In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Leah Camilla R. Besa-Jimenez, Group Head, Enterprise Risk Management at PLDT, about how she approaches privacy inside one of the largest Southeast Asian telecommunications companies. The discussion focuses on privacy as an operational practice, not only a legal one: using risk matrices to structure decisions, coaching teams to exercise judgment, raising privacy issues early in project conversations, and shifting the company mindset from data ownership to data stewardship. 

In this episode, the conversation centers on how privacy functions inside day-to-day operations. Leah explains that privacy is largely about process: how data is handled, how risks are assessed, and how teams are trained to identify issues before launch. The episode also discusses how leaders must empower privacy teams to make better decisions.


What this episode covers:

• Why privacy work is often operational, not only legal
• How risk is assessed using impact, likelihood, and specific privacy dimensions
• Why teams need to exercise judgment instead of waiting for answers
• Why privacy questions should be addressed early in design and planning
• Why customer data should be treated as something the company stewards, not owns
• And so much more!
  
  

Connect with Leah Camilla R. Besa-Jimenez here: LinkedInConnect with Kellie du Preez here: LinkedInConnect with Danie Strachan here: LinkedInFollow VeraSafe here: LinkedIn


If you enjoyed this episode, make sure to subscribe, rate, and review it.


Episode Highlights:

• [00:05:21] Using Risk Matrices to Structure Decisions

Risk assessments are used to guide conversations by assigning scores based on impact and likelihood. This helps teams explain their reasoning and makes discussions more structured and less reactive.

• [00:09:04] Privacy by Design as a Cultural Practice
  
  

Privacy by design is described as a behavior, not just a process. Embedding privacy depends on how teams think, interact, and raise issues during day-to-day work.

• [00:10:59] Breaking Risk Into Specific Dimensions
  
  

Risk is not treated as a single concept. It is broken down into customer impact, compliance impact, potential harm, exercise of rights, and operational cost, allowing for more precise evaluation.

• [00:14:54] Clarifying Roles in Decision-Making
  
  

Privacy teams do not make business decisions. Their role is to outline the risks associated with each option so that the business can make an informed choice.

• [00:19:51] Planning for Exercise of Rights Early
  
  

Teams are expected to consider how customers will exercise their rights as part of the design process, not after implementation.

• [00:22:10] Starting With Conversation, Not Just Assessment
  
  

Rather than relying only on formal reviews, early conversations are used to understand what teams want to build and to identify privacy considerations before requirements are finalized.I 

• [00:24:18] Moving From Fear to Practical Enablement
  
  

Privacy often starts as a response to risk or pressure, but the goal is to integrate it into how the organization operates so it supports decision-making rather than blocking it.

• [00:27:43] Reframing Data as Stewardship
  
  

Customer data is not owned by the company. It is entrusted to the company to process according to what the customer agreed to, which changes how responsibilities are understood.


Episode Resources:

• Leah Camilla R. Besa-Jimenez on LinkedIn
• Kellie du Preez on LinkedIn
• Danie Strachan on LinkedIn
• VeraSafe Website

Privacy in Practice is handcrafted by our friends over at: fame.so.

Connect with us at [email protected]

This podcast is brought to you by VeraSafe.