In this third installment of our Path to the Privacy Profession series, we sat down with Krete Paal, Chief Executive Officer (CEO) of GDPR Register. GDPR Register is an Estonian privacy startup helping European companies manage privacy through a practical, AI-powered platform. Krete has more than 13 years of legal experience, including 9 years focused exclusively on privacy. She is the former head of the DPO Office at Veriff, where she built the company’s global data protection framework. She has a double Master’s degree in Law and IT Law. She holds the CIPP/E and CIPM certifications from the IAPP and has been recognized as a Fellow of Information Privacy (FIP).
The below conversation has been lightly edited for clarity.
Q: You have a unique background, having been a former DPO who transitioned into an executive role as CEO. At the same time, the company you run, GDPR Register, is directly related to privacy compliance. So, you’re still very much “in the game” of privacy, so to speak. Was there a defining moment when you realized you wanted to move from “advising” to “building”?
A: It was a quiet realization rather than a dramatic turning point.
While leading the DPO Office at Veriff, I observed something: our clients had strong privacy teams, deep expertise, and genuine commitment. Yet much of their time was spent navigating spreadsheets, maintaining reactive documentation, and managing fragmented processes.
The expertise was there. The commitment was there. What was missing was infrastructure.
I began to understand that privacy did not need more advice–it needed better systems.
As Veriff’s management increasingly trusted me with decisions beyond compliance, I started thinking about the broader value I could create. I found myself drawn toward privacy engineering and system design, exploring how compliance could be embedded directly into operational workflows rather than layered on afterward.
This direction became concrete in mid-2023, when the founders of GDPR Register–Merlin Seeman and Toomas Seppel, attorneys from an Estonian law firm, Hedman Law Firm–approached me about leading the startup. They had been advising Estonia’s technology sector for over 30 years. Long before compliance became mainstream, they were supporting the country’s rising tech companies.
I often say I am lucky with the founding team behind GDPR Register. Merlin and Toomas were among the first legal experts in Estonia to recognize that privacy would become a central business enabler. Being entrusted to build on that legacy is both a privilege and a responsibility.
Instead of solving privacy challenges one organization at a time, I now have the opportunity to design infrastructure that supports many.
Q: Early on, was this something that you always were aiming for? In other words, when you first started your career in privacy, did you always intend to move into an executive role?
A: No, and I believe that has shaped my leadership style.
I started my career in privacy nine years ago because I genuinely care about protecting people and enabling responsible innovation. Over time, I became increasingly involved in product discussions, strategic trade-offs, and growth decisions. Privacy sits at the center of trust, and trust shapes business.
DPOs are often individual contributors. One thing that I came to learn was that to create real impact, you must learn to influence beyond formal authority and challenge the stereotype that privacy is a blocker.
That mindset became tangible when I served as the first DPO of the Estonian Police in 2019. Transforming perceptions of privacy in such an operationally intense environment required credibility, clarity, and strategic communication.
I was fortunate to have strong mentorship early on in the Estonian Police, which helped me understand that privacy leadership is not only about regulatory interpretation–it’s about relationship-building and influence.
Q: Looking at privacy from the opposite perspective, how has your experience as CEO changed your view about compliance? Did you have to unlearn anything?
A: It has broadened my perspective.
As a DPO, you dig deep to identify risk and ensure control. That discipline is essential.
As a CEO, you must also scan the horizon. Market shifts, capital efficiency, team momentum, customer expectations. All those things start to matter too. You carry responsibility not only for risk mitigation but for direction and growth.
I didn’t lose my attention to risk. But I did learn how to weigh it against growth and business priorities.
The real work is designing solutions that protect individuals while allowing organizations to move forward confidently. That balance has made me more pragmatic and more empathetic toward leaders navigating complexity in the uncertain times the world is currently facing.
Q: I guess the question then is, how do you do that? For example, how do you approach trade-offs between compliance, speed, and customer expectations?
A: Trade-offs are not about choosing between one or the other.
Earlier in my career, I instinctively wanted safeguards fully designed before implementation. Today, I see that responsible innovation and strong governance can evolve together–embedded directly into product development.
We approach trade-offs through clarity: What problem are we solving? What is the actual impact? Can we design a solution that preserves both trust and agility? As a product-led organization, we build based on real usage patterns, not theoretical checklists. One shift we are seeing, for example, is that companies no longer want more isolated tools. They want integrated data layers, where regulations become structured overlays on operational workflows.
That’s why, starting in 2024, we began extending the platform beyond privacy management toward a broader governance layer–connecting privacy with risk management, vendor oversight, information security, and AI governance. We’re taking a deliberately structured, layered approach, using guided workflows and AI-assisted tools to support teams while at the same time trying not to overwhelm them.
In practice, this means reducing the administrative burden on privacy leads and DPOs so they can focus on higher-value decisions. Earlier in my career, complex DPIAs could take months: coordinating with engineering on data flows, or waiting on security teams for safeguard details. Today, we want to enable privacy professionals to draft them in hours, giving teams space to address actual risks while still keeping operational compliance moving at scale.
Overall, regulation is not a separate function. It is part of business architecture.
Q: In what ways has being a former practitioner given you an advantage? Any disadvantages?
A: The advantage is empathy and precision. I understand the daily realities of privacy teams–the accountability, the expectations, the constant balancing act. We are building a platform I once wished I had. The greatest compliment we receive is when a client says, “You help us stay on top of everything.” That perspective shapes every product decision.
If there is a challenge, it is the tension between executing and refining. Practitioners understand complexity intimately, which can create a bias toward completeness over usability.
I have learned that simplicity is not the enemy of rigor–it enables adoption. True impact comes from solutions people can confidently use.
Q: Beyond the substantive aspects of product and compliance, in what other ways has your background helped you? For example, at a corporate strategy level, how has your background shaped product strategy and market focus?
A: Being a DPO in a global company requires anticipating regulatory and technological shifts six to twelve months ahead. That habit of forward-thinking has also helped me to shape our roadmap.
Our European focus is intentional. Europe operates within one of the most demanding regulatory environments globally. Building here requires rigor and creates a strong foundation.
Our thinking is that if you can build within Europe’s accountability framework, you can scale globally.
Today, we serve clients beyond Europe, including companies in Africa and the United States, with expansion toward Latin America underway. Privacy may begin regionally, but trust is universal.
Q: You’ve talked a lot about trust and accountability. How do you ensure privacy remains a strategic asset rather than a checkbox?
A: I think language and structure both matter. If privacy is framed as simply documentation, it becomes administrative. If it is framed as accountability and trust, it becomes strategic.
Our goal is not merely to help organizations complete compliance tasks. It is to provide visibility and structured oversight to leadership and auditors. To provide a concrete example, when privacy metrics are discussed alongside revenue, operational KPIs, and risk indicators, privacy becomes part of governance–not a side function. That shift changes behavior. And behavior is what ultimately defines compliance culture.
Q: What were the most valuable lessons you learned from building Veriff’s global data protection framework?
A: I think one lesson that really stands out from scaling Veriff from an Estonian scale-up to a global company is that policies don’t scale, ownership does.
Beautifully written policies were insufficient. What enabled sustainable compliance was embedding clear accountability structures across departments–from HR and Product to Engineering–turning privacy requirements into practical workflows and ensuring documentation reflected actual processes.
A second key insight came from executive alignment and strategic thinking. Working closely with leadership, particularly COO Indrek Heinloo, shaped my view of privacy as part of broader operational and commercial strategy. He challenged me to frame risks in business terms, prioritize by impact, and think ahead on complex issues. That mentoring really helped me mature from legal expert to strategic leader.
Finally, global frameworks must be adaptable, risk-based, and resilient. In practice, this means that they must be flexible across jurisdictions, aligned with business needs, and built to withstand audits, fundraising due diligence, certifications, and litigation. Ultimately, a global privacy program succeeds only when it becomes part of the company’s operating system.
Q: With AI newly emergent, how do you approach integrating AI into regulatory tools and software for your clients?
A: Years of translating regulatory language into internal controls gave me insight into where friction occurs. Regulations are abstract. Organizations need structure. One of our clients called it MVC, “Minimum Viable Compliance.” What they meant was that organizations need to establish a structured baseline before layering complexity. I find that framing insightful.
AI can bridge that gap by organizing documentation, identifying inconsistencies, and guiding users through complex requirements. But it must be transparent and controllable.
We design our AI implementations as an assistant, not an authority. Professional judgment remains central. Technology should enhance expertise, not replace it.
Q: You are listed as both GDPR Register’s CEO and Chief Product Officer. How do you balance both of those roles?
A: The roles require different lenses but share the same foundation: trust.
As CEO, I am responsible for where we are going. As Chief Product Officer, I ensure the product leads us there. The tension that occasionally arises–particularly around speed–is healthy. It ensures decisions are examined from multiple perspectives.
Structure is what keeps that balance sustainable. Holding both roles reinforces the principle that privacy is not a department; it is an executive responsibility.
Q: What advice would you give to experienced privacy professionals who are looking to move into a more executive role and progress further in their career path?
A: The first shift is internal. Many privacy professionals already operate at a strategic level, but do not necessarily see themselves that way.
If you want to move into executive leadership, expand your lens. Understand how your organization generates revenue. Learn how product roadmaps are prioritized. Observe how trade-offs are made under uncertainty.
Move from being the “guardian” to being the “architect.” Not only asking, “What could go wrong?” but also, “How can we design this well from the beginning?”
Curiosity is a strategic advantage. Speak with engineers. Study emerging technologies. Invest in structured learning and credible certifications–not merely for credentials, but for intellectual discipline. I am a huge champion of the work that Privacy Bootcamp is doing regarding training. I have used Privacy Bootcamp training for my CIPM certification prep and still to this day go back to the materials to get some fresh ideas. High-quality, well-curated sources are no longer just helpful–they are invaluable.
Finally, seek exposure. Present how privacy is an enabler in team meetings. Contribute to strategic discussions. Build credibility not only as a subject-matter expert, but as a business partner. Executives are responsible not only for identifying risk but for allocating resources and setting direction. Privacy provides a powerful foundation: structured thinking, accountability, principled judgment. What elevates you into executive leadership is proactiveness, commercial fluency and the ability to communicate in terms of impact rather than obligation.
Privacy professionals are uniquely positioned to lead in this era of technological acceleration. The progression into executive leadership is not about leaving privacy behind–it is about bringing its discipline, foresight, and integrity into broader decision-making. That is where real influence begins.
This is the third installment of our “Path to the Privacy Profession” series. If you think you have an interesting story to tell or would like to be featured, reach out to us at hello@privacybootcamp.com.