Luiz Oliveria on the Importance of Data Maps when Building Privacy Programs

What is your role and how does it relate to ensuring data privacy?

I'm a developer specialist focused on privacy and cybersecurity. It's part of my job to analyze and help the teams to build applications that are secure with less personal data as possible.

Tell us about your approach to building privacy programs

A privacy program needs to have people dedicated to building your privacy program and, for me, a DPO and a governance team to be good references for your company. After you get it, the people are always good to have a place where people can ask questions or search for an answer that has already been made.

Tell us about your approach to measuring and prioritizing data privacy risks

To measure, the best thing to do is create a data map that shows where your data is, so try to create automation from every part code, database, and contract. Knowing where your data is, you can define the risk by type of data, like who had access to this part, how easy is to create a dump and upload, which apps are using this data, and what are their security levels. 

What has surprised you the most about your privacy work? 

The size and depth of this area impressed me. Working in privacy is dynamic and ongoing. From a legal standpoint, new laws are surfacing, and we must adhere to them. Teams working on developing software continually produce new databases and applications that aren't completely privacy compliant. It's a never-ending task to detect these anomalies and capacitate teams automatically!

What are some challenges you have faced and how have you overcome them?

How to ensure that our existing data is privacy compliant is one of the main issues. The volatility and continual growth of our data make manual approaches nearly impossible. The data governance team's automation, the concentration of critical data in single databases, and team capacity building through internal training help us to continuously solve this issue.

Who are other stakeholder teams, and how do you engage and interact with them to solve data privacy concerns?

We have a DPO that gives us a lot of information and helps us manage data and how to be compliant in the organization, and a data governance team that helps us to create automatizations and improve our process to accomplish the next level.

For all privacy practitioners, privacy engineers and/or security folks out there, what are some best practices to share or pitfalls to avoid when trying to ensure data privacy?

My recommendation is to learn about the process and understand the maximum before starting to implement, you need a solid background to make the process and avoid the maximum exposure you can.

The best approaches, in my opinion, are to capacitate teams with data training, collaborate with cybersecurity teams to create policies to make data safe, and routinely audit your data.

Predictions - what do you see coming in 2023 for data privacy?

I think that would be some new regulations CCPA was the first one in the US, and this year some states will release theirs, another thing is the restrictions on website cookies, we live a long period of data tracking using this feature, and last year this type of use is going to be less common, but this doesn't mean that the company will not track your data this will be done in another way and everyone should be warned about it.

The last thing is about the jobs that are data privacy related these jobs will be more common in every organization in 2023, so expect to see more open positions too.

What’s one thing everyone who has a Data Privacy mandate should keep in mind during Data Privacy Day?

It's a work in progress, and your first solution won't be the last one you made, new regulations and concepts are being developed right now so changes will be necessary to your solution.