Livestreaming on 13 February 2024, #RISK Digital examines the changing risk landscape in a content rich, knowledge sharing environment. The one-day event sees over thirty expert speakers provide insight and guidance on how organisations can mitigate risk, reduce compliance breaches and improve business performance in the digital age.

Head of Privacy at Glovo, Mireia Martínez Campo is a lawyer specialising in Public Law, Personal Data Protection and Regulatory. She leverages over a decade’s industry experience accrued in Spain, the USA and Canada.

Mireia Martínez Campo will be at #RISK Digital to discuss the 2023 data breach suffered by genetic testing company, 23andMe, which affected the personal data of nearly 7 million people.

Below, Mireia answers questions on her professional journey and introduces the key issues of her #RISK Digital session.

Could you briefly outline your career pathway so far?

I started my professional career in Spain working as a lawyer at a large firm that specialized in public, regulatory and antitrust law. After five years, I relocated and gathered some international experience by working in Washington DC (US) and Montreal (Canada) for four years.

Then, I returned to Spain to work in a Big Four where I complemented my law experience with cases from a different perspective. In 2019, I joined in a big Swiss multinational pharmaceutical company as a corporate lawyer; that year, GDPR came into force and I stood up to take on the challenge of being the person responsible for privacy, own the implementation of GDPR and prepare for the ISO 27001 certification.

To that goal, I followed several courses, soaking up European Commission information, and attending many conferences. To close the loop, I completed a Master’s degree specialising in e-commerce and data protection.

Since then, I have been passionate about the world of privacy and its implications in digital law. Currently, I am responsible for privacy in a technology platform, where I strive to spread a culture of awareness and respect for personal data.

What does the 23andMe data breach event say about the average online user’s approach to data privacy, and what can people do to better protect their online information?

Users are steadily evolving regarding their sensibility about the protection of personal data, but there is still a long way to go. Just yesterday, a friend asked me how I felt about signing an authorisation for the recording and use of her child’s image rights. On one hand, this showed me that users are beginning to understand the importance of privacy protection, but on the other hand and when I explained the implications of this signature, I was surprised by the lack of knowledge that still exists on the subject.

In my opinion, users have little room for manoeuvre to better protect their online information and it should be the authorities and technological companies’ duty to facilitate the protection of users’ rights.

This should be done by simplifying processes and bureaucracy, and by deepening the spirit of the GDPR, which should be none other than protecting people’s interests and raising awareness about privacy and risks of new technologies. I believe that under no circumstances should the GDPR be intended to collect money through fines, and it should always be analysed on a case-by-case basis by assessing whether data controllers are being diligent.

What can businesses learn from the 23andMe data breach event with regards to optimising cyber security?

When faced with a security breach, it is very important to always be clear that the culprit is the attacker. While it is true that companies, in this case 23andMe must be diligent and have high security standards and privacy protection measures in place; the real problem we have in society today are the attackers (the hackers), and not the companies. 

Therefore, I do not like to “demonise” companies that have been “attacked” as they are the victims of the attack, but I prefer to advocate for joining efforts to fight cybercrime. A lesson to learn from the 23andMe security breach is to emphasise the importance of good coordination between corporate communication departments and privacy/security departments. Additionally, and in my humble opinion, some press releases issued by the company could have been improved.