Get an offer
Newspaper
Understand data privacy and ai without the noise
“My path into privacy started because a job forced me into it and because DPO Europe invited me to teach”: Tatsiana Sivukha on career growth, teaching on courses, and day-to-day work

“My path into privacy started because a job forced me into it and because DPO Europe invited me to teach”: Tatsiana Sivukha on career growth, teaching on courses, and day-to-day work

Tatsiana Sivukha

Interview with Tatsiana Sivukha,

CIPP/E, CIPM, CIPP/C, CIPP/US, AIGP, Privacy by Design.

Perseverance, the faith of loved ones, and the motto “Fake it till you make it” — these are the ingredients of the success story of this article’s guest, Tatsiana Sivukha. Tatsiana made a journey from a law graduate to a Senior Privacy Counsel position at the international company Bolt. And more than that: from someone who did not like the privacy field at all to someone who is ready to grow in it every day.

Where listening to people who believe in you can lead — and what the real tasks of a modern privacy specialist look like — in this interview.

Table of Contents

“Fresh blood”: from a student with no practice to working with Gucci

After graduating, Tatsiana started as a lawyer at an IT company where the legal team handled all issues without narrow specialization. While working on a project with Gucci, the team faced the need to understand personal data protection.

At first, this area did not inspire enthusiasm — simply because it was unclear. Gradually, there was no way out: they had to figure it out. After four months on the job, Tatsiana enrolled in the GDPR Data Privacy Professional course by DPO Europe. That became the starting point.

“The course was very systematic. And I’m a systematic person. I aligned with Sergey Voronkevich’s approach to learning, and that’s why I liked the act a lot. I understood it — and then I started to develop further and read on my own.”

The structured explanation and work with the instructor, Sergey Voronkevich, helped not only to understand the GDPR but also to fall in love with the field.

“At that moment I realized that I really liked it. It’s a very structured and clear area. There is one act, not a billion. I liked that there are clear rules. It was more understandable than the legal profession in its pure form,” Tatsiana recalls.

The diagrams from the course were especially useful — in particular, the controller/processor scheme. When right after training it was necessary to revisit roles in company contracts, Tatsiana returned to those diagrams again and again.

“Those diagrams later helped me read the controller and processor guidelines. I would return to them either mentally or on the board. Because the materials were systematic, it was much easier to look at it again and refresh it in my memory,” she notes.

Tatsiana’s first work tasks were about bringing everything into privacy compliance: developing a Privacy Policy and Privacy Notice, defining whether the company was a controller or processor, conducting a DPIA, and updating contracts with counterparties. The client app they worked with had a complex setup, which made the tasks even harder.

Can you master all of this on your own — from zero to serious practical tasks? Tatsiana believes you can, but with caveats. For a recent graduate with no experience, used to local laws, reading European acts is not easy.

“If people are beginners in the legal profession, or don’t think systematically, or don’t really understand how European laws work, it’s worth turning to a specialist who can help do it much faster and start your path. It’s better than sitting and regretting spending money on training — it always returns a billionfold, she is convinced.

That’s how the career began — taking Tatsiana from her first IT company to Flo and then to Bolt, where she continues working in privacy as a Senior Privacy Counsel.

“I most enjoy working on features that matter for the business — when you need to be creative and find the balance”: on career development and current responsibilities

A senior position is not a reason to stop. Work in an international company means constantly expanding your horizons as a specialist.

Right now the theory bounces off my teeth: I teach and constantly repeat the material. Teaching makes you reread materials 300 times, and you see them from a new perspective. Second is practice: you face GDPR situations in real time, apply articles, and understand their imperfections — where they don’t work and where they’re too security-invented and prevent many businesses (and sometimes users) from moving faster. Third — you can’t limit yourself to theory. To be a good practical specialist, you need to watch what’s happening in the world: what companies get fined for, what competitors do, how they approach the same issues. That doesn’t mean you’re a bad specialist if you look or borrow — on the contrary, it shows whether you think the same way. One specialist is good, two is better. It helps you understand how to do better or the same, because their approach may already have been tested by regulators. And lastly — continuous learning. I always have learning slots blocked in my personal time during the week where I read guidelines, news, and colleagues’ approaches on LinkedIn. It helps me stay on top of everything”, Tatsiana shares.

Preparation and constant learning from practice (other specialists and regulators) help solve difficult but common business problems: when you want to add functionality, but GDPR rules does not fully support it. In Tatsiana’s view, those tasks are the most interesting.

“The coolest thing for me is working on features that are important for the business, where you need to be creative and find a balance. A good specialist is not someone who says ‘we can’t’ — it’s someone who says ‘great idea, but let’s adjust it a bit so it’s working better’.”

In those moments, not only knowledge of the law matters but also understanding the technical side and the ability to work with product.

This is the most interesting part: you need to study technical details, use AI, understand architecture. I look at things not only from a compliance point of view, but also from Privacy by Design and User Experience. You have to be constantly updated on the product, sometimes acting as a product manager. I know every vertical of our products inside out. That makes the work interesting: you’re not just reading the law — like an engineer or product manager, you help create something.”

It’s important that, at the business level, privacy specialists are seen not as obstacles to commercial success but as allies who reduce risk.

At Bolt there is a good culture of treating privacy specialists as equals. When the design or architecture of the app is discussed, privacy always has a seat at the table alongside engineers and product managers.”

Resolving privacy-sensitive situations is rooted in risk management. Privacy needs to work with other specialists to assess project costs, expected value, compliance expenses, and the potential risks of non-compliance.

“It starts with a situation where you understand why the business needs a particular product, what improvements it makes to the user experience, what value it brings to the company, and how important it is. If the business assesses risks for a project while considering legal requirements — product managers calculate potential losses and profit, and the privacy specialist evaluates the risks of non-compliance.”

Tatsiana believes that a good privacy specialist — and a true business ally — needs more than knowing that the GDPR penalty can be up to 20 million euros. It’s important to understand how a specific regulator is likely to approach the issue and whether the potential non-compliance creates real risks for users and stakeholders. The assessment considers whether regulators have asked about similar functions, the likelihood of the risk materializing, and market context — whether competitors have faced similar questions and how “hot” the topic is at the moment. A fine is rarely the first argument in a conversation with the business: the process more often begins with explaining potential impacts on user experience and reputation, a reprimand, or a request to remediate. The privacy specialist’s role is to work with regulators and keep the balance of risks.

Article: GDPR sanctions: how fines are calculated and what other consequences do violations bring?

This article explains how regulators determine the price of business mistakes and what steps will help a company avoid appearing on the list of the loudest and most expensive breaches of the decade.
Learn more

But the job is not only creativity, product work, and risk calculations. The dreaded “paper” compliance — documented assessments — is exactly what Tatsiana enjoys least. Routine tasks are the least favorite.

“This is what I personally find frustrating, but it must exist — privacy assessments documented according to the rules. I would like all that documentation to give way to a normal legal evaluation mechanism, not five assessments for one feature the business wants to deploy. ‘Paper’ compliance should be practice-oriented, but in today’s legal realities it often looks like a checkbox — to prove compliance to regulators or during an audit. Inside companies, everyone usually looks at Jira tasks, design documents, short memos (so-called RFCs) written in human language — while business stakeholders find privacy assessments hard to read. That leads to assessments being made for privacy specialists and registered in a registry to meet the accountability principle. The goal for privacy specialists and regulators now is to combine assessments with business practice so that they are practical, useful for business stakeholders, and friendly to regulators who don’t know internal processes. I think sometimes assessment requirements are excessive: for example, for every small feature you have to answer what security measures are in place, even though they are the same across the whole company.”

Still, such tasks exist everywhere and do not reduce the desire to grow. Tatsiana continues to expand expertise not only in data privacy but also into AI — even though the entry into that area was also “forced”.

“My manager suggested I take on building AI compliance. I was happy because it’s exciting, but I was anxious because my bar was high and I didn’t understand much about the AI Act. But I felt that they believed in me and supported me. My team also works on InfoSec, NIS2, DORA — acts I knew even less than privacy — but we always believed in each other and supported each other in learning. I noted for myself that a privacy specialist shouldn’t limit themselves to privacy only. I started studying the AI Act with the same system as the GDPR: blocking time slots every day and learning. I passed the AIGP exam. When I was invited to teach the [AICP-E] course, at first (as usual) I didn’t believe in myself, but I prepared a lot. It ended up with me getting the gist of the act so deeply that everything went great both at work and on the course. My path began with a job and interest that forced me into it — and with DPO Europe inviting me to teach AICP-E. It’s important to remember: ‘fake it till you make it’ — then you won’t have a choice. People’s faith and your persistence lead to results.”

Even without fully established AI regulation, knowledge in this area already has to be applied in practice.

“Building compliance with the AI Act is easier than it was with the GDPR, because the AI Act is similar in its requirements — for example, FRIA or conformity assessments. I like that this act doesn’t yet restrict innovation. For most businesses there are no strict requirements there: transparency, ethics, and legality are already clear from the GDPR, and most of the act’s requirements are beneficial for product quality, ethics, and safety. If a business was acting ethically, nothing changes dramatically — it just adds work for the compliance team”.

At this stage, Tatsiana plans to stay in the same industry — ride-hailing, car sharing, and delivery — or adjacent sectors.

I want to keep developing my knowledge in privacy, AI, and information security. In addition, my goal for 2026 is to broaden my technical knowledge and understanding of User Experience. Despite a different opinion in the privacy community, I believe privacy is especially important in big businesses or businesses processing huge amounts of data. In startups, strict compliance in the form it exists today can unfortunately slow innovation — and that’s what regulators are trying to solve with the Digital Omnibus Act. In large companies, every piece of advice a privacy specialist gives carries huge weight, and it’s important to control the narrative, validate your advice and actions”.

“One of my students was an amazing trainer who now teaches courses”: on teaching

Tatsiana is not only a practicing specialist, but also a talented educator. Tatsiana previously coached people preparing for international certifications and now teaches the Artificial Intelligence Compliance Professional for Europe course. Tatsiana first tried working with adult students at DPO Europe. The head of learning in the team noticed Tatsiana’s ability to explain clearly and invited Tatsiana to become a coach.

I was inspired — I really wanted it inside. It was a bit scary, because I had just received the certification and had two years of experience, and people on the course sometimes come with much more experience. My loved ones supported me, saying that people come to me because I can explain well”.
Dive into AI compliance management

Join our Artificiali Intelligence Compliance Professional for Europe training to understand the EU AI Act and to start implementing it into your company’s processes and product.

aicp-e ticket

A deep understanding of theory and practice in international companies did not let Tatsiana down. Tatsiana’s success as an educator was noticed by Kseniya Laputko — a coach on the certification preparation programs.

She was an authority for me, and I was afraid to teach because she was there. Later we became friends, and she complimented me that I can ‘chew things up’ well. That’s when I realized I liked it. Thank you, Kseniya.”

Teaching skills were also useful at work.

Recently we created a privacy compliance team in Customer Support. They need constant training and support. I ran trainings for specialists without legal education. I needed to explain privacy aspects in a way that they could work without us. Although I prefer giving advice to the business rather than training colleagues at work, it was a great challenge — to teach people who don’t know privacy to work well in this field”.

That positive experience became motivation to aim higher in this direction. Tatsiana now plans to get a Master’s degree, defend a PhD, and teach at a Dutch university in top privacy programs.

Conclusion

This inspiring path from university graduate to Senior Privacy Counsel is a story of how continuous self-development and a willingness to teach others help not only to follow the law, but to build innovation alongside engineers. And the team is proud to have been part of that journey.

A few key takeaways from this interview:

🔹 Don’t be afraid of “forced” challenges. Persistence and the “Fake it till you make it” motto really work — and can turn unclear tasks into a favorite area.

🔹 Invest in development. High-quality training pays back many times over and helps you find the “right” job faster.

🔹 Stay curious. Going beyond once-defined tasks is what makes you an irreplaceable specialist.

Personal Data Protection Help and Support under GDPR and National Laws

We help establish systematic personal data protection practices through training and consulting services.

Personal Data Protection Consulting Services

Consulting services on data privacy according to GDPR, ISO 27701 and other international standards.

Learn more

EU Representative Service

EU Representative Services under GDPR is a pay-as-you-go service where representation is free during periods without data subject requests or communication with supervisory authorities. The service remains free if the company has not significantly altered its data processing practices since its onboarding process.

Learn more

Training — GDPR Data Privacy Professional

A fundamental course that covers all aspects of GDPR and teaches how to apply them in practice.

Learn more

Corporate Programs for Team – Wide Awareness and Privacy Department Operations

Privacy training programs for teams both in live online and e-learning formats with diverse level of depth. Customizable and interactive solution for fair price.

Learn more

Materials on the topic

AI for Data Privacy and Compliance Prompt Engineering for DPOs

AI for Data Privacy and Compliance: Prompt Engineering for DPOs

Read more
AI for DPO Record of Processing Activities Fill Case Study

AI for DPO: Record of Processing Activities Fill Case Study

Read more
AI Tools in Data Protection

AI Tools in Data Protection: Short Guide for Data Protection Officers

Read more

Reach Data Privacy & AI Compliance

Fill in the form and get a free consultation.

  • Implementation of 7+ legal frameworks.
  • Individual and corporate training on the GDPR, and international standards.
  • Development of personal data protection systems within organizations.
  • Custom services upon request.
Mail
What is GDPR — General Data Protection Regulation?
What is GDPR?

A full guide on General Data Protection Regulation or GDPR for short. Here you’ll learn what is personal data, what are the rights of subjects, how to comply with the regulation.

Learn more
Understand data privacy and ai without the noise

Contact Sales

Learn what Data Privacy Office Europe can do for you.

Fill out the form and we will contact you as soon as possible!