Spotlight on... Ronald Allan Pablo, a Deputy DPO

In this edition, we feature Ronald Allan Pablo

Please share with us your background

My background can easily be summarized as follows: A lawyer by education, an IT professional by training, an information security professional by circumstance, and lastly a data privacy professional by necessity (or destiny if you want a poetic ring to it). My career started out in the public sector mostly on administration, but this has changed quite rapidly depending on the needs of the times. From administration, I found myself in IT, policy, program management, corporate re-engineering, finance, information security, and data governance, before finally settling on data privacy. 

It is ironic that data privacy, as a discipline, is essentially an amalgamation of all of my previous fields. I've applied data privacy in the context of social health insurance from my years of government service, to the private sector, specifically in the areas of B2B lead generation and marketing, to telecommunications, where I am right now.

How is it that you got interested in data protection?

When I first entered the field of information security around eight years ago, data privacy wasn't that well known nor was it a specific compliance concern until 2012, when the Philippines' Data Privacy Act was signed into law. As is often the case at the time, no one really starts out in data privacy, often transforming their careers from some other field. It was no different for myself as data privacy was folded in the requirements of information security.

After a time, data privacy started to take center stage with information security playing a supporting role in order to achieve the objectives of data privacy. Data protection as a whole took on a more human perspective...instead of focusing on the notional concepts of confidentiality, integrity and availability, you start looking at things from the perspective of data subjects and their rights.

What data protection courses did you take from Straits Interactive and why?

I took the CIPM, CIPT, and CIPP/E courses. These courses are different from previous technical trainings that I've attended in the past as they are all centered on data subjects...on people, on protecting their privacy and their rights, rather than technologies or processes. Yes, technologies and processes are still in the picture, but in this context they play a supporting role in the context of overall data protection. It is essentially perspectives going full circle. Before, there was an emphasis on the needs of individuals, and technologies and processes were developed to enhance the delivery of goods and services to everyone.

As processes became more complex and technologies became more advanced, we started focusing on these instead of the individuals these processes and technologies were intended to serve. Now we are going back to the human component, specifically the right to privacy which for the longest time took a back seat to speed and efficiency.

What is your current job role, which data protection function are you involved in?

I am currently designated as a Deputy Data Protection Officer in an organisation focused in the marketing and delivery of fixed, wireless and information and communication technology solutions. My area is specifically with regard to data privacy program operations, that is, ensuring that the stakeholders and their respective initiatives comply with set data privacy standards, policies and guidelines.

What advice do you have for others?

The most basic piece of practical advice I can give if you're starting out, whether as an individual practitioner or are in the process of instituting an organisation-wide data protection program, is to immediately get training from an IAPP accredited training provider, and if possible, get certified under any of the IAPP's certification programs, as may be relevant to your role. This reason for this is while data protection as a whole covers ideas coming from various fields you may be familiar with, these are all melded in an intricate way which makes your current, stand-alone understanding of any of these concepts, particularly if you're coming from other disciplines, markedly different to how they are applied holistically in the context of data privacy. IAPP trainings and certifications guide you towards a common, baseline understanding of data protection in line with best practices, industry standards, and laws and regulations, and provides a stable foundation on which you can build a functional and compliant data protection management program.

What advice do you have for other organisations?

I've seen many instances of organisations jump the gun when it comes to instituting a privacy management program without the benefit of appropriate knowledge and training, and later finding out that their implementations are way off from best practices or industry standards. Unfortunately, at times, it becomes impractical or difficult to redo your privacy management program approaches so flawed implementations become embedded in your organisation's processes...or vice versa. Do not skimp on training and learning opportunities. These are investments which will pay out in the end.

It goes without saying, when doing something difficult or complex which impacts your way of doing business, it pays to do it right from the start rather than use trial and error.

By Leong Wai Chong in an email interview with Ronald Allan Pablo

The opinions expressed here are the interviewee’s personal views and do not represent the official position of organisation the interviewee works for.