It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Marvin Punsalan, who has 20 years of data security experience.
As the Director of IT at Hey DAN, Marvin ensures client data, which includes organizations valued at over 8 trillion dollars, many of which are the top investment firms on Wall Street, remains secure. Marvin is responsible for the overall strategy of the Information Security and IT teams. Marvin’s work experience in Data Management, Data Privacy, CRM, eCommerce, Cloud solutions, and consumer groups gives him an advantage to see security risks and issues from all angles. His team is responsible for employee security compliance, ensuring systems and controls are in place to safeguard the data in transit and at rest, including managing clean rooms for over 300 employees, and for ensuring all systems are up-to-date to combat the latest security threats. Learn more about what Marvin is up to at https://heydan.ai/
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in one of the progressive cities in the Philippines. I am a city boy and have always loved the fast paced environment. I am close to my cousins who are all living in the northern part of Manila. Whenever we would take a visit every summer, it’s always been a refreshing experience to spend every school break in an environment where things are a little simmered down and low key.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Just like every typical growing kid, I enjoyed asking how things work. It came to a point that one Saturday morning I wanted to figure out how our TV worked. Coming from a not-well-off family, our TV sets have always been a hand me down unit and would always break after a few times of being used. One day, I tried fixing one of our broken TV sets and, obviously was not successful in doing so. But that triggered some strong connection between me and electronics. When I was first introduced to a computer and its peripherals, it felt easy for me to not be intimidated. My first computer set was given to me right after high school and I had a fear of breaking it. I made sure that if my computer would break, I would be able to fix it on my own. Then I pursued understanding all of its components which then established my desire to pursue a formal education to help me in that area.
Can you share the most interesting story that happened to you since you began your career?
During my first job as a computer operator in a bank’s Data Center Operations, I was involved with running batch jobs and scripts to generate various bank reports. As a fresh graduate, my ideal scenario then was to really make use of what I had learned in school. But my regular tasks at work are far from dealing with computer hardware and networking. One day, I learned of an internal opportunity and applied to it. The role is someone who would evaluate hardware and software solutions before launching it to production. My passion for these special tasks would provide a spark that would energize me to work hard and work late. Because of this passion and drive, the role was finally given to me permanently. From this role, I have been exposed to a lot of different technologies, and was able to often be the first to try it out before anyone else. I enjoyed the work because it opened a ton of opportunities to learn new things.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Yes, from that role as a script or batch job operator, I was given a chance by my department head to finally do things outside of my normal work. When I applied for the role my department head trusted his instincts and took a chance on me. I had 3 years of solid experience in Data Center Operations, but zero experience in Research and Development on networking and security. It paid off. That same leader trusted me to the point that he invited me to join his team a few years later when he moved to a different organization.
Are you working on any exciting new projects now? How do you think that will help people?
I am currently working on a project that will generate savings on our maintenance cost. There is some network security infrastructure we have put in place which we can still enhance by considering an alternate solution. I believe it would help not just the organization, but our users as well. This new solution will simplify the over dependency on high-end computers to perform regular tasks while maintaining compliance, and security of information and data that we process.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Never run out of passion. You can never give it up. Share your passion because once passion is multiplied, you can always ask for help. Leaning on others allows you some “me time” and helps you avoid getting “burnt out”.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
First of all, the organization must be compliant to Data Privacy Laws. It must have a comprehensive information security program that will provide protection on a physical, technological and organizational standpoint of customer’s and client’s private information. All these security measures must be appropriate to the size, scope and type of operations of the entity obliged to secure personal and sensitive data. The information security program in place must provide measures that will minimize risks on security, confidentiality and/or integrity of customers’ and clients’ information. Depending on which industry the entity is part of, there has to be some level of compliance and data security guidelines being strictly observed and followed.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
There’s this old saying “don’t collect what you can’t protect”. If there is no means for any entity to enforce protection over the information collected, then there’s no reason for processing and storing this information. Customer information should be destroyed once the contractual obligation of the entity has been fulfilled.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Privacy and data protection laws have changed significantly over the last few decades. Over that same period of time, our privacy and data retention policies have evolved dramatically as well. Many of the changes made have empowered data owners to be more in control of their information. For example, data owners can ask for their information to be removed from any system. Although that may sound simple, it’s actually quite complicated. It involves clearly defining a policy on data retention, and implementing technology solutions that adhere to that policy in a way that is safe, secure and flexible enough to accommodate updates as well as on the fly data removal requests.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Hey DAN is the first voice-to-CRM solution. We capture all information shared by our clients relayed over the phone. From a quick phone call we convert meeting notes, opportunities, expense items and also do follow-up action items or tasks. The type of data that we store may cover a wide range of information. These can be clients’ contact information, location, gender and any other type of information that may be shared by clients. It stays in our systems for as long as the contractual obligation with the client is active.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
The need to further and heighten the security measures in order to protect access, ensure secured processing, data breach prevention, implement safest data destruction and establish a comprehensive security awareness program has led the team to invest on acquisition of new technology, skills and strengthen the day-to-day protection processes in the organization. For me, instead of worrying about the impact of new or pending legislation on data protection, I’d like to focus more on ensuring that we are ready for anything that may happen. That is, protecting what we currently have and having the flexibility to adjust to future tweaks in legislation protocols and procedures.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
With the implementation of more advanced technology like AI, ASR, ML and NLP, I can say that the tools that are currently in place will not be stuck at its current state. It has matured now and it will continuously be improved over time.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
Major breaches and outages served as our benchmark in ensuring we have the right technology, processes and skill sets to counter the impact of these risks in our overall business. Each major incident of breach and outage allowed us to counter check and be more proactive in doing self checks and be more aggressive in deterring security risks.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Have a full proof of policies and procedures. A strong protection policy in place sends a loud signal to all employees of how serious the organization is in protecting customer data. To an extent, the same policy can also be shared with clients — an indication that you are committed to protecting their data the moment it enters your systems and that you are a reliable and trustworthy organization to work with. Procedures that will make employees adhere to the policies are very important. Methodologies on updating and processing customer data have to be within the same pattern. Robust awareness programs and training can also help in ensuring everyone in the organization is on the same page and level of understanding when it comes to protecting customer data.
- Employ software security. Be it on a cloud-based environment or on-premise storage, software versions used to store and protect this customer data have to be updated regularly. It eliminates exposure to known vulnerabilities and security breaches. A strictly followed calendar of activities for package updating and applications review keeps everyone abreast of the latest security features.
- Encryption and tools for anonymization. Encryption method allows data to be completely unusable when it is accessed without authorization. Another layer of protection is to anonymize parts of the customer data. It saves the data subject from being identified once a data breach occurs and would have minimal to zero impact to them. Any leaked information can only be useful and damaging if there are actual persons and organizations attributed to the leaked information.
- Secure remote access. With the increase of options to work from remote locations, an organization with vast amounts of client data has to ensure that they have sufficient security applications to encrypt users’ sessions and the data being accessed. Risks are reduced when accesses are VPN enabled.
- Lastly, implement logical controls on devices being used to access customer data. Disabling USB devices, limiting access to admin functionality and disabling capabilities of users to customize their computing environment essentially minimize the risks of unauthorized sharing and distribution of customer information.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
It would be educating people about their own privacy. Privacy is something that should never ever be taken lightly. Information taken from us can be used to steal our own persona, cripple our finances and put our future in jeopardy.
How can our readers further follow your work online?
I am a very low key person and enjoy maintaining some level of enigma. But, I’d like to highlight our CRM platform. Our CRM solution is one of the most advanced there is and I encourage enterprises who are up to acquiring more clients and do not want to be bogged down with data protection implementation and compliance to try out our services. You can know more about our products and solutions through our website, https://heydan.ai/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!