From privacy to multi-domain compliance: Takeaways from Empowering Privacy Germany

The privacy landscape isn't about one law, one team, or one function. You can’t afford to think in silos anymore. At Empowering Privacy Germany, a standout panel tackled the inevitable question: How do you evolve compliance from a single focus on privacy into a multi-domain function that covers data protection, AI governance, and cybersecurity?

The discussion brought together experts in the field who have navigated the shift from traditional privacy roles to integrated compliance leadership. They shared what has worked, what still creates friction, and how to build governance structures capable of managing increasing complexity. The result is a set of practical, ready-to-apply actions you can share with your team today to future-proof your compliance program.

The panel featured:

  • Dr. Philipp Räther, Group Chief Privacy & AI Trust Officer at Allianz
  • Catharina Glugla, Partner Data, Cyber, Tech & AI at A&O Shearman
  • John Harbison, Director European Region Product Privacy & Privacy Governance at Meta
  • Prof. Dr. Nikolaus Fargó, Head of Department at the Department of Innovation and Digitalization in Law at the University of Vienna 

Breaking down silos and redefining priorities 

As the complexity of compliance obligations increases, from DORA to the EU AI Act, the separation between company functions such as privacy, security, and IT creates gaps and inefficiencies. The panel concluded that a more holistic view of data risk is now non-negotiable, whether achieved by merging teams or by building strong, structured collaboration across them.

This shift is also redefining the role of data protection from a heavily process-driven function to one that enables digital resilience and compliant data use. Organizations are looking beyond the human rights lens of GDPR to reflect company values and stakeholder trust. As compliance expands to include AI, cybersecurity, and other digital regulations, governance is increasingly built into both strategic decision-making and product development. 

AI governance is about building trust 

Within this broader privacy scope, AI regulation was a central focus during the discussion. Panelists agreed that it is now inseparable from privacy and other compliance areas like IT architecture and third-party risk. For organizations like Allianz handling vast amounts of sensitive data, the stakes are especially high.

Any mishandling of this information could damage customer and employee trust to the point where they may choose to stop sharing their data altogether, a risk with direct business consequences. 

From this perspective, the EU AI Act can be seen as a trust enabler, similar to GDPR, urging companies to focus on accuracy, transparency, fairness, and the absence of bias.  

Building and protecting this trust also means keeping AI use cases within agreed boundaries. Catharina Glugla warned about AI “creepage,” where general-purpose AI systems quietly expand into new uses that may not have been part of the original risk assessment.  

She advocates for hybrid governance: a central oversight team supported by specialized experts who can keep cross-discipline projects aligned. 

From static rules to a compliance network at Meta 

Advances in AI demonstrate how regulations can feel static compared to the pace of technological change. The panel highlighted the need to move beyond simply putting policies in place and leaving them there. Compliance has to be “lived” and embedded into day-to-day operations, rather than being treated as a separate oversight function. 

John Harbison described how Meta’s approach has shifted in this respect over the last decade. What began as privacy oversight driven largely by legal teams has evolved into a network of specialized risk teams, each focused on a topic such as analyzing risk in products or building privacy technology.

The DPO function itself is now part of this network, with privacy being one pillar in a broader risk function. As Harbison put it, “The more integrated this network is, the better results you can expect.”  

The evolving DPO’s role: balancing independence with integration 

Merging risk and compliance functions inevitably raises the question of whether a DPO can still meet GDPR’s independence requirement. The panel agreed on the need for a more holistic role of the DPO.  

Clear separation can preserve impartiality, but it also adds complexity when frameworks overlap and different departments are working toward a shared goal. Integration, on the other hand, can work well if safeguards prevent other parts of the business from pressuring the DPO to approve risky activities. The nuance lies in how far to go with structural changes, and more frequent reviews of the GDPR could help keep this balance in step with the realities of modern compliance.

Alignment between regulators for consistent guidance 

From discussing internal structures, the conversation moved on to how alignment between regulators can influence a unified approach to data protection, AI governance, and cybersecurity.  

Overlapping mandates from different authorities create challenges for compliance teams. Some regulators in Germany are starting to align, showing that cooperation is possible. The panel shared a mutual understanding that this kind of coordination is essential and agreed it should extend across all digital regulators. Without consistent guidance, companies risk meeting one regulator’s standards only to be challenged by another.

The discussion also looked at the broader EU level. 

Rather than leave newer oversight bodies—like the ones emerging to enforce the AI Act—to start from scratch, experienced regulators could step in to support by sharing established processes and expertise. If experienced regulators are resourced appropriately, greater alignment can build on existing strengths and make regulatory implementation more consistent across jurisdictions. 

5 actions you can take right now  

Whether you are a DPO, compliance lead, or business stakeholder, here are the key takeaways from the discussion to share with your team: 

  • Map your risks across functions: Bring together privacy, cybersecurity, AI, and other compliance functions to see the full picture and identify gaps early 
  • Build AI trust into your strategy: Use the EU AI Act as a trust enabler, ensuring AI governance contributes to long-term business success as well as regulatory compliance 
  • Monitor AI scope over time: Revisit general-purpose AI system use cases regularly to make sure they still match the descriptions in your original risk assessment 
  • Embed compliance into daily operations: Move beyond static policies and integrate risk management directly into business and product development workflows 
  • Align governance with company values: Evaluate data and AI practices not only for legal compliance but also for how well they reflect organizational values and support stakeholder trust 

Implement a unified compliance program to future-proof your organization 

Compliance is expanding beyond privacy to encompass multiple domains, each with its own set of requirements and risks. At the same time, regulatory frameworks are increasing in number and complexity, and expectations for transparency are rising.  

The panel concluded that a unified approach is essential to managing these demands effectively. Achieving this means connecting teams, integrating governance, and building the skills and capacity to respond quickly to change. 
