In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Leah Camilla R. Besa-Jimenez, Group Head, Enterprise Risk Management at PLDT, about how she approaches privacy inside one of the largest Southeast Asian telecommunications companies. The discussion focuses on privacy as an operational practice, not only a legal one: using risk matrices to structure decisions, coaching teams to exercise judgment, raising privacy issues early in project conversations, and shifting the company mindset from data ownership to data stewardship.

In this episode, the conversation centers on how privacy functions inside day-to-day operations. Leah explains that privacy is largely about process: how data is handled, how risks are assessed, and how teams are trained to identify issues before launch. The episode also discusses how leaders must empower privacy teams to make better decisions.

What this episode covers:

Why privacy work is often operational, not only legal
How risk is assessed using impact, likelihood, and specific privacy dimensions
Why teams need to exercise judgment instead of waiting for answers
Why privacy questions should be addressed early in design and planning
Why customer data should be treated as something the company stewards, not owns
And so much more!

Connect with Leah Camilla R. Besa-Jimenez here: LinkedIn

Connect with Kellie du Preez here: LinkedIn

Connect with Danie Strachan here: LinkedIn

Follow VeraSafe here: LinkedIn

If you enjoyed this episode, make sure to subscribe, rate, and review it.

Episode Highlights:

[00:05:21] Using Risk Matrices to Structure Decisions

Risk assessments are used to guide conversations by assigning scores based on impact and likelihood. This helps teams explain their reasoning and makes discussions more structured and less reactive.

[00:09:04] Privacy by Design as a Cultural Practice

Privacy by design is described as a behavior, not just a process. Embedding privacy depends on how teams think, interact, and raise issues during day-to-day work.

[00:10:59] Breaking Risk Into Specific Dimensions

Risk is not treated as a single concept. It is broken down into customer impact, compliance impact, potential harm, exercise of rights, and operational cost, allowing for more precise evaluation.

[00:14:54] Clarifying Roles in Decision-Making

Privacy teams do not make business decisions. Their role is to outline the risks associated with each option so that the business can make an informed choice.

[00:19:51] Planning for Exercise of Rights Early

Teams are expected to consider how customers will exercise their rights as part of the design process, not after implementation.

[00:22:10] Starting With Conversation, Not Just Assessment

Rather than relying only on formal reviews, early conversations are used to understand what teams want to build and to identify privacy considerations before requirements are finalized.I

[00:24:18] Moving From Fear to Practical Enablement

Privacy often starts as a response to risk or pressure, but the goal is to integrate it into how the organization operates so it supports decision-making rather than blocking it.

[00:27:43] Reframing Data as Stewardship

Customer data is not owned by the company. It is entrusted to the company to process according to what the customer agreed to, which changes how responsibilities are understood.

Episode Resources:

Leah Camilla R. Besa-Jimenez on LinkedIn
Kellie du Preez on LinkedIn
Danie Strachan on LinkedIn
VeraSafe Website