The essential skills for a DPO, AI Regulation, and business resistance: an interview with Tatiana Zaplatina on what’s important for privacy professionals nowadays
- 28.04.2026
- Career
An interview with Tatiana Zaplatina, CIPP/E, CIPP/A, AIGP, DPT, AICP-E.
We often say that personal data protection does not begin and end with the legal side of things. Here is yet another proof. We spoke with Tatiana Zaplatina, a graduate of our programs and the DPO at Astra Linux. Tatiana is convinced that technical skills are not optional for a privacy professional. In this interview, we discuss what compliance becomes without an understanding of the technical details, and why companies are reluctant to bring their AI systems into compliance.
From academia to privacy: another way to start a career in the field
Tatiana Zaplatina’s story shows how a strong academic background can open doors beyond teaching at a university or speaking at conferences. It can also help build a career in some of the most cutting-edge technology niches.
“I used to be a lecturer and researcher, and I hold a PhD in law. That experience taught me to think systematically and to keep learning.”
Tatiana entered the privacy field at one of the industry’s defining moments: the adoption and entry into force of the GDPR in the European Union.
“Even before the Regulation took effect, I took part in the 20th Anniversary of the Central and Eastern Europe Moot Court Competition. We analyzed cross-border data transfers under Directive 95/46/EC. That is what first sparked my interest. Soon after the GDPR came into force, I joined an IT company with an EU presence and started working on real-life compliance issues under the new law.”
Moving into data privacy was not a sudden pivot. It was a natural continuation of Tatiana’s legal career.
“The real turning point was the GDPR coming into force and my participation in that competition. That is when I realized how this field brings together legal reasoning and technology, and how promising it is in the context of digital transformation. Working with personal data always felt like my path: dynamic, intellectually demanding, and constantly pushing you to grow.”
The less obvious skills every privacy professional needs: the technical side of privacy
Despite having hands-on experience, Tatiana decided to enroll in DPO Europe courses. The main motivation was to return to the international regulatory context and exchange experience with peers from around the world. But the Data Privacy Technology (a training session on the technical aspects of privacy, previously conducted by our team) and Artificial Intelligence Compliance Professional for Europe programs delivered more than a legal refresh. They gave her a deeper technical understanding of how things work in practice.
“It is extremely useful when you are implementing systems. Companies often face borderline cases. When you discuss them with IT or information security, their perspective can remain purely technical, while someone who focuses on legal requirements tends to see things differently.”
In Tatiana’s view, without a complete technical picture, it is hard to fully understand what is actually happening in a legal relationship. She gives a simple example: a website form submission. On the surface, it is just a click. Behind the scenes, an entire system makes requests to multiple servers across the internet. A data-transfer chain is built, and the system collects far more than name, email, and phone number. It often includes an IP address and many other data points that may qualify as personal data. In other words, the real dataset can be very different from what the input form suggests.
“This matters when you are drafting a document. One thing is to tell the user, ‘You use the website.’ Another is to say, ‘You use the site under these terms, and as a result we transfer your data to five more companies.’ The second approach is the right one because we know the system is branching. Ideally, we must tell the user their data is being transferred. That lowers the risk of a complaint.
And then someone comes to us and says, ‘You transferred my data unlawfully.’ We respond, ‘We did not transfer anything unlawfully. We provided this information upfront about how our service works. Look: the terms are spelled out here, we have a guarantee, we have a contract.’ Then we verify the whole chain end to end. We look at where the system is located, how it operates, we check vendors, we pull up contracts, and so on.”
That kind of technical depth makes it possible not merely to draft documents and publish them because “the law requires it”, but to make those documents actually map to real processes. They address what truly happens, including what happens after a user clicks a button.
The Data Privacy Technology training helped Tatiana look at familiar legal scenarios differently and see what is “under the hood” in real-world data processing. It is no longer an abstract “a user visits a website” or “an employee uses a phone”, but a concrete mechanism: how services are launched, how access is granted, what data is collected at each step, and whether anything unnecessary is being swept in.
This is also why things that once looked like mere bureaucracy become understandable and practical. For example, why a BYOD policy matters, why companies should issue corporate phones, and how device controls and usage rules should be designed. Tatiana emphasizes that key decisions are made not “on paper”, but at the level of system settings and access architecture.
Without technical understanding, those cause-and-effect links are not always obvious. With it, the big picture becomes straightforward: you need to see the process as a whole, understand it, and only then design requirements and controls.
Tatiana believes technical skills are essential for every privacy professional. Without them, it is impossible to build a sound compliance system or to get through a regulator’s inspection with confidence.
“Because if a regulator comes in with a serious request, the kind you see in Europe, with a detailed audit and a request to export data flows, you cannot respond correctly without technical understanding and real process knowledge. Formal ‘template replies’ will not cut it. You need to show the regulator that the company’s processes are designed and managed, not just existing on paper.”
Today, Tatiana’s professional focus is shifting toward AI governance. The Artificial Intelligence Compliance Professional for Europe course helped her see her new role more clearly: not just a classic DPO, but a specialist who connects law, ethics, and high technology.
“I have big plans around AI. Your courses changed my worldview. Before, I was focused only on personal data issues. Now I am focused on AI itself. It is difficult to train AI without a high-quality dataset. If we are talking about AI in hospitals, where a correct diagnosis is critical, we cannot train it only on synthetic data. The model will be irrelevant and simply useless. We have to balance the right to privacy with the right to human life, which is possible even under the GDPR. I want AI to be implemented properly and comprehensively. I would like to work in international markets where most of the technology is being built. I am also watching EU reforms with great interest, including the Digital Omnibus and the rollout of the AI Act. A lot of interesting case law is ahead of us.”
“A company has to be genuinely shaken by the consequences before there is real motivation”: AI regulation challenges
Since Tatiana’s career focus is increasingly tied to AI governance, we went deeper into the topic and discussed several issues that are particularly painful for specialists right now.
AI regulation today is where personal data protection was about ten years ago. The world recognizes the scale of the technology, but not everyone is ready for strict rules. Tatiana notes that the gap between the European approach and practice in other regions is becoming more visible. While Europe is adopting a risk-based model, many companies elsewhere still treat AI as a “black box” that does not require much oversight.
The key difference in the European approach is that it is systematic and predictable. The adoption of the AI Act was a landmark event. It established a clear hierarchy of AI systems based on the risks they pose to fundamental rights. In regions where dedicated legislation has not yet emerged, a legal vacuum exists, and companies are not always eager to fill it on their own.
“European countries have a clear understanding of what kinds of rights violations AI can cause and at what scale. They also have a clear system for classifying AI. In countries where that does not exist, whether China or the CIS, regulation remains largely at the state’s discretion. But I believe companies should implement internal policies even if direct legal regulation is not there yet. There should be governance standards that allow technologies to be deployed and configured correctly. This is a major advantage of EU law: they were first to adopt the AI Act, and they see the problem.”
Why does business ignore AI compliance?
Tatiana says one of the biggest issues is how casually businesses treat risk. Leadership teams often view AI adoption as a way to cut costs or reduce headcount, while overlooking the security of the data used to train models.
“Right now, companies see AI simply as a way to make work easier or reduce staff, focusing only on their own interests. But you should not start with optimization. You should start with proper configuration and bringing in the people who can secure the infrastructure.”
When there is no clear regulation, businesses simply do not take risks seriously.
“Business needs to feel the threat. If they do not see it, they will not deal with it. With AI it is the same as with personal data: until a company is publicly fined, until it takes a major financial hit, or until people stop buying its products, it will not truly internalize the problem. Many think, ‘Fine, we paid the penalty, but the profit is still higher, so we move on.’ A company has to be genuinely shaken by the consequences before there is real motivation.”
With this kind of complacency, companies also fall into a dangerous trap: losses can be much greater than the fine itself, and they may creep up unnoticed. Data leaks through AI agents or misconfigured algorithms might not show immediate impact. Instead, they can trigger a delayed wave of harm. And until the organization sees it, it lives under an illusion of safety.
“There is a huge gap between the leak itself and the consequences. If an AI system had access to insider information or client databases and sent that data to an uncontrolled cloud environment, the company might not notice right away. When the first warning signs appear, they are ignored. And when the damage becomes serious, it may already be too late. The company may no longer have the time, people, or money to fix it.”
“It is hard to talk about ethical AI when the company does not even have an access matrix”: on professional challenges and the drive to grow
For an AI compliance specialist, one of the main challenges is internal resistance. Initiatives around data protection and ethical AI are often seen as a brake on product development. Tatiana emphasizes that the specialist is working not only with laws, but also with business psychology, and sometimes with a complete lack of basic digital hygiene.
“I have seen organizations literally throw copies of passports out onto the street without even bothering to shred them. It is outrageous negligence.”
Low process maturity slows everything down. Specialists still have to take reality into account and build compliance not “by the book”, but in a way that is feasible in a given business environment.
“It is hard to talk about ethical AI when a company does not even have an access matrix for employees. Maybe at some point they will get there themselves. So you need an approach that fits companies at different levels of maturity.”
Some businesses lag behind due to their stage of development. Others, in pursuit of maximum profit, ignore user rights and neglect security measures.
“I constantly run into situations where business treats compliance as a limitation on efficiency. In those cases, I always work through risk calculations: possible fines, the cost of a project, and the likelihood of consequences. Unfortunately, sometimes companies ignore advice, and then consequences follow. But there is a silver lining: once the problem ‘blows up,’ people become more engaged. They start training employees and adopting policies. As long as sales are strong and nothing happens, everyone is happy.”
Tatiana considers this constant search for compromise between business interests and user interests the hardest part of the job.
“The hardest part of being a DPO is finding the balance between risks and regulatory requirements. It is crucial to understand business processes and build guardrails that ensure legality without getting in the way of growth.”
To handle compliance challenges and find those compromises, Tatiana highlights three key soft skills for privacy professionals: communication, analytical thinking, and empathy toward the business. Empathy helps you understand processes from the inside and build boundaries that keep things lawful while still allowing the business to grow and stay profitable.
No matter how difficult compliance work can be, the most important thing is to remember why it matters.
For Tatiana, the real value of working in personal data protection is the ability to bring order to processes and turn information chaos into a stable, transparent system. When processes improve, it delivers not only real results for the company, but also deep personal satisfaction for the specialist who helps lay the foundation for a more ethical technological future.
Conclusion
Tatiana Zaplatina is another specialist who, to our delight, shares the same privacy ideals as the DPO Europe team. Instead of formal replies to regulators, she advocates understanding the real mechanics of personal data use. Instead of a careless attitude toward complex technologies, she emphasizes protecting user interests even in places where someone might still “throw passport copies out onto the street”. You, too, can become that kind of specialist, contribute to society, and gain real satisfaction from meaningful work.