The next expert whom we had the opportunity of speaking with is Agustina Villamide. Currently, she is holding the position of Legal Counsel Privacy and Data Protection Officer at Dott, an Amsterdam-based micro-mobility startup. Agustina is experienced in implementing data privacy programs from the ground up for global organizations with locations around the world. She is certified by the IAPP as CIPP/E and Maastricht University as Data Protection Officer. In this interview, she shared her personal views on the most dangerous threats to the security of personal data and whether all malware attacks need to be reported under the GDPR. To uncover Agustina’s thoughts, continue reading the full interview below.

1. Firstly, thank you very much for taking part in this campaign, Agustina. Can you tell us about your professional background and areas of interest?

Thank you for inviting me to participate in this series. My background is in law, I began my law studies back in Argentina and then moved to the Netherlands and got my LL.B. and LL.M. in European Law. Later on, I decided to specialize in Data Protection, so I decided to get trained and certified through Maastricht University, and also got my CIPP/E certification (and currently working on my CIPP/M one). I was lucky enough to finish my studies when GDPR was announced, so I had the chance to develop professionally together with this Regulation. 

Throughout my career, I’ve had the luck to carry out my role in different fields, which has given me the opportunity to see data protection in action as well as its potential challenges from very different points of view. In my current role at Dott, the field is micro-mobility where I work with specifications such as MDS and GBFS, while I also have the opportunity to work alongside the various cities where we operate or are trying to operate in. I’ve also worked in the Humanitarian sector in the past (with Medecins sans Frontieres), which included traveling to remote places and learning about different types of health conditions and how data was collected in those cases. 

My focus is on data protection and technological developments that may impact it, especially in fields like AI and IoT. I really enjoy learning about new technologies and imagining how they may affect individuals in the future, and what measures may be necessary. 

On a more personal note, I’ve always had an interest in mystery novels, and I always joke that they’ve been extremely useful for my role as DPO, as I have to ask plenty of questions and ‘investigate’ what data the company processes, how, if it’s shared, whether any updates are needed, how any potential vendors to process this data, etc. 

2. You are currently holding the position of a Data Protection Officer. Is there a typical workday for a data protection officer and more specifically, what are some of your primary concerns on a daily basis?

I would have to say that no two days are alike, as every day brings its own new activities and challenges. One day I will be talking to our Product team and looking at our app interface, while the next one I will be working alongside User Research and looking at how we inform participants of how we will collect, use and transfer their data.  While there are long-term goals, there are always new topics and activities to assess, especially because Dott is growing so fast!

Since I began working with Dott last December, three new countries have been added, so there are always new challenges to tackle. My primary concern is trying to ensure that everyone is up to date with our obligations under GDPR and that they can link these to any new activities, ensuring privacy by design and default, so that this is part of the process without having to think about it. Anticipating what comes next or what we may need with any future developments is something that is daily on my mind.

3. Would you say that you have had any barriers during your career and success as a female leader?

I believe being female, as well as being a rather young professional, have sometimes added an extra layer of difficulty to exercising my role and moving forward. People sometimes assume that the more technical roles – despite data protection being a very legal area – should mostly be handled by men, and there can be a certain distrust when they are asked something or given instructions by a female professional. While I do not mind proving my knowledge and ‘earning’ that respect, I do think there is still work to be done to encourage that this is equal between counterparts. 

Nevertheless, I have to say that at the moment, quite the opposite happens at Dott, as our Legal team is made up of only women (currently 3 ladies, soon to be 4). While this has not been intentional, I think it shows that many companies do not have the same type of prejudices and that they work hard to ensure equality.  

4. What are the most dangerous threats to the security of personal data on the Internet today, and how can we protect ourselves from them?

I think the biggest problem at the moment is still a lack of awareness, which is what allows for a lot of threats to actually materialize. While most individuals have at least one electronic device, not everyone is aware of the risks that can come from them. I believe that electronic literacy should cover these points so that when people learn to use a device, they also need to learn the potential risks and implications of it.

While we ingrain certain concepts that have physical implications into people’s heads, like for example ‘don’t leave your doors unlocked’ or ‘don’t talk or go with any strangers’; we do not put the same emphasis on the online equivalents of these. Thus for example, when the phishing emails begin increasing, such as they did with the Covid-19 pandemic, this becomes a bigger threat when people do not know what these are and assume they are official emails than when people know how to identify them and know to report and delete them.

5. What key malware trends have dominated 2020 and what should we expect in 2021?

I believe we will continue to see malware designed to target home devices such as cameras, as well as smart devices, including smart cars and other vehicles, which is why it’s so important that companies have this in mind when developing their solutions. Given the interconnectedness of devices, and how essential they’ve become to people’s lives, these types of malware could cause even bigger problems than they have in the past. 

The targeting of IoT devices is also a big one to look out for, as it could affect individuals with health devices, where this might mean that not only an individuals’ device -such as a phone or a laptop and associated data – are at risk, but it could be their own physical safety that would be threatened, and in some cases (such as with peacemakers for example) their own life. This escalation in the impact that cybercrimes can have, marks a pretty big moment in history, in my opinion.  

6. Do all malware attacks need to be reported under the GDPR?

There are a few conditions for the attack to be reported under GDPR: the attack needs to consist of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

Thus, for example, if no personal data is involved in this case, there is no need to report this under the mechanism under GDPR.

If the conditions are met, then the attack will need to be reported, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. So in each situation, there will need to be an analysis of the data compromised, the number of data subjects, as well the potential risks to the rights and freedoms of these and based on that, determine whether this notification is needed. 

The EDPB’s Guidelines 01/2021 on Examples regarding Data Breach Notification are very insightful and provide various examples depending on the type of attack experienced.

7. What trends do you foresee happening in the data protection landscape over the next 3 to 5 years?

I think we will continue to see new legislation introduced in other countries which is based or inspired by GDPR, as well as more countries being deemed adequate for transfers outside the EEA. Given the changes brought on by GDPR, there is certainly a tendency to opt for similar measures, which makes it easier for the users and allows them to exercise their rights more easily. On top of that, the courts will also continue developing case law and clarifying topics which are of concern, or where the law does not provide sufficient clarity. 

Services that help with compliance with data protection legislation, as well as those claiming to help the data subjects exercise their rights will also continue to show up and grow.   

The biggest trend I see, however, is that awareness of the data subjects will keep growing, which encourages them to ask questions, report non-compliant measures, and exercise their rights. This also helps to keep organizations accountable for their processing of the data subjects’ personal data, and I believe this is key. The more that this happens, the more ingrained that data protection will be into a company’s DNA.  

Finally, the e-Privacy Regulation should hopefully finally be adopted, providing further guidance and protection for the privacy of individuals. 

8. Where do you go for inspiration or resources that you use in your own development?

I find that the websites for the various Data Protection Authorities have good publications, such as guidance and templates, including the CNIL, the AEPD, and the ICO. The IAPP also has copious amounts of helpful resources, including policy templates, maps showing the various laws around the world, opinions on various topics, as well as updates on developments such as the e-privacy Regulation or such as Schrems II. Finally, we also use DataGuidance from OneTrust, which provides very helpful overviews and up-to-date news and relevant information.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.