
IC4 – Sr Data Privacy Analyst
Spin is FEMSA’s business unit that enriches and simplifies people's lives. It is an ecosystem of financial and digital solutions that creates added value by helping our users and communities make the most of their time and money. The Spin ecosystem consists of simple, agile, and accessible solutions that help our customers address everyday needs and receive rewards for doing so; such as the digital wallet, Spin by OXXO, the loyalty program, Spin Premia, and Spin Negocios, which offers various solutions for businesses, including NetPay and OXXO PAY.
Objective of the Role
Apply business knowledge and data privacy expertise, combined with technical skills, to ensure that all personal data is collected, inventoried, processed, masked, stored, and deprecated in accordance with data privacy laws, company policies, and industry best practices. This aims to ensure the implementation of defined privacy and data protection strategies while ensuring compliance with privacy laws/regulations such as LFPDPPP, GDPR, and other applicable regulations for the Business Units of Spin, considering privacy and security requirements for personal data.
Main Responsibilities
- Data Privacy/Protection Regulatory Framework:
- Develop and implement the data privacy regulatory framework, including policies, procedures, and guidelines in accordance with applicable privacy laws.
- Operate the Personal Data Management System (SGDP) and ensure compliance with the established parameters in each of its components based on the assigned scope and responsibilities.
- Manage Personal Data Inventory:
- Identify, map, document, and maintain the Personal Data Inventory up to date for the processes that collect, process, store, and transmit personal data within the BUs of Spin at least once every six months or annually.
- Analyze Risks and Controls of Personal Data:
- Conduct risk assessments and control evaluations on processes, processing systems/applications, personnel, vendors, and third-party services that collect, process, store, and transmit personal data to determine the level of compliance with privacy and data protection.
- Evaluate physical, technical, administrative, and legal security measures in the processing of personal data and their systems, considering internal guidelines, references, recommendations, and international best practices.
- Conduct a risk assessment and compliance evaluation of Data Processors/Controllers based on privacy/personal data protection requirements and their acceptance criteria.
- Manage Privacy Policy:
- Evaluate the design and compliance of Privacy Notices based on the requirements established in the LFPDPPP, its regulations, and related guidelines, as well as applicable international legislation such as GDPR, CCPA, among others.
- Assess the alignment of the Privacy Notice concerning categories, purposes of processing, and the transfer of personal data carried out in each of the Spin BUs.
- Evaluate the compliance and alignment of the Privacy Notice with respect to the rights of the data subject and their fulfillment.
- Monitor Personal Data (DLP):
- Analyze the flow of personal data (lifecycle), processing systems, and involved roles to identify risks of unauthorized personal data processing.
- Establish parameters/rules to maintain authorized processing and prevent the breach of personal data.
- Set parameters/rules to ensure the authorized processing of personal data and its flow through approved means.
- Data Governance:
- Address and evaluate the requirements for the processing of personal data within the Spin BUs, considering their purpose, scope, categories, parties involved, frequency, security measures (TFAL), compliance with principles, purpose of processing, and the deletion of personal data.
- Implement and execute data privacy initiatives within the Spin BUs, aligned with the Data strategy.
- Establish a robust classification system for personal and sensitive data, along with the necessary privacy controls.
- Analyze, identify, and ensure the categorization of personal data in accordance with the consent of its owner and the initiatives of the Spin BUs.
- Data Governance:
- Address personal data breaches arising from an identified/reported security incident or unauthorized data processing, analyze the situation/scenarios, and determine/propose an action plan.
- Prepare and formalize a personal data breach report considering the nature/origin of the data breach, category of breached personal data, preventive actions, corrective actions, and applicable sanctions.
- Address Privacy Requirements:
- Address requirements related to privacy and the protection of personal data.
- Collaborate with product development teams with a privacy focus and identify new uses of personal data, assess alignment with privacy notices, and notify/request legal teams to modify or update privacy notices if necessary.
- Implement and operate the data security management system (SGSDP) with the defined scope.
- Collaborate with the Product, Legal/Compliance, and IT teams to address privacy requests and ensure that communication consents, cookie consent mechanisms, and opt-out options are implemented correctly and in accordance with privacy laws/regulations.
- Manage Exclusion Lists:
- Have a comprehensive understanding of online and offline marketing practices, considering the implications for data privacy, and establish and implement related controls.
- Train and Raise Awareness:
- Develop materials/content related to the communication plan established for the Digital House (Data, Tech, and People).
- Create awareness and training material addressing the needs of the Digital House (Data, Tech, and People).
- Design materials, dynamics, and reinforcement workshops for key areas handling personal data.
- Implement/facilitate/provide training sessions for the staff of the Digital House (Data, Tech, and People).
- Address Authority Requests/Internal and External Reviews:
- Address information/evidence requests related to the operation and assigned responsibilities of the components of the Personal Data Management System (SGDP).
- Address ARCO Rights and Revocation:
- Analyze and evaluate the attention to and compliance with the rights of personal data subjects, and report results and action plans.
- Analyze Gaps (Gap Analysis):
- Validate or ensure compliance with privacy requirements in Privacy by Design practices across all initiatives at Spin and/or within product teams.
- Perform privacy impact assessments within new projects and existing ones.
- Execute the privacy audit plan to identify potential weaknesses and gaps and propose solutions to achieve regulatory compliance.
- Apply expertise in privacy regulations to our data processing practices to mitigate risks.
- Evaluate and Implement Continuous Improvement / Analyze Privacy Impact (PIA):
- Conduct privacy impact assessments on existing applications, new applications, and improvements.
- Address/implement action plans in the process of continuous improvement/ review/ internal/ external audits.
- Execute the evaluation of the Binding Self-Regulation Scheme regarding personal data.
- Promote an autonomous work culture by encouraging self-management, accountability, and proactive problem-solving among team members.
- Serve as a Spin Culture Ambassador to foster and maintain a positive, inclusive, and dynamic work environment that aligns with the company's values and culture.
Required Knowledge and Experience
- 5+ years of experience in privacy and data protection, data security.
- 4+ years of experience in risk management, privacy, security, compliance, operations, auditing, and/or finance.
- Comprehensive understanding of all facets of privacy throughout the data lifecycle, including the protection of personal and corporate data.
- Proven experience in creating or managing compliance programs within a technology or financial services context.
- Basic certifications issued by INAI regarding personal data handling in Mexico.
- Familiarity with data privacy laws and regulations (LFPDPPP and its Regulations, GDPR, CCPA).
- Experience with control frameworks such as ISO 27001 (desirable).
- Strong technical acumen, capable of quickly grasping technical details associated with privacy solutions.
- Comfortable working in a fast-paced, results-oriented environment.
- Ability to see the "big picture": end-to-end connections across privacy, data, and systems.
- Practical knowledge of laws, rules, regulations, risks, and appropriate data privacy compliance controls. Familiarity with privacy-related technologies such as cookies, mobile devices, biometric data, and geolocation data is desirable.
- Understanding of encryption mechanisms (data at rest and in transit).
- Excellent analytical skills with the ability to interpret complex regulations and apply them to practical scenarios.
- Proactive, detail-oriented approach to identifying risks, gaps, and areas for improvement in privacy compliance.
- Effective communication skills, both written and verbal, with the ability to articulate privacy-related concepts to various stakeholders.
- Ability to work independently and collaboratively in a cross-functional team environment while managing multiple projects simultaneously.
- Familiarity with data protection impact assessments, data mapping, and other compliance-related tools and methodologies.
- Capacity to think beyond the current state (processes, roles, and tools) and work towards an optimized and unobstructed design.
- Automation of policies and controls.
- Effective communication.
- Resilience.
- Analytical thinking.
- Agility.
- Time management.
- Proactivity.
Nice to have:
- Experience designing and implementing methodologies for privacy and data protection.
- Understanding of financial regulatory authorities and their role in data privacy compliance.
- Ability to design and implement KPIs/indicators for the Personal Data Management System (SGDP).
- Solid understanding of the use and functioning of Artificial Intelligence (AI) and its impact on data privacy.
- Knowledge of additional regulatory and best practice frameworks, including:
  - PAV (Privacy Accountability and Verification)
  - ISO 27701
  - ISO 27017
  - ISO 27018
  - Fintech Law (Mexico)
- Familiarity with Agile methodologies and their application in privacy and data protection initiatives.
Spin is committed to a diverse and inclusive workplace.
We are an equal opportunity employer and do not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, disability, age, or any other legally protected status.
If you wish to request an accommodation, please notify your Recruiter.