IC4 - Sr Data Privacy Analyst
Spin is FEMSA's business unit that enriches and simplifies people's lives. It is an ecosystem of financial and digital solutions that creates added value by helping our users and communities make the most of their time and money. The Spin ecosystem consists of simple, agile, and accessible solutions that help our customers address everyday needs and receive rewards for doing so, such as the digital wallet, Spin by OXXO; the loyalty program, Spin Premia; and Spin Negocios, which offers various solutions for businesses, including NetPay and OXXO PAY.
Role Objective
Apply business knowledge and data privacy expertise, combined with technical and regulatory skills, to ensure that all personal data is collected, inventoried, processed, stored, and deleted in compliance with data privacy laws (LFPDPPP, GDPR, CCPA, among others), internal policies, and industry best practices. The role focuses on implementing and operating personal data protection management strategies and systems within Spin’s Business Units (BUs), ensuring full regulatory compliance and a Privacy by Design approach.
Main Responsibilities
Privacy Governance and Compliance
- Develop, implement, and maintain the privacy framework (policies, standards, procedures).
- Operate and monitor the Personal Data Management System (SGDP) and the Data Security Management System (SGSDP).
- Execute privacy audits, gap analyses, maturity assessments, and evaluations of the binding self-regulation scheme.
- Apply Privacy by Design principles in all initiatives and products.
Regulatory and Risk Management
- Conduct risk and control assessments on processes, systems, vendors, and staff handling personal data.
- Evaluate physical, technical, administrative, and legal security measures aligned with frameworks such as ISO 27701, ISO 27001, and ISO 31000.
- Address regulatory requirements, ARCO rights, revocations, and requests from authorities (INAI, financial entities).
Personal Data Inventory and Classification
- Identify, map, document, and keep updated the personal data inventory across BUs.
- Classify personal/sensitive data based on purpose, scope, consent, frequency, involved parties, and security measures.
Impact Assessment and Incident Response
- Perform Privacy Impact Assessments (PIA) on new and existing products.
- Analyze security breaches, generate corrective action plans, and prepare incident reports.
Third-Party Management
- Assess data controllers’/processors’ and third parties’ compliance with privacy regulations.
Collaboration and Team Support
- Collaborate with Legal, Compliance, Product, and IT on implementing consents, cookies, opt-outs, and privacy-related requests.
- Participate in agile and digital transformation initiatives with a privacy-first approach.
Training and Awareness
- Design and deliver training sessions, workshops, and awareness materials to internal teams (Digital House: Data, Tech, and People).
- Promote an autonomous organizational culture focused on proactivity and privacy.
Marketing and Opt-Outs
- Understand online/offline marketing practices and ensure adequate controls for personal data protection.
Mandatory Requirements (Must)
- Over 5 years of experience in privacy, data protection, and information security.
- Over 4 years of experience in risk management, compliance, auditing, operations, or security.
- Deep knowledge of the data lifecycle and its protection (personal and corporate).
- Experience in regulatory compliance within the tech or financial sectors.
- Basic certifications issued by INAI (Mexico) related to personal data handling.
- Solid understanding of LFPDPPP and its regulation, GDPR, and CCPA.
- Experience with control frameworks such as ISO 27001, ISO 27701, ISO 31000.
- Knowledge of the Mexican financial regulatory framework: Fintech Law, CUB, BANXICO, with a privacy focus.
- Experience in implementing and assessing SGDP.
- Ability to conduct PIAs, privacy audits, and risk analyses.
- Proficiency in legal, technical (cloud, architecture, databases, security, development), and business language.
- Ability to interpret complex regulations and apply them to real-world scenarios.
- Capacity to visualize end-to-end personal data processing flows.
- English level B2 or higher.
Desirable Requirements (Nice to Have)
- Familiarity with additional frameworks: ISO 27017, ISO 27018, ISO 42001.
- Knowledge of privacy technologies such as cookies, mobile devices, biometrics, geolocation.
- Experience in Cloud DWH or Data Lake environments and in evaluating their privacy controls.
- Experience working under agile methodologies.
- Knowledge of policy and control automation.
- Future-focused design thinking: process, tools, and role optimization.
- Strong soft skills: effective communication, resilience, analytical thinking, agility, proactivity, and time management.
- Ability to work autonomously and collaboratively in multifunctional, dynamic environments.
Spin is committed to a diverse and inclusive workplace.
We are an equal opportunity employer and do not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, disability, age, or any other legally protected status.
If you wish to request an accommodation, please notify your Recruiter.