From Web Development to Privacy-Compliance: An Interview with Yuliana Chelonenko on Implementing GDPR from Scratch and Why Management Skills Matter

Interview with Yuliana Chelonenko,

CIPP/E, DPM, DPT, AICP-E, certified expert in the implementation of ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 42001 management systems.

Time and again, GDPR proves it’s in a league of its own. It’s also the regulation that helped today’s interviewee reinvent herself, from a web developer into a “fairy” who can translate intimidating requirements into a clear project plan and still find common ground with a marketing team in full panic mode.

Yuliana Chelonenko, a graduate of our courses and now one of our trainers, stepped into the privacy world back in 2015, when “data protection” was still a niche topic and GDPR was barely on anyone’s radar. Over the past decade, she has gone from her first compliance project to implementing information security standards, AI standards, and teaching.

This piece is about why, in data protection, caring about people often matters more than knowing the legal text by heart, and why a management background can be the difference between a compliance programme that sits on a shelf and one that genuinely pays off.

A learning through experience in project management

Yuliana began her career as a web developer. For years she led a small team, and that experience became the backbone of everything she would do later in privacy. As she puts it:

“Over time, I realised I’m really good at building processes and organising a team’s work. In a couple of years, I streamlined the web department so well that we were even downsized, because efficiency went up.”

That success made it clear that project management came naturally to her, and working alongside an Agile evangelist only reinforced that instinct.

Her move into personal data protection was, in many ways, accidental. In 2016 she was handed a GDPR implementation project, one that nobody knew who should own or how to execute. At the time, there was almost no shared understanding of what “GDPR implementation” even looked like in practice. So she had to build the plane while flying it.

“It was a very cool learning through experience, because we were among the first doing this in 2016. There was no practice and no understanding in the world of how to implement something like this. We thought a lot about how to do it correctly and tried to interpret new concepts.”

The learning curve was steep. Once she got the assignment, she did the most straightforward thing: she opened the Regulation and started reading.

“I literally opened GDPR and started reading. I read it for about three days, and at the same time I wrote down what was clear and what wasn’t. A kind of plan started to emerge as I read. Then I reread the Regulation several times. I went through it line by line and underlined the parts that were open to interpretation.”

Even with “very cool experts” on hand, there were no off-the-shelf answers. Consultants often couldn’t give a definitive interpretation either. Instead, they helped her map options and trade-offs, and the risk that comes with each decision.

“They would say, ‘If you do it this way, you’ll have these risks. If you do it another way, you’ll have other risks. The final choice is still yours.’”

That’s where Yuliana’s technical background and management experience became a real advantage. She could translate legal language into engineering tasks and pick the option that made the most sense for the business, often the simplest one that could be implemented quickly without compromising the outcome.

The project was delivered successfully and on time, and the company could respond confidently to requests and position itself alongside organisations meeting international standards.

That win naturally led to the next step: the company created a security function, and Yuliana became its first compliance specialist. Right after that came a new challenge, ISO 27001. It was another baptism of fire: once again, everything had to be built from scratch. This time, at least, there was global practice to learn from.

The company obtained ISO 27001 certification, and the security function grew along with it. Over the following years, Yuliana led end-to-end compliance work, building deep hands-on experience.

Impostor feelings and discovering DPO Europe

Despite years of strong results, Yuliana still felt uneasy when she looked at other professionals on LinkedIn.

“For some reason, it really got to me that compliance specialists have a huge list of certificates and diplomas. It’s half a page long. And I had nothing. It felt like until I validate my knowledge with a piece of paper, I’m not at the level I’m actually at,” she admits.

It wasn’t about proving anything to others. It was about proving it to herself.

While searching for high-quality training, she came across videos by Siarhei Varankevich, and it clicked.

“Siarhei explained everything so clearly, structured it so neatly, and impressed me with how deeply he understood it all that I knew I wanted to learn from him.”

That led her to DPO Europe courses.

In 2023, she completed the Global Data Privacy Manager course. Even with a solid foundation, the programme gave her a real boost. It helped her not only absorb global frameworks and best practices, but also articulate and share her own expertise with peers.

She also gained access to practical tools for assessing an organization’s maturity and proposing clear, measurable steps for improvement.

Some tools weren’t immediately applicable. She introduced them as the company reached the right level of maturity, and they worked every time.

“You can’t always use these tools right away. Companies can be at very different maturity levels. But when you show a clear path from one level to the next, measure maturity, and then measure again, companies light up. For them it’s a ‘wow’ moment that motivates them to invest.”

The next step was earning the international CIPP/E (Certified Information Privacy Professional/Europe) certification. After passing the exam, Yuliana finally felt a long-awaited sense of calm and confidence.

“I got something important for myself, the certificate. And finally, I relaxed. I realised: I’m doing everything right; I feel I’m in the right place.”

For her, it was an official confirmation of what she had built over years of practice.

Today, Yuliana keeps pushing forward, especially into AI. When ISO 42001 (an AI management system standard) was released, she couldn’t ignore it. With her ISO experience, she took on the project and helped the company achieve certification.

Now she combines security and AI governance in her work, continuing to deepen her expertise. For her, it’s more than a job. It’s a chance to build programmes that “make history”, strengthen the business, and increase organizational maturity (and, ultimately, profit). Looking back on her path from developer to AI compliance specialist, Yuliana is convinced: if you genuinely like the field and aren’t afraid to take on hard problems, there’s no ceiling.

An architect of processes: why management is 80% of privacy success

For Yuliana, privacy is as much about people and processes as it is about law. It was her management experience that enabled her to deliver large-scale projects like GDPR and ISO 27001.

“I had to negotiate with a huge number of people, explain why it’s needed, understand how to do it, and then implement the legal requirements in practice.”

One of the hardest parts of the job is resistance from colleagues. Nobody enjoys extra work that looks like pointless paperwork, especially in technical teams. Yuliana remembers that engineers could get frustrated, and she couldn’t show up with a vague idea.

“Translating it into the language of development wasn’t always easy. The technical team wanted to know, very specifically, what needed to be done. It had to land as a concrete task, not an idea or a blurry requirement.”

Her technical background helped her do exactly that: turn legal obligations into clear, actionable engineering work, and choose practical solutions that were both effective and efficient.

The toughest pushback, however, came from marketing.

“Of course, the marketing team would say: ‘What do you mean we can’t collect leads? How is that? Why should I turn off this checkbox? Are you serious? That’s my whole job. We won’t be able to sell anything; everything will go wrong.’ We worked through that resistance, looked for compromises, and ran step-by-step experiments, carefully, over time.”

Still, she managed to become the person who can take scary-looking terms and rules and make them understandable and doable.

“That’s when you feel like a fairy magician, turning gold dust into a clear, tiny task for every employee.”

AI and privacy: a new world, new challenges

We couldn’t skip the topic of AI. As Yuliana notes, it’s now hard to find a privacy article that doesn’t mention AI-related risk.

Yuliana not only implements AI governance standards, she also uses AI actively in her daily work: generating content and images, analysing and structuring data, and experimenting with many tools.

But AI also brings new risks. In many cases, the way these technologies work makes it difficult to guarantee compliance.

“A lot of unintended effects come up. AI can work in unpredictable ways, and that makes it hard to be sure privacy is protected. It adds risks, and it adds fear.”

She also notes a big contrast between learning GDPR and learning the AI Act. She studied GDPR on her own. It was hard, but not scary. With the AI Act, she had a different baseline: she understood why it mattered, but the practical “how” was far less obvious.

That’s why she joined our Artificial Intelligence Compliance Professional for Europe course to discuss implementation with experts and get clarity on what compliance looks like in real life.

“It’s a completely different world. I don’t know if it’s harder or easier. It’s just different. Regulations are never easy to learn because they don’t have the concreteness that needs to land on the table immediately as a task. That’s the main challenge for a compliance manager.”

Teaching: returning to a childhood dream and the ‘echo effect’

Yuliana’s unique blend of technical experience and hands-on ISO implementation drew the attention of our training team. She is a great fit as a trainer.

For Yuliana, teaching isn’t just about transferring knowledge. It’s about fulfilling a childhood dream.

“Teaching was my childhood dream. In fifth or sixth grade, I played school with my friends. I sat them at a desk, gave them paper and a pen, and played teacher. I got enormous pleasure from it. What’s funny is they enjoyed it too, and those were kids who didn’t like going to school.”

Today, as a trainer on the Global Data Privacy Manager course, she feels that same energy. She loves the unpredictability: students bring real cases, ask unexpected questions, and interpret material in ways that can surprise even an experienced trainer.

“It’s amazing when it comes back like an echo. A student arrives with a new idea, and a live exchange happens. You come with your material, you think the session will go one way, and it goes another way. It’s fascinating to watch.”

Sometimes, students’ questions keep her thinking for days and lead to new insights.

She also enjoys co-teaching. She’s noticed that students respond differently to different teaching styles: pace, tone, and perspective. When the same topic is explained from two angles, it often clicks more deeply.

“I think it’s great for students to hear the same idea from two sides, with different depth and delivery. It definitely helps them understand better and remember it for a long time.”

Conclusion and Yuliana’s parting words

Yuliana’s story is a reminder that saying “yes” to new challenges can take a career in unexpected and rewarding directions. And to send you into your next project with a bit more energy, here’s a short message from Yuliana:

“Your past experience is the first step. It doesn’t matter what your background is, technical or legal. Any experience is useful, and most importantly, it moves you forward. I think the common denominator is caring about people. If you like this field, there are no barriers. Everything can be learned; everything can be figured out. You just need patience and a genuine love for your work.
If you’re ready to take risks, pick up new tasks, and untangle complex things, that’s where the joy, pleasure, and love for the profession live. Loving your work sincerely will take you as far as you want to go.”
