
Interview Questions for Pasquale Esposito, DPO of the Year 2025

This article comes from Cybersecurity Luxembourg published in November 2025.


Pasquale Esposito, Grant Thornton's DPO, newly crowned DPO of the Year 2025 at the Cybersecurity Week Luxembourg (CSWL) Gala & Awards Night, is redefining data protection in Luxembourg.

Moving beyond the "compliance checkbox" mindset, he champions Privacy by Design as a strategic advantage rather than a legal burden. As ambassador for Luxembourg's DPO community, he is shifting the narrative: DPOs aren't gatekeepers; they're enablers of trust and innovation.

Q1. What does being named DPO of the Year mean to you, and how does it reflect data protection's evolving importance in Luxembourg's business landscape?

“I am truly honoured by this recognition, not only as a professional achievement, but as a validation of a mission and a vision that I bring to every DPO mandate: that data protection should be understandable to everyone, and implemented in a way that is proportionate, pragmatic and effective. Historically, the role of DPO has been assigned to colleagues in the legal or compliance department and sometimes without a clear understanding of what the DPO function entails. For a long time, it was seen as an administrative obligation rather than a strategic role. I believe that this recognition reflects a shift in that perception. It signals that organisations are beginning to understand the real value of the DPO not as a ‘necessary compliance checkbox,’ but as a bridge between legal, IT, and business functions.”

Q2. Could you share an example from Grant Thornton where embedding Privacy by Design created tangible value beyond compliance, delivering genuine competitive advantage?

“For me, Privacy by Design is one of the most fundamental principles of data protection because it is the first step of building privacy compliance. It ensures that compliance is achieved ex ante, by preventing issues before they occur rather than justifying or repairing them afterward. In practice, it means building systems and processes that render data breaches highly unlikely, for example by preventing the wrong email from being sent or sensitive data from leaving a secure network. Once information leaves, control is lost. That’s why Privacy by Design is more than a legal concept; it’s a philosophy of anticipation and prevention over reaction. When embedded into daily practice, it quietly protects companies, employees, and clients, turning privacy into a driver of trust, efficiency, and long-term value.”

Q3. As ambassador for Luxembourg's DPO community this year, what challenges or misconceptions about data protection would you most like to address? How can we shift the narrative from compliance gatekeepers to strategic enablers?

“Too often, data protection is perceived as a complex legal exercise reserved for lawyers. The DPO is sometimes seen as an isolated figure, a constraint, or even the person whose job it is to say NO to all brilliant new marketing ideas. I tell our clients we are not here to say ‘yes’ or ‘no’, but to guide them through the ‘how.’ For this vision to succeed, a DPO must be able to both define a strategy aligned with the organisation’s business objectives, and speak a language understandable to everyone, from the CEO to the trainee working in HR. Ultimately, this is not an individual mission. It’s a collective effort, where management is listening and IT, Information Security, and Legal collaborate to ensure people feel protected.”

Q4. With AI governance becoming central to Luxembourg's cybersecurity strategy, how should DPOs adapt their approach to ensure responsible AI adoption? What does effective AI governance look like from a data protection standpoint?

“The EU AI Act closely aligns with the GDPR. But unlike the GDPR, it does not establish a formal compliance role such as the DPO. This leaves organisations responsible for defining their own governance framework. Given the strong overlap between data protection and AI compliance, I believe the DPO is uniquely positioned to take a central, or even leading role in this field. Effective AI governance, in my view, should be built around a dedicated committee (adequately trained) that brings together the DPO, CISO, CITO, and Legal to oversee due diligence, risk assessment, contractual obligations, and training. This body should provide management with clear, actionable guidance while preserving an independent advisory role, similar to the DPO’s function under the GDPR.”

Q5. What key qualities should professionals or organisations prioritise when building data protection functions? How has the DPO role evolved beyond what many still perceive it to be?

“An effective DPO must combine deep expertise in data protection compliance with strong business insight, technical fluency, and the ability to translate complex regulations into actionable guidance. It is equally important to recognise that, sometimes, a DPO cannot ensure continuous compliance alone. Even a one-person support team can make a critical difference; success relies on close collaboration with Information Security, IT, and Legal/Compliance functions. By bridging compliance, operations, and strategy, the DPO can transform data protection into a source of trust and value. Today, the role extends beyond personal data compliance, encompassing oversight of all data flows, ensuring early involvement in projects, and monitoring evolving legislation across the broader digital landscape.”


Want to discuss the data protection function in your organisation? Contact Pasquale Esposito: pasquale.esposito@lu.gt.com

Learn more about our Data Protection and Privacy services.

With more than 340 people and 27 partners, Grant Thornton Luxembourg is a leading provider of Audit, Tax & Accounting, Advisory, Financial Services and Technology services for all types of entities in Luxembourg.
