
Interview with Dr. Loredana Tassone – Managing Consultant at GRCI Law by Shauli Zacks

Shauli Zacks, Content Editor

Updated on: April 14, 2025

As data privacy regulations evolve and cybersecurity threats become more sophisticated, organizations need more than just legal advice—they need partners who can bridge the gap between compliance and practical implementation. That’s where Dr. Loredana Tassone, Managing Consultant and Head of EU and UK Representative Services at GRCI Law, comes in. Based in Brussels, Dr. Tassone brings over 15 years of cross-sector experience and a deep understanding of European law to help organizations turn privacy obligations into operational strength. In this SafetyDetectives interview, she shares her journey from the European Court of Human Rights to the forefront of data protection consulting, and offers insight into what it really takes to build effective, trustworthy, and future-ready privacy programs.

Can you tell us a bit about your role at GRCI Law and what drew you to the intersection of law, cybersecurity, and data protection?

At GRCI Law, data privacy is at the heart of everything we do. We’re a specialist legal consultancy, focused exclusively on helping organisations navigate the complex world of privacy, data protection, and cybersecurity. What sets us apart is the way we combine deep legal expertise with real-world technical insight to deliver practical, end-to-end support for GDPR and beyond.

As Managing Consultant and Head of our EU and UK Representative Services, I oversee our consultancy operations, service delivery, and the development of our expert consultant team. Based in Brussels, I help clients across a wide range of industries navigate complex challenges in data protection, cybersecurity and privacy matters, drawing on more than 15 years of experience in both the private and public sectors.

My journey into this field began with a passion for international and European law. I’m a qualified attorney in both France and Italy, and I started my career at the European Court of Human Rights and the Council of Europe. Those formative experiences gave me a deep understanding of privacy as a fundamental right, protected under both the European Convention on Human Rights and the EU Charter of Fundamental Rights. That conviction has guided my career – from advising on landmark privacy cases at the Court to leading capacity-building projects and now helping businesses build practical, real-world compliance programmes.

What drew me to this field was the opportunity to help organisations effectively implement the right to personal data protection in practice, not just in principle. The GDPR created a new paradigm – empowering individuals while placing real accountability on organisations. Helping businesses rise to that challenge is what continues to drive me. Over time, I’ve come to see that effective data protection is not just a legal or technical obligation – it’s a matter of trust, culture and organisational maturity. Those that embrace this build stronger relationships, reduce risk and create more resilient operations. At GRCI Law, we’re proud to help organisations lead that transformation.

GRCI Law offers a unique blend of legal and technical services. How does the firm help clients navigate today’s complex data protection landscape?

What makes GRCI Law different is how proactive and comprehensive we are. We’re not a traditional law firm handing you a checklist and walking away. We take a hands-on approach and work side by side with clients to implement real, sustainable compliance programmes. Our model blends legal expertise with technical understanding, enabling us to support clients across the full data protection lifecycle.

We provide everything from outsourced DPO services to GDPR audits, breach response, contract reviews, and training – all delivered by a team that understands both the law and the technology behind it. We help organisations not only understand their obligations but also build the systems, policies, and cultures that make compliance stick.

We’ve supported thousands of organisations from startups to global enterprises, and what we’ve consistently seen is that good privacy governance pays off. Clients with mature compliance frameworks experience fewer incidents, respond faster to breaches, and handle data subject rights requests more efficiently. Many of our long-term clients now report zero active incidents or unresolved DSARs – which speaks volumes about the power of doing privacy right.

When a company suffers a data breach, the response window is short and the stakes are high. What does a well-managed breach response look like from your legal perspective?

The best breach response actually starts well before a breach happens. It’s about building a culture of preparedness: having the right policies, procedures, and training in place so that when something does go wrong, you’re ready to act fast.

From a legal perspective, a solid breach response involves several key elements:

  • Quick containment and investigation of the incident,
  • A documented risk assessment, especially regarding harm to affected individuals,
  • Transparent communication with regulators and data subjects (if required),
  • And steps to fix the root cause and prevent recurrence.

At GRCI Law, we emphasise early risk identification. Our clients regularly test their incident response plans and train staff so that everyone knows what to do in a crisis. We also encourage involving DPOs and compliance teams early, especially in new projects involving personal data. Prevention is powerful, and preparation is everything.

With both the UK and EU maintaining their own privacy regimes, how can international organizations stay aligned without duplicating effort or missing key requirements?

The divergence between the UK and EU regimes can be challenging, but it’s manageable with a unified, adaptable compliance framework. Many organisations take EU GDPR as a baseline and then tailor certain components, such as appointing representatives or specific contractual clauses, in order to meet UK requirements.

We help clients create a unified compliance framework that works across borders. Because we offer both UK and EU representative services, we’re well-positioned to ensure seamless alignment. That means our clients can avoid duplicated effort while staying fully compliant on both fronts.

The key is continuous monitoring and refinement. Privacy laws evolve and your compliance programme should too. With the right strategy, you can stay ahead without being overwhelmed.

You work with a range of clients, from startups to large enterprises. What are some common misconceptions you encounter around data privacy or legal risk in cybersecurity?

One of the biggest misconceptions is that technical solutions alone are enough. Yes, strong security tools are essential, but they’re just one piece of the puzzle. Real compliance also requires organisational maturity, legal awareness, and a privacy-first mindset across the business.

Another myth is that privacy is a “tick-box” exercise – something you can set up once and forget. In truth, it’s an ongoing journey. Laws change, systems evolve, and so must your approach.

We often see confusion around lawful bases, especially with legitimate interests or third-party marketing data. Some businesses also underestimate the risks of international data transfers or neglect to put proper contracts in place.

We guide our clients through privacy-by-design principles, encouraging them to involve compliance early in product and service development, and to maintain updated documentation, conduct annual audits, and implement training and monitoring systems that ensure compliance lives in practice, not just on paper.

Looking ahead, what trends in regulation, litigation, or technology do you think will most impact how organizations approach privacy and cybersecurity?

We’re entering a new era where compliance isn’t just about having policies – it’s about proving that those policies actually work. There are several major trends shaping the landscape:

  • AI regulation, especially the EU AI Act, is redefining how companies approach profiling and automated decisions.
  • Cross-border enforcement and litigation are picking up pace – collective redress actions in particular are becoming more common.
  • Vendor risk and transparency will stay in the spotlight, as organisations must be clear on who’s processing their data and how.

Organisations will increasingly be evaluated not just on whether they have policies, certifications or audits in place, but on how effectively they are implemented. Ultimately, the winners will be those who can demonstrate operationalised compliance – not just talk about it. That kind of accountability builds trust with customers, partners and regulators, and serves as a real competitive advantage, especially in tenders or client evaluations.

At GRCI Law, we see privacy and cybersecurity as strategic enablers of trust. If you can show that you handle data responsibly from start to finish, you’re not just compliant – you’re future-proof.
