I came to the data field in 2011, after the entry into force of the Mexican Data Protection Law. One of our clients received a verification visit from the Mexican Data Protection Authority (INAI). It was such a new topic that neither they nor we knew where to start. It also was one of INAI’s first actions, so the background and experience in this area was practically nil in Mexico. Although my work on matter was rather limited back then, I remained intrigued thereafter. Ever since I joined Gonzalez Calvillo back in 2010, the firm has maintained a significant tech client base who take internet privacy quite seriously. I have learned a great deal from our clients and shared their concerns and interest in the subject. As the GDPR was passed in 2016 the conversation changed completely, and I started to become even more specialised in data and privacy matters.
Career highlights so far include working with tech clients; I enjoy their mentality and I always learn so much from them. Personally, my involvement across different Gonzalez Calvillo’s diversity and inclusion initiatives has been a constant highpoint. Gonzalez Calvillo pushed for some time a great D&I agenda and the team involved is outstanding and passionate about the issue, and well informed. I’m glad to be part of Gonzalez Calvillo’s D&I committee and love feeling as part of the drive to advance programmes such as WGC Virtual Coffees, which are monthly virtual conferences with female speakers, and Gonzalez Calvillo Clusters, aimed at providing support and nurturing Gonzalez Calvillo’s women staff on a smaller scale.
In terms of challenges: even though Mexico’s Data Protection Laws came into force in 2010, privacy compliance culture in our country still has a long way to go. Some exceptions include the banking and insurance industries, which have been the focus of the data protection authorities in the recent years. But it remains quite hard sometimes to make clients understand the importance of data protection, despite the fact these laws provide for significant fines and penalties for breaches and violations. I don’t know if it is a cultural issue or lack of knowledge, but as data subjects, our awareness of privacy-related rights remains rather limited and many companies therefore, fail to focus on the issue.
In order to adapt to this, I advise clients that we cannot improve what we do not know is wrong. To be able to take adequate, privacy-forward business decisions, you need to know what the law and the industry require, but just as important, know the customers’ privacy expectations.
It may not be called a trend per se, but I always watch closely news on digital tracking technologies. We have all heard cookies are “dead” or “crumbling”. Truth is there are many other digital tracking technologies that are already in place and should be of concern to us. Keeping an eye on initiatives like Google FLoC, now replaced by Topics API, should always be a priority, so we can make sure we know and prepare (to the extent possible) for what will come next across digital privacy.
A piece of advice I would give aspiring data lawyers: Study and speak out, lean in. The first two go hand in hand together; some people tend to forget that the former is as important as the latter. Still, we should never ever stop learning and updating our knowledge, which is even more relevant in privacy/tech-related fields, as they are always advancing and evolving. As for the leaning in part, I know it sounds trite, but knowing my colleagues (many of them great friends) have my back and I have theirs and that we support each other, has made the good times better and the bad times bearable.