Spotlight on Women in GRC: DPO on GDPR, privacy culture and ESG 

In this episode of CoreStream GRC’s Spotlight on Women in GRC podcast, Lucy Montague sits down with the series’ first DPO, Lorraine Pinter, to discuss her journey from law into privacy, the evolution of GDPR, building confidence as a leader, and why data protection remains one of the most impactful and personally relevant areas of GRC.  The DPO’s podcast episode explores:  Starting your…

Esme Dyos Avatar

In this episode of CoreStream GRC’s Spotlight on Women in GRC podcast, Lucy Montague sits down with the series’ first DPO, Lorraine Pinter, to discuss her journey from law into privacy, the evolution of GDPR, building confidence as a leader, and why data protection remains one of the most impactful and personally relevant areas of GRC. 

The DPO’s podcast episode explores: 

  • How Lorraine transitioned from legal studies into data protection 
  • How confidence, public speaking and continuous learning helped her become a Data Protection Officer 
  • What it was like helping organizations prepare for GDPR back in 2017 
  • Why privacy is one of the most relatable and rewarding careers in GRC 
  • How privacy requirements vary across industries and global markets 
  • What the future of privacy looks like as AI and regulation continue to evolve 
  • How privacy professionals can make a difference beyond the workplace by supporting charities, schools and communities  

Starting your career in privacy and staying 

Learning privacy from scratch 

Like many privacy professionals, Lorraine originally planned to pursue a career in law. She entered data protection as GDPR was approaching implementation and quickly found herself helping her organization prepare for one of the biggest regulatory changes in recent history. With no formal background in data protection, she immersed herself in the discipline and helped design key privacy frameworks: 

“The company paid for me to go on to some training courses, get me up to scratch with data protection and the GDPR, which I loved. I really enjoyed. And when I came back to the organization, I essentially just, you know, went running with it. I helped them design their asset register. I helped them design their policies. I helped them design their training and deliver that training.” 

Lorraine Pinter, Data Protection Officer

Unlike today’s predominantly e-learning-based approach, Lorraine delivered training to large groups in person: “100 or so staff members”, allowing employees to ask questions and engage directly with emerging privacy requirements. 

This communication opportunity came early in Lorraine’s career. As Lucy notes:

“That’s really diving in at the deep end at the start of your career to be like, okay, I’m presenting in front of hundreds of people and teaching them something brand new. That’s really impressive.” 

Lucy Montague, Head of Marketing, CoreStream GRC

It demonstrates how exciting and challenging privacy work can be from day one of entering the field.

Why privacy is one of the most rewarding careers in GRC 

Privacy affects everyone 

What keeps Lorraine passionate about privacy a decade on is its direct connection to everyday life. Unlike many compliance disciplines, privacy affects everyone as both professionals and consumers. It helps privacy professionals understand how their own data is used while enabling organizations to build trust and accountability. According to Pew Research Center, 67% of Americans say they understand little or nothing about what companies do with their data. Lorraine, however, feels confident and empowered because of her role: 

“I understand how I want my data protected, as well as how the law requires us to protect people’s data.” 

Lorraine Pinter, Data Protection Officer

Privacy professionals sit at the intersection of business, technology and consumer rights, making it a career with both commercial relevance and social impact. Privacy offers opportunities across: 

  • Law 
  • Governance 
  • Compliance 
  • Technology 
  • Data governance 
  • AI governance 
  • Information security 

“You’re not only going to make an impact in the company, but it also feels like it has an impact in your life.” 

Lorraine Pinter, Data Protection Officer

How to step up into the DPO role as a privacy professional 

Lorraine’s career progression demonstrates that leadership often comes from embracing opportunities before you feel completely ready and remaining open to continuous learning. It also depends on having an encouraging, supportive network that creates the psychological safety to challenge yourself and take incremental steps forward. 

Lorraine built confidence through experience 

  • Leading training initiatives early in her career 
  • Delivering presentations to large audiences 
  • Running privacy clinics and training sessions 
  • Taking on increasingly visible responsibilities 

Lorraine credits public speaking with accelerating her career development. That’s consistent with wider leadership trends: a 2025 professional development survey found that 77% of top executives consider presentation skills crucial for career success. Public speaking not only builds confidence but also increases visibility, credibility and influence within an organization. 

She highlights the importance of taking speaking opportunities as they arise. Not only do they help refine communication skills, they also expand knowledge by requiring research and preparation:

“And so as I built that confidence, I realized that I feel confident now to take on a DPO role, [a data protection officer role], and I should just go for it and see what it’s like.” 

Lorraine Pinter, Data Protection Officer

Lucy notes when she saw Lorraine present during that time period, she saw a DPO in the making:

“I remember seeing you speak at #Risk London when you were doing a privacy talk and I just thought, God, she really knows her stuff. She’s really, really great. And it’s incredible to think that maybe you were thinking I’m out of my comfort zone here because you didn’t see me at all.” 

Lucy Montague, Head of Marketing, CoreStream GRC

Privacy across industries: different sectors, same principles 

A decade into her career, Lorraine has built a successful journey in privacy leadership across a variety of sectors, including telecommunications, retail, adtech, sport and technology. 

“If you’re happy to learn and ready to grow, you’re going to achieve.”  

Lorraine Pinter, Data Protection Officer

What privacy pieces stays consistent across every organization? 

Regardless of industry, organizations still require: 

  • Records of processing activities 
  • Privacy notices 
  • Privacy policies 
  • Cookie compliance 
  • Governance and accountability frameworks  

However, while privacy regulations remain consistent, each sector introduces unique challenges depending on products, customer data and regulatory expectations:

“There’s a lot of things that are similar because it is all from the same laws and they all cross over, but you apply different parts of it and you apply it differently depending on what you’re dealing with.” 

Lorraine Pinter, Data Protection Officer

According to the World Economic Forum’s Future of Jobs Report, employers increasingly value adaptability, resilience, curiosity and lifelong learning among their most important workforce skills as organizations navigate technological and regulatory change. Professionals who gain experience across industries are often exposed to a broader range of technologies, business models and risk environments, helping them develop these capabilities.  

In a previous Spotlight on Women in GRC podcast episode, former Pets at Home Head of Financial Controls talks about another key benefit of working in different sectors:

“I like change, you know, I thrive on change. So actually being in the same industry, I think I just get bored. So for me, it’s a way of keeping it lively because, you know, you might be doing the same thing. You might still be doing GRC, which is relatively generic, if you like, but actually applying it in different ways in a different industry, that’s where you get a bit of challenge and excitement.” 

Nikki Absolom, Tax Technology and Transformation Lead, IVC Evidensia

What’s next for privacy? AI, regulation and a changing landscape 

AI continues to dominate conversations across GRC, but Lorraine also highlights the importance of understanding broader regulatory developments, including changes to the UK’s privacy landscape and regulatory oversight: 

“So I know most people will say AI and that is true. But something that’s probably immediate for us in the UK, I would say is how is the ICO going to look like? Because we know there are changes happening there.” 

Lorraine Pinter, Data Protection Officer

How privacy teams can prepare 

Strong privacy programs continue to depend on: 

  • Effective governance 
  • Up-to-date policies 
  • Staff training 
  • Accurate documentation 
  • Consistent compliance practices 

As Lorraine states, the best way to prepare for change is to follow best practices and 

“be really good at your compliance and really on top of your policies.” 

Lorraine Pinter, Data Protection Officer

Giving back: Privacy beyond the workplace

How privacy work can help your community 

Outside of work, Lorraine uses her expertise to support charities and community organizations with privacy advice and guidance. She discusses helping local charities better understand privacy requirements and improve their practices:  

This support is becoming more important as charities face growing data and cyber risks. The UK Government’s Cyber Security Breaches Survey 2025 found that 30% of charities experienced a cybersecurity breach or attack in the previous year, affecting an estimated 61,000 organizations. Data from the ICO also shows that the charitable and voluntary sector experienced a 51% increase in reported data incidents between 2020 and 2024, compared with a 26% increase across all sectors. 

By helping charities strengthen their privacy practices, professionals like Lorraine play an important role in protecting the sensitive information of donors, volunteers and beneficiaries. 

“I really do enjoy now giving time back to people. So I quite enjoy offering time to charities. To sort of help them with their privacy, whether it be a local charity and advising on their privacy notice, helping them draft their privacy notice. And so I think just understanding the complexities of data protection has made me, I guess, want to help more.” 

Lorraine Pinter, Data Protection Officer

As a school governor and privacy advocate, Lorraine is also passionate about helping children and young people better understand their data rights and online privacy. 

“I would love to reach out to children in schools and explain how to look after their data.”  

Lorraine Pinter, Data Protection Officer

These examples demonstrate the power of privacy both inside and outside of work, and the fulfilment it can bring. 

Conclusion: Privacy leadership is ultimately about people 

From preparing organizations for GDPR to supporting charities and promoting data literacy, Lorraine’s career highlights how privacy extends far beyond regulatory compliance. Her story demonstrates that successful privacy leaders combine technical knowledge with communication, empathy and a genuine desire to protect people in an increasingly digital world.  

About Lorraine Pinter 

Lorraine Pinter is a Data Protection Officer with nearly a decade of experience helping organizations navigate privacy, compliance and data governance challenges. Beginning her career with a legal background, she entered the privacy profession during the lead-up to GDPR and has since held privacy leadership roles across telecommunications, adtech, technology, retail and sporting organizations. Today, Lorraine is passionate about privacy education, emerging technologies and helping both organizations and individuals better understand their responsibilities and rights around personal data.  

About the Spotlight on Women in GRC podcast 

Spotlight on Women in GRC is a podcast series created to continue the conversations sparked by the Women in GRC Awards and spotlight the diverse professionals shaping governance, risk and compliance today. Hosted by CoreStream GRC’s Lucy Montague, the series explores career journeys, leadership lessons and the trends transforming the GRC profession.

Condensed transcript of the episode 

Lucy Montague:

Welcome to Spotlight on Women in GRC, a podcast series created to continue the conversations sparked by the Women in GRC Awards 2026. Supported by CoreStream GRC, the series shines a light on the women shaping governance, risk and compliance. Today I’m joined by Lorraine Pinter, Data Protection Officer. Lorraine, thank you for being here.

Lorraine Pinter:

Thank you for having me.


Career journey & role

Lucy Montague:

Tell us about your role and how you got into privacy.

Lorraine Pinter:

I’m currently a Data Protection Officer and have worked in data protection for almost ten years. My route into privacy was quite unexpected. I originally trained in law and was completing my Bar exams when my organization identified GDPR as an upcoming priority.

They supported me through data protection training, and I quickly became responsible for helping the organization prepare for GDPR. That included building asset registers, creating policies, delivering staff training and helping the business understand what compliance would mean in practice. It was a fantastic learning opportunity and ultimately led me into a long-term career in privacy.


Implementing GDPR

Lucy Montague:

You were involved in GDPR implementation from the beginning. What was that experience like?

Lorraine Pinter:

It involved a lot of planning and education. We first needed to understand the regulations and assess where our organization had gaps. Then we designed training and worked with teams across the business to improve processes.

Unlike today’s e-learning platforms, the training was delivered in person to large groups of staff. It could be nerve-wracking standing in front of a room full of people, but it created immediate discussion and allowed us to answer questions directly. Looking back, that level of interaction was incredibly valuable.


Why privacy?

Lucy Montague:

What keeps you in privacy rather than moving into broader risk or compliance?

Lorraine Pinter:

Privacy feels personal. Everyone has data and everyone cares how it’s used. I enjoy being able to advise organizations while also thinking about how I would want my own data treated.

Privacy has also evolved significantly. I’ve seen the profession expand into areas such as AI, international law and emerging technologies. It’s a discipline that continues to grow and offers constant opportunities to learn. I also love that most people understand what privacy is and can connect with the work we do.


Working across industries

Lucy Montague:

You’ve worked across several sectors. How different is privacy across industries?

Lorraine Pinter:

The core legal principles remain the same. Every organization needs privacy notices, policies, records of processing and governance frameworks.

The differences come from the products and technology involved. Telecoms, adtech, sport and technology organizations all process data differently, so the challenges vary. Adtech in particular can be complex because of evolving technology and tracking mechanisms, while sporting organizations tend to have greater engagement with fans and consumers.


Becoming a DPO

Lucy Montague:

What helped you take the leap into a more senior DPO position?

Lorraine Pinter:

Confidence was a huge factor. Earlier in my career, I was encouraged to do public speaking, deliver training and run privacy clinics. Those experiences pushed me outside my comfort zone and helped me realize I was capable of taking on greater responsibility.

Seeing colleagues progress into DPO roles also made me realize that I was ready. Eventually I decided to apply for a DPO role, got the opportunity, and learnt quickly that growth comes from being willing to learn while doing the job.


Women in GRC leadership

Lucy Montague:

Why do you think there are still fewer women in senior GRC leadership positions?

Lorraine Pinter:

One reason may be confidence. Many studies suggest women are more likely to wait until they meet most of a job specification before applying, while others may apply earlier in their development journey.

There are also practical challenges such as caring responsibilities that can affect career progression. I’d love to see more flexibility, job-sharing arrangements and recruitment messaging that encourages people to apply even if they don’t meet every requirement. Those changes could help more women step into leadership positions.


Advice for graduates

Lucy Montague:

Why should someone consider a career in privacy?

Lorraine Pinter:

Privacy affects everyone. You learn how data is used, how your own rights work and how organizations can use data responsibly.

It’s also a very diverse profession. You can move into legal roles, operational privacy, security, compliance, governance or emerging areas like AI. It offers multiple career paths and allows you to make a real impact both inside and outside your organization.


Diversity in privacy leadership

Lucy Montague:

Do women bring a different perspective to privacy leadership?

Lorraine Pinter:

I believe diversity brings better outcomes. Privacy decisions affect a broad range of people, so it’s important that decision-making groups reflect the diversity of those individuals.

Different perspectives create stronger debate, challenge assumptions and ultimately result in more balanced decisions. That’s why diversity across leadership teams is so important.


Biggest privacy challenges

Lucy Montague:

What privacy projects have been the most challenging?

Lorraine Pinter:

Keeping Records of Processing Activities (ROPAs) updated can be surprisingly difficult because organizations change constantly.

Another major challenge is applying privacy laws to new and emerging technologies. When regulators haven’t yet issued guidance, privacy professionals need to carefully assess risks and determine how existing law applies to entirely new use cases. Adtech presented many examples of that challenge throughout my career.


The future of privacy

Lucy Montague:

What will shape the next era of privacy?

Lorraine Pinter:

AI will clearly play a significant role, but I’m also interested in the ongoing evolution of privacy regulation and the future direction of the UK Information Commissioner’s Office.

For organizations, the best preparation remains good compliance fundamentals: maintaining accurate records, keeping policies updated, delivering effective training and remaining proactive about privacy governance.


Giving back

Lucy Montague:

How has your career influenced who you are outside of work?

Lorraine Pinter:

Working in privacy has made me more aware of the challenges organizations face, which has encouraged me to give back to local communities.

I’ve volunteered my expertise to charities by helping them develop privacy notices and compliance frameworks. I’m also a school governor and would love to spend more time helping young people understand data privacy, their rights and how to protect themselves online.


Influences & recommendations

Lucy Montague:

Who has had a meaningful impact on your career?

Lorraine Pinter:

I’ve been fortunate to work with several excellent privacy leaders who have supported my development and encouraged me to grow.

For anyone entering the profession, I’d recommend building a strong professional network, attending industry events, following privacy podcasts, and engaging with law firms that provide regular privacy updates and educational resources. Networking and knowledge-sharing are invaluable in this profession.


Lucy Montague:

Lorraine, thank you so much for joining us and sharing your experiences.

Lorraine Pinter:

Thank you for having me. It’s been a pleasure.

Lucy Montague:

And thank you to everyone listening to Spotlight on Women in GRC. Join us next time for another conversation with the women shaping the future of governance, risk and compliance.

Frequently asked questions about privacy careers and data protection 

What does a Data Protection Officer do? 

A Data Protection Officer (DPO) helps organizations comply with privacy laws, manage data protection risks, oversee privacy governance and advise on the responsible use of personal data. 

Is privacy a good career? 

Yes. Privacy combines elements of law, governance, compliance, technology and risk management, offering opportunities to work across multiple industries while helping organizations build trust and accountability. 

How do you become a Data Protection Officer? 

Many DPOs begin their careers in legal, compliance, governance, security or operational roles before developing specialist expertise in privacy regulations, data governance and stakeholder management. 

What skills are most important for privacy professionals? 

Key skills include: 
Communication 
Stakeholder engagement 
Regulatory knowledge 
Risk management 
Problem solving 
Technology awareness 
Data governance expertise 

Why is public speaking important for privacy professionals?

Privacy leaders often need to deliver training, influence business decisions and communicate complex regulations to non-specialist audiences. Public speaking can improve confidence, visibility and leadership opportunities.

What industries hire privacy professionals? 

Privacy professionals work across: 
Financial services 
Technology 
Telecommunications 
Healthcare 
Retail 
Sport 
Education 
Government 
Charities and non-profit organizations 

How is AI affecting privacy? 

AI is creating new challenges around transparency, consent, accountability and data governance. Privacy teams increasingly play a central role in helping organizations adopt AI responsibly while maintaining trust and compliance. 

Why is GDPR still important? 

GDPR remains one of the most influential privacy regulations globally, shaping how organizations manage personal data, transparency, accountability and individual rights. 

  • Spotlight on Women in GRC: DPO on GDPR, privacy culture and ESG 

    Spotlight on Women in GRC: DPO on GDPR, privacy culture and ESG 

    In this episode of CoreStream GRC’s Spotlight on Women in GRC podcast, Lucy Montague sits down with the series’ first DPO, Lorraine Pinter, to discuss her journey from law into privacy, the evolution of GDPR, building confidence as a leader, and why data protection remains one of the most impactful and personally relevant areas of GRC.  The DPO’s podcast episode explores:  Starting your…

  • The future of GRC: what principles-based regulation means for GRC teams

    The future of GRC: what principles-based regulation means for GRC teams

    Key takeaways  Introduction: the GRC rulebook is getting smaller, as accountability grows  Ask any compliance officer what’s changed in their job over the last two years, and few will point to a single new regulation. They will point to something harder to pin down: a growing expectation that they explain and defend their own judgment, rather than simply follow a rule written by someone…

  • Board governance

    Board governance

    What is board governance? Board governance is the way a board of directors directs, oversees, and holds an organization accountable. It covers how the board sets strategic direction, challenges management, monitors performance, oversees risk and internal controls, and makes decisions in the interests of the organization and its stakeholders.  In governance, risk, and compliance (GRC), board governance…