IC4 – Sr Data Privacy Analyst

SILMC - SERVICIOS INTEGRADOS DE LEALTAD, MERCADOTECNIA Y COMUNICACIÓN, S.A.P.I. DE C.V.

Spin is FEMSA’s business unit that enriches and simplifies people's lives. It is an ecosystem of financial and digital solutions that creates added value by helping our users and communities make the most of their time and money. The Spin ecosystem consists of simple, agile, and accessible solutions that help our customers address everyday needs and receive rewards for doing so, such as the digital wallet, Spin by OXXO, the loyalty program, Spin Premia, and Spin Negocios, which offers various solutions for businesses, including NetPay and OXXO PAY.


Objective of the Role

Apply business knowledge and data privacy expertise, combined with technical skills, to ensure that all personal data is collected, inventoried, processed, masked, stored, and deprecated in accordance with data privacy laws, company policies, and industry best practices. This aims to ensure the implementation of defined privacy and data protection strategies while ensuring compliance with privacy laws/regulations such as LFPDPPP, GDPR, CCPA, PAV, and other applicable frameworks for the Spin Business Units, considering privacy and security requirements for personal data, including cross-border transfers and regulatory alignment with financial institutions.


Main Responsibilities

Data Privacy/Protection Regulatory Framework

  • Develop and implement the data privacy regulatory framework, including policies, procedures, and guidelines in accordance with applicable privacy laws.

  • Define, implement, evaluate, and continuously improve the Personal Data Management System (SGDP), ensuring alignment with the privacy strategy and legal obligations.

  • Ensure privacy indicators (KPIs) are designed and monitored to evaluate SGDP maturity and effectiveness.

Manage Personal Data Inventory

  • Identify, map, document, and keep up to date the Personal Data Inventory for the processes that collect, process, store, and transmit personal data within Spin’s BUs, including systems, platforms, and third-party providers.

Analyze Risks and Controls of Personal Data

  • Establish and execute Privacy Risk Assessments, integrating methodologies aligned with ISO 31000 and other international standards.

  • Evaluate TFAL-based security controls and ensure consistency with the data lifecycle and potential impact.

  • Conduct compliance evaluations for third parties and service providers with privacy relevance.

Manage Privacy Policy

  • Ensure the development and continuous validation of privacy notices aligned with local and international legislation.

  • Align data processing purposes, data subject rights, and transfer frameworks across Spin's Business Units.

Monitor Personal Data (DLP)

  • Analyze data flows to prevent unauthorized access or misuse.

  • Establish clear rules to enable authorized personal data processing only via approved mechanisms and channels.

Data Governance

  • Define a robust data classification system, covering personal, sensitive, and confidential data categories.

  • Establish privacy controls and treatment rules by data category, system, or processing purpose.

  • Collaborate with cross-functional teams to embed Privacy by Design and Privacy by Default principles.

  • Handle privacy incidents and personal data breaches by analyzing, reporting, and mitigating risk.

Address Privacy Requirements

  • Provide support to product, legal, and IT teams in interpreting, applying, and enforcing privacy-related requirements.

  • Define and implement mechanisms for communication consents, cookie banners, and opt-out options in compliance with legal requirements.

  • Support privacy implications in digital transformation initiatives and product development cycles.

Manage Exclusion Lists

  • Evaluate implications of online/offline marketing initiatives from a data privacy standpoint and implement controls accordingly.

Train and Raise Awareness

  • Design and deliver targeted privacy training and communication materials, particularly for Digital House stakeholders (Data, Tech, and People).

  • Create engagement activities and workshops for key teams managing personal data.

Authority Requests/Internal and External Reviews

  • Attend and respond to audits, inspections, and formal requests from data protection and financial regulatory authorities (INAI, BANXICO, etc.).

  • Compile evidence and documentation for internal and external audits.

Address ARCO Rights and Revocation

  • Analyze, monitor, and report compliance with ARCO rights and consent revocation processes.

  • Participate in the design and execution of procedures for requests from data subjects.

Analyze Gaps – Gap Analysis

  • Conduct privacy gap analysis across systems, vendors, and processes.

  • Execute SGDP maturity assessments and support privacy program evolution.

Evaluate and Implement Continuous Improvement / Analyze Privacy Impact (PIA)

  • Lead the implementation of PIAs across new and existing systems and initiatives.

  • Propose and track action plans derived from audit findings, gap analyses, and maturity reviews.

  • Ensure documentation and evaluation of privacy controls in cloud-based architectures (DWH, Data Lakes).

Culture and Collaboration

  • Promote a culture of autonomous and responsible data handling across Spin.

  • Act as a privacy ambassador, aligning privacy culture with Spin’s overall mission and values.


Required Knowledge and Experience

  • 5+ years of experience in privacy and personal data protection.

  • 4+ years of experience in privacy risk management, data security, compliance, or auditing.

  • Deep understanding of national and international privacy regulations: LFPDPPP, GDPR, CCPA, PAV, etc.

  • Hands-on experience defining, implementing, and evaluating Personal Data Management Systems (SGDP) in complex environments, including KPIs.

  • Demonstrated ability to manage data privacy programs in regulated sectors such as financial services.

  • Experience in privacy audits and responding to regulatory authorities.

  • Strong knowledge of ISO 27701, ISO 27001, and ISO 31000.

  • Execution of Privacy Impact Assessments (PIA) and GAP Analyses using industry standards.

  • Solid understanding of the entire data lifecycle and ability to analyze and define end-to-end personal data flows across systems and third-party interactions.

  • Knowledge of cross-border data flows and required mitigation measures.

  • Strong business acumen with the ability to translate privacy requirements into actionable strategies.

  • Technical fluency in concepts such as data architecture, cloud platforms, database security, infrastructure, and application development.

  • Legal fluency to interpret regulations and contractual clauses and convert them into technical/operational solutions.

  • Ability to assess privacy controls in cloud DWH and Data Lake environments.

  • Excellent analytical skills with the ability to contextualize regulatory requirements in practical, scalable solutions.

  • Familiarity with tools for data mapping, privacy assessments, and automation of controls.

  • Effective communication, resilience, proactivity, time management, and agility.


Nice to Have

  • At least 3 years of experience managing regulatory compliance in the Mexican financial system (Ley Fintech, CUB, BANXICO) with a focus on data protection and information security.

  • Experience implementing SGDP within financial institutions.

  • Knowledge and execution of personal data inventory processes.

  • Active participation in digital transformation or product development projects involving privacy impact.

  • Familiarity with privacy-enhancing technologies (cookies, mobile data, biometrics, geolocation).

  • Experience with additional control frameworks like ISO 27017, ISO 27018, and ISO 42001 (AI governance).

  • Agile methodology experience (Scrum/Kanban) in privacy-related implementations.

  • English proficiency B2 or higher, with ability to read technical documentation and participate in cross-border collaboration.

Spin is committed to a diverse and inclusive workplace.
We are an equal opportunity employer and do not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, disability, age, or other legally protected status.
If you would like to request an accommodation, please notify your Recruiter.
