Spotlight on... Jay Gomez, CISM, CIPM (IAPP), Head of Information and Data Protection, ABS-CBN Corporation.

In this edition, we feature Jay C. Gomez, CISM, CIPM (IAPP), Head of Information Security and Data Protection Officer, ABS-CBN Corporation.

Please share with us your background.

I am Jay C. Gomez, currently the Head of Information Security and Data Protection Officer of the largest media and entertainment company in the Philippines. I am a Certified Information Privacy Manager (IAPP) and a Certified Information Security Manager (ISACA). Like many DPOs out there, I wear multiple hats in my organization but it was a choice that I made. I like reading a lot about science, history and I'm also a Star Wars and Star Trek fan. I play golf as a sport but I also play basketball, table tennis and badminton.

How is it that you got interested in data privacy/protection?

I can say that I heeded the call of duty that's why I got into data privacy and protection. As a matter of fact, I volunteered for the position even if there was still some uncertainty and apprehension in general on what the role was really all about at that time.

When did you first get involved and exposed to the importance of data privacy?

My previous jobs were in the Contact Center and Business Process Outsourcing companies and got immersed in information and data security. We used to have clients who must adhere to different regulatory compliance and laws in North America and other countries such as SOX, HIPAA, HITECH, PCI-DSS and GLBA. Included were the pre-GDPR laws in the EU and UK.

What data privacy courses did you take from Straits Interactive /DPEX network and why?

I took the CIPM course from Straits Interactive/DPEX Network since the job of the DPO is really dealing with the day-to-day operational aspects of data privacy and protection. My information security certification was already pre-existing but it proved extremely helpful in the technical aspect of the job. What I'm considering right now is to take the CIPP/E or CIPT.

How was that different from other courses you took? What is your current job role?

The CIPM course gave me the requisite knowledge on how to operationalize data privacy framework and protection. As mentioned, I am a Certified Information Security Manager (CISM) and I can say that CIPM and CISM are complementary in so many aspects. I double hat as the Head of information security and a Data Protection Officer.

Which privacy functions are you involved in?

I am currently a Data Protection Officer thus my job is to make sure that my company complies with the law.

What practical advice would you offer to those wanting to implement a data protection management programme in their organization?

My advice is to reach out and get the buy-in of your stakeholders. Continuous awareness sessions is key since the concept of data privacy is relative new and it's not ingrained yet in the company culture. Proper change management is also critical.

Any interesting case, experience or scenarios to share for readers to get more insights into data privacy?

Our company experienced a data breach late in 2018 and I must say that it was both unnerving but a great learning opportunity for us. It was handled following the requirements of the regulator and our internal incident management process. We came out a better team after, learning through the ordeal. As a matter of fact, it was used as a good test case on how an organization should handle one by the regulator.

What advice do you have for others?

I personally believe that going through a formal and structured learning best equips an individual in maximizing the learning since there is an opportunity to ask the instructor of his/her real-life experiences and the practical approaches on how to be effective in the role. It would then help him or her in applying those and in operationalizing it. Taking the certification exam and passing it is cherry on the cake. Once you passed one, I think there rest would be easy with ample study time and review.

Any final words or thoughts?

The role of the DPO has evolved rapidly from just a "compliance" role but to a business enabler. However, the requisites of the role needs a properly trained, supported and empowered individual. The DPO needs all the support he/she can get either internally - from his peers, superiors, upper management, and externally - from professional groups, knowledge networks, training and higher educational institutions. Good luck!

By -  Leong Wai Chong (GRCP)