In this Volunteer Spotlight, The Privacy Advisor caught up with Luis Alberto Montezuma, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP, deputy assistant to the chair of Colombia’s Data Protection Authority and Superintendent Delegate for the Protection of Personal Data of the Superintendence of Industry and Commerce.
In his role, Montezuma provides advice to the DPA's chair on issues related to the protection of personal data in Colombia, data protection regulations and cross-border transfer rules. He also serves as a member of the IAPP Privacy Bar Section Advisory Board and is co-chairman of the IAPP Bogota, Colombia KnowledgeNet Chapter. Montezuma touches on the origins of his work, the current data protection landscape in Colombia and what drives his passion for the topic of data protection.
The Privacy Advisor: When did you first get interested in privacy and data protection, and why were you drawn to those topics?
Montezuma: I got interested in data protection and privacy 10 years ago. In fact, I started my career directly in the protection of personal data and privacy responding to claims filed (approximately 400 per month) against the largest consumer credit-reporting agency in Colombia before judges and courts. I won the cases filed before Colombia's Constitutional Court, and at that time, I realized the importance of data protection for both data subjects and organizations as a whole and decided to focus on data protection regimes, including the international data flows.
The Privacy Advisor: What issue involving data protection bothers you the most and why?
Montezuma: Currently, organizations are working on machine learning, artificial intelligence, big data and the fourth industrial revolution. However, they continue to fail to comply with the data protection principles and data subjects' rights. The problem here is that organizations believe they are protecting personal data, but they are not integrating data protection into processing activities and business practices starting at the design stage right through the lifecycle.
The Privacy Advisor: Could you tell us about your current work and your thoughts on the status of data protection in Colombia?
Montezuma: Colombia has aligned its data protection model on a hybrid approach (comprehensive and sectoral). The sectoral regulation, Law 1266 of 2008, takes into account the U.S.-style comprehensive credit reporting system. In contrast, the comprehensive regulation, Law 1581 of 2012, takes into account Directive 95/46/EC, replaced by the EU General Data Protection Regulation. Both regulations seek to ensure lawful and fair processing of personal data. Although Law 1581 has not been updated to catch up with the GDPR or the California Consumer Privacy Act, the accountability principle empowers organizations to implement those measures, practices and procedures set out in the GDPR, such as data protection impact assessments, privacy by design and privacy by default, data portability and others. This will allow them to demonstrate compliance with the law to Colombia’s data protection authority.
However, the authority has ordered organizations to: Establish and implement, and thereafter maintain, comprehensive privacy programs; Establish and implement, and thereafter maintain, comprehensive information security programs; Obtain assessments and reports from a qualified, objective, independent third-party professional; Address data protection risks related to the development and management of new and existing products and services for data subjects.
The Privacy Advisor: What’s been your greatest achievement in privacy/data protection to this point in your professional career?
Montezuma: I am proud to be the only Data Protection expert in Colombia to hold five privacy credentials. This clearly demonstrates that I have comprehensive data protection and privacy knowledge and the perspective to ensure compliance and successful data protection around the world. I am actually taking a privacy by design course with former Ontario Information and Privacy Commissioner Ann Cavoukian.
The Privacy Advisor: What has had the greatest positive impact on your professional career?
Montezuma: The greatest positive impact on my professional career has been being able to work directly on data protection issues at organizations, law firms, consultancy firms and Colombia's DPA. Additionally, that work and my passion for data protection and privacy have allowed me, at a global level, to speak the same language worldwide, regardless of data protection or privacy regimes. I've co-written articles with specialists in the Americas, Europe and Asia, been a data protection lecturer at universities, and understand how authorities, organizations, systems and technologies work.
The Privacy Advisor: What’s the best professional advice you’ve received?
Montezuma: The best advice I have ever received was very simple: “Luis, you must always ask yourself why, who, how, when and where personal data is processed before resolving any case.”