Before the General Data Protection Regulation (GDPR) became official in May 2018, I heard a similar story from many CISOs. Data privacy programs were legal exercises focused on data classification and governance. Yes, there were security angles around compliance, DLP, and incident response, but legal had oversight around which data was considered as private and what could and could not be done with sensitive data.
GDPR changed everything. Data privacy was no longer a background legal project but rather a set of business-critical processes, and this impacted the cybersecurity team. CISOs were asked to utilize their operational expertise to help operationalize data privacy programs.