"There is no digital strategy without data and no big decisions without good data"

Daniel Vargas, data protection officer and digital counsel for L'Oréal Latin America, tells us about the current state of data-protection regulation in Colombia and others countries of Latam, the measures being implemented by the company to improve privacy, and what they value most in an external advisor.

Publicado Monday, April 25th 2022
"There is no digital strategy without data and no big decisions without good data"

Daniel Vargas

Leaders League: You only recently joined L'Oréal, tell us about your role and the countries you are in charge of? 

Daniel Vargas: I am the Data Protection Officer and Digital Counsel for L'Oréal Latin America. The L’Oréal Latin America Zone includes Mexico, Colombia, Peru, Brazil, Argentina, Uruguay and Chile, in additional to Central America.

L'Oréal, as the world's top beauty company, is in a state of perpetual evolution. Our purpose is to “create the beauty that moves the world”, and one of the priorities today is developing the technology and science behind beauty - beauty tech; as well as expanding digital channels and becoming a data-driven company.

My role is to help the group in Latam with all data-protection issues as well as the legal challenges that digital transformation brings. L’Oréal is one of the most ethical companies in the world, and so naturally legal compliance is a priority, as in our view this is the way to build a sustainable business.

What is the current state of data-protection regulation in Colombia? Is it very different from the rest of Latin America? 

The most recent change to data protection regulation in Colombia came in 2021. The data protection regime in Colombia consists of two laws: Law 1266 of 2008 (credit data protection law) and Law 1581 of 2012 (general data protection law).

The first law regulates how credit data, use for credit risk purposes, should be processed. For example, it sets data retention periods for negative data, outlines express consent requirements and the rights of the data subjects to access, update and rectify their personal credit data.

In 2021, Law 1266 was partially amended by Law 2157, which, among other measures, provided new retention periods for negative data, a data retention amnesty period for those who had unpaid debts and, for the first time, standardized credit scores.

Concerning how similar Colombian regulations are to those in the rest of Latin America, there are some common aspects. For example, Mexico, Panama, Brazil, Colombia and Peru have two-pronged data-protection regime: a general data protection law and a credit data protection law. Also, in all the data protection regimes express consent is the legal cornerstone of the use of personal data.

That said, data protection laws do vary from country to country. The Brazilian General Data Protection Law set several data processing legal foundations, such as express consent, contract performance and legitimate interest, however the Colombian and Peruvian regulations mainly cover express consent as a legal requirement for processing personal data.

In the last number of years, Latin American countries’ data-protection regulations have tried to mirror European Union regulations. This is the case with Brazil and Panama, whose recent data-protection laws were inspired by the EU’s GDPR. Colombia, Argentina, Peru and Uruguay took their cues from older European regulations, although Argentina and Chile are in the process of updating their regulations to be more in sync with the GDPR.

What lessons do you think the pandemic has taught companies in terms of data protection? 

The pandemic reset what companies took for granted about the market, and the lockdowns which followed changed shopping habits, the way we lived, socialized, traveled, among many other things. Therefore, companies were naturally forced to take big decisions and make huge changes. And in this, personal data, played a crucial role in providing more knowledge about consumer behavior.

Because of lockdowns, companies were compelled to accelerate digital transformation, and invest more in creating direct relationships with consumers. In the case of L’Oréal, digital channels are now more important than before the pandemic and we have been innovating to create new experiences and remain close to consumers. One of the examples is our virtual try-on service for makeup and hair, a feature that predates pandemic but became even more relevant over the past two years as it allowed consumers a way to digitally try before you buy products without leaving their home.

So, in terms of data protection, the pandemic has posed challenges and provided lessons, because there is no digital strategy without data and no big decisions without good data. To build a data-driven company and a successful digital strategy, data protection is one of the foundations. L’Oréal is highly committed to having the best data-protection practices and standards.  

What changes have been made at L’Oréal to improve privacy and data protection? 

We are strengthening our accountability program, implementing new and modern tools to have better compliance governance.

In Latam we are introducing a new data-mapping tool, which will allow the company to keep records of processing activities and have an overview of what the company is doing with the personal data.

Also, we are consolidating how we assess projects, making them all privacy complaint by design. The privacy by design approach that is been applied in Latam consists of integrating privacy into the design process in the early stages of every project to make privacy a priority rather than an afterthought.

Most important of all, L’Oréal has a strong commitment to privacy. Based on which, we are strengthening governance, engaging employees on privacy issues and holding them accountable for their decisions. Today all regional L’Oréal operations have privacy committees, and we are creating a network of collaborators who are involved in privacy issues.

What does L’Oréal look for in an external advisor? 

Many external advisors in the market have the requisite experience and knowledge. But what I, personally, look for is a lawyer with experience in both business and in legal matters, one with enough knowledge to anticipate issues and identify risks associated with a potential decision. They need to understand L’Oréal as a business. And of course, to work with us, a lawyer or a law firm must have an outstanding reputation and be above reproach.