession and hence, not a suitable career path?

I actually used to believe that information security was a more masculine environment and I doubted whether I would succeed at first, but I was lucky enough to find mentors who taught me to focus on my objectives, rather than on the perceived obstacles. In fact, I was pleasantly surprised to discover that the privacy sector is actually more gender balanced than many other industries. According to a report published by the International Association of Privacy Professionals, there was an even 50-50 split between male and female professionals in 2019!

So, my advice simply is: don’t let anything stand in the way of your goals. Any career path is suitable and within reach, as long as you are passionate about it and willing to put in the work. Don’t let social constructs like gender or race get in your way.

9. Lastly, what trend(s) do you expect to see in data protection in 2021?

I think we will see more enforcement action being taken by data protection authorities, who took a small break last year during the first wave of the pandemic but are now back to issuing sanctions for non-compliance with the GDPR. For example, the Irish Data Protection Commissioner recently declared for the Wall Street Journal that it is on track to make draft decisions in roughly half a dozen privacy cases involving big technology companies this year, compared with just two last year. Considering that tech giants like Facebook, Google and Apple have their European offices in Ireland, it’s likely that those decisions will have a major impact.

In addition, I think we will also see more being done on the transparency front, with the goal of making privacy more accessible to individuals. For example, the Italian Data Protection Authority recently launched a call for submission of privacy icons that would help render privacy policies easily readable and understandable. Apple already debuted a “privacy nutrition label” concept aimed at informing the user quickly about the main privacy characteristics of an app at the point of download, and I think we will see more similar developments soon.

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.