Livestreaming on 25 January 2024 as part of Data Privacy Day, Global Privacy Day brings together thought leaders and senior industry professionals to discuss the present landscape of data protection and privacy, and the current and future challenges that professionals face.
Jose La Riva acts as Data Protection Manager (Advisory) within Meta’s Office of the Data Protection Officer (ODPO). Leveraging a strong corporate/M&A background, Jose’s role involves advising on a variety of product-related topics and emerging privacy issues.
Below, Jose talks about his professional journey and introduces some of the key issues arising in his Global Privacy Day session.
N.B. The views expressed below are those of Jose La Riva as a Privacy Professional, not the views of Meta.
- Proficiency in Privacy Impact Assessments: Attaining Comprehensive Compliance Excellence - Thursday 25th January 2024, 12:30 – 13:00 GMT
Could you briefly outline your career so far?
My career journey began in 2012 at Baker McKenzie in the Latam region, where I worked as an attorney for nearly seven years. Even though my practice was initially focused on Corporate and M&A deals, I had the opportunity to support a number of Global IT clients from a privacy and consumer law perspective - that’s when I realized that Privacy and Data Protection was my (true) passion!
In 2018, after obtaining an Advanced LLM degree in Law and Digital Technologies from Leiden University, I decided to move in-house and joined Philips as their Privacy Counsel in Amsterdam. For almost four years I was the lead (privacy) counsel for Philips’ signature mobile apps and connected devices, and strengthened the business’ privacy set-up on multiple fronts. I was also heavily involved in the design and implementation of Philips’ data strategy, advising on topics such as AI and ML.
In 2022, I took a new step in my career and decided to join Meta as Data Protection Manager within the Office of the Data Protection Officer (ODPO). As part of my role, I advise on a variety of product and internal initiatives through the lens of a DPO. It has been a wonderful experience that has allowed me to look at privacy issues from new and challenging perspectives!
What does best practice with Privacy Impact Assessments (PIAs) look like, and what benefits do correctly executed PIAs deliver?
In my view, best practices in PIAs can take form in different ways, as they can relate to substantive, procedural or formal aspects of the assessment.
If we focus on substantive aspects of PIAs when taking the first steps of the assessment (where organizations need to describe the product/service being assessed, as well as its supporting processing operations), I believe that organizations should go beyond providing a high-level description of the product or service.
They should develop best practices to capture the key (technical and operational) elements that are relevant from a privacy perspective. Best practices can include supplementing the PIA with data flow diagrams reflecting the IT components and vendors in scope, as well as how the (personal) data is captured and flows through the different systems. Diagrams can help organizations to easily identify requirements, visualize where risks could materialize and design appropriate mitigation strategies.
In terms of benefits of correctly executed PIAs, I can think of benefits from at least two perspectives. From the perspective of the organization, I believe that a correctly executed PIA supports the early identification and mitigation of privacy compliance risks. This can help organizations meet business objectives (including product launches), minimize regulatory risks and safeguard their reputation in a competitive environment. From the perspective of data subjects, a correctly executed PIA ensures that their rights are timely and adequately protected, which can in turn foster trust and brand loyalty.
What are the primary challenges that organisations face as they bid to master PIAs and integrate them into robust privacy strategies?
I believe that every organization is different. Challenges may vary depending on the industry, size and maturity of the organization. In general, I believe that organizations could face challenges such as:
- Lack of a privacy-by-design culture, where PIAs are prepared too late in the product development cycle. This can result in the identification of risks once the product is already built, limiting opportunities to timely design and implement appropriate mitigation measures.
- Lack of collaboration and stakeholder buy-in, where privacy professionals find themselves working in isolation, without input and support from key stakeholders such as IT, Security, Engineering, Design, etc. This can result in inefficiencies and an incomplete or inaccurate view of the product or service being assessed.
Finally, I’d like to highlight that I’ve shared my thoughts on these questions based on my experience with Data Protection Impact Assessments (DPIAs) under the EU GDPR - noting that these are my personal views as a privacy professional, and not the views of Meta.
This session will equip participants with the knowledge and tools necessary to master PIAs and ensure thorough compliance. We’ll explore best practices, case studies and practical insights to help you conduct effective PIAs by mitigating risks and achieving a comprehensive understanding of privacy compliance.
Join us for an engaging discussion that goes beyond theoretical concepts, providing actionable strategies to excel in privacy impact assessments for robust compliance practices.
Also on the panel…
- Simon Pillinger, Head of Governance, Ethics, and PPI (DPO), Akrivia Health (Panel Moderator)
- Lisa Barksdale, Director of Privacy Compliance, Zillow
Proficiency in Privacy Impact Assessments: Attaining Comprehensive Compliance Excellence.
Time: 12:30 – 13:00 GMT
Date: Thursday, 25th January 2024