Zavior Founder/CEO Glenn Tan // Web3 Accountant Radio Ep14 Transcript
Glenn Tan is the Founder/CEO of Zavior
Zavior aims to enable businesses to achieve continuous compliance with its AI-powered platform. They are on a mission to allow organizations to scale their business by simplifying compliance and cyber security for all.
In this conversation, we dive into:
1. Emphasis of DPO in Singapore
2. What if you are appointed as a DPO for your company
3. 30 Sep requirements for DPO
4. What does a DPO do
5. Why did Glenn start Zavior?
6. One key finance / compliance lesson from Glenn
7. What is Glenn looking forward to in the Data Protection space?
And more!
__________________________________
Connect with Glenn & Zavior👇
Linkedin: / glenntwh/
Website: https://www.zavior.ai/
Email: [email protected]
Hi everyone, welcome to the Web3 Accountant Radio, the podcast where we dive into the fascinating world of Web3 Finance and Compliance. I’m today’s host Diana and my partner is Wei Xiang. Hi Wei Xiang.
Hi Diana. Today we are very lucky to have Glenn here with us with the current requirements for all companies in Singapore suggested to appoint a data protection officer and put it on ACRA and with this announcement, you know, I met Glenn at an event and then I invited him to speak so that all of us here can benefit from what he’s about to share with us to know about, you know, what does a DPO carry and what kind of penalties would you face if you do not follow the order. Yeah, Glenn Tan is leading Zavior in the regulations and cybersecurity sector, focusing on helping businesses of all sizes comply with personal data protection laws and information security standards, as well as achieving ISO and local certifications.
He also serves on the board of various industry trade organizations where he contributes to community building and offers expertise in technical and business solutions. Welcome Glenn. Thank you.
Thank you Diana. Thank you Wei Xiang. Thanks for having me.
Yeah, thank you Glenn. Glenn, what will you be sharing with us today with regards to the data protection officer? Yeah, so I think it’s a very interesting time we live in, right, where we’re talking about data protection officers, right? Probably a couple years back no one even talked about how do you actually secure data, right? I think in the space of Web3, right, a lot of new things come up. But I think the foundation of every tech has always been security, right? Home security is one thing, but now digital security is such an important thing.
And I think the emphasis of data protection in Singapore is actually a very interesting direction, right? I think Singapore is trying to lead in that manner how data is handled. And so today I think what I kind of want to share as well, based on what we discussed, was like how do we simplify this thing, right? Because sometimes it’s very complicated. It’s law sometimes and law is always very challenging, regulatory, right? But I think we are in the space of simplifying the work, simplifying the understanding of what a data protection officer actually does, right? And then what actually are the potential pitfalls or things that you could expect, you know, if you were to take up the responsibility or even if you’re a business owner and you have to delegate the responsibility as well, how would you have, what risks do you actually face as well in terms of compliance and overall cyber security as well? So that’s something that I think will be quite exciting to share as well.
Before we dive into the hard stuff, I had a conversation with a friend just a day ago, today if I’m the compliance officer of my company or I’m the chief information security officer of my company and with this requirement to appoint a data protection officer and my CEO has come to me as a Singaporean to say, Wei Xiang, you are going to be the data protection officer. What kind of comments, Glenn, would you be giving to such a staff? How should he respond, you know, should he go for training or like, yeah? Yeah, well, I think number one, don’t be scared because in our context, we always feel like when someone gives us more responsibility, then we always say, oh, I don’t know, I don’t know, I don’t know, right? The truth is we always don’t know, right? We don’t know where to start. I think as long as we take it, you know, in a proactive manner.
I would say first thing is don’t be afraid of it. It’s a responsibility, right? But it doesn’t mean that you are the person that has to do everything, right? In fact, I joked to some people, I said, if you become the DPO, you can actually boss your boss because you actually can tell him, hey, boss, you created a form, where’s the content, right? You better do, you know, because you’re technically now in a way the officer for the company, right? In a funny way, you know, there is a certain hierarchy to this, but I will share like even larger organizations, right? It’s a very good practice, like you’ll be heartened to know that schools, right? Beyond the data protection officer, they have individual department heads that also are data protection advocates, right? It’s not just a single person’s role, it’s a collective role. You shouldn’t be too worried.
And I think there are other things that later on I can sort of deep dive a little bit, right? Some of the requirements or some of the guidelines as well, right? That a data protection officer has to deal with. Yeah. Yeah.
Thank you, Glenn. So yes, I’m all ears listening to what you have to share. Yeah, cool.
What I’ll do is I’ll just maybe do some slides because I think it’s easy to see and visualize as well while I share a bit, right? Share my screen. Cool. As mentioned by Diana, we are in the business of actually helping people, you know, handle their compliance and meet regulatory requirements as well.
And we are in the business of helping people automate that process because we believe a lot of things that we do today in the digital space, we actually do it very manually with Excel sheets and checklists, right? Why don’t we use tech to solve this problem, right? Let me just start in a very simple, maybe in context that we talked about this requirement, right? Just to give some context as well in this manner is that Singapore is the very first country that kind of decided that they want to lead this part, right? Especially in Southeast Asia and Asia-Pacific as well. There’s no heavy requirement for an organization to ever publicly put something, right? For them to have this and then now trying to, you know, encourage, strongly encourage, right? For all organizations to have someone. This is something that I know for some people it’s like, you know, it’s a burden, but for some people this is also in a good positive direction because remember all businesses today are no longer transforming digitally.
They’re all digital by design already, right? A couple of things to take note, right? Number one is when you ever have an appointment of a DPO, right? Every organization in Singapore has to have one, right? Then you ask the question, what if I don’t have any staff? The answer is yes. And then I have another scenario whereby there’s no, even people, right? Involved in the company. But in that case, what happens is that they have, maybe they have a holding company for shares for another company, right? What do they do? Do they still have to meet the requirement of the DPO? The answer is yes, right? Because there could be shareholders, there could be directors, there could be corporate secretaries involved as well, and then personal data is moved around.
Unfortunately, the regulation does state that every organization needs to appoint someone, right? The second thing to note, I get this question a lot as well. They say, hey, can I appoint someone overseas, right? I think the answer is yes and no, but we’re still not sure because it’s not law, right? Because the law essentially just requires you to appoint somebody, right? But it does state in the facts or it’s listed in the FAQ, right? Of the regulation is not legislation, but the guidance, right? From PDPC is that the information must be made available, right? That person needs to be contactable for the point that if something happens, okay? That’s kind of one thing that we want to show as well. Now, let me talk a little bit about what they publicize, right? What’s kind of the biggest risk that everyone has to face, right? Actually, the biggest risk is the number that they will fine people is actually up to 1 million for any data breach or up to 10% of the company’s annual turnover.
That’s the law already. It’s been around for about a good many years just that they haven’t enforced, right? But I also want to draw your attention to something very interesting, correct? You can see this bubble over here, right? It shows all the different sizes of fines that have happened and there is actually a story to all of this, right? That’s actually a verdict. But what I want to explain a little bit is that, look, sometimes we think data is not affecting us or scams or maybe don’t affect our business.
But it’s not true, right? Because you can see all the companies that are affected by this. These are everyday companies that you consume, right? Your grocery store, to your e-commerce, to even the leasing, car leasing and home property agents as well, right? You can see so much of a variety that actually is affected by this, okay? Now let’s go to something a bit exciting. Wei Xiang, you might like this, okay? Let’s talk about this.
This is actually two comparisons. People always ask me, hey, so how would they essentially penalize or put in perspective things, right? I put two examples here. One is Starbucks.
Everyone knows Starbucks, right? They actually run a loyalty program, right, over here. They got fined $10,000, okay? And then on the other side is actually a car leasing company at $82,000, right? Very interesting, right? Why they get fined $82,000, why Starbucks and this other company only got $10,000, right? His number is 140,000 of the data that was breached. And then the one that got fined less, actually more data got breached.
Very interesting, right? Think about this, right? What is happening now is that these are situations I want to share that are actually very real. You might actually do whatever it takes, right? But yet sometimes you might still get penalized to a certain extent. But remember, everything counts for something, right? In the day and age.
I think those that are in the space of finance, right? You have been in an industry that’s heavily regulated. But here’s the thing, DPOs are still in the early days. They are starting to create more regulation.
But I think before they start making black and white, right? I think it’s good to sort of learn what you can or cannot do, right? A couple of things to point out, right? Number one is when you run a company, right? If you run a standard company, let’s talk about this leasing company. They just built a website to arrange for leasing agreements. It’s like how we have a website, ask people to fill up a form, right? Or we do like an engagement form, right? Which is very common, right? And then one of the ways they found out that this happened was through the ransomware was actually they couldn’t submit an application, right? It’s so interesting, right? They cannot submit.
And then they found out their servers were affected by ransomware. And then long story short, they found out that actually their software never got patched or software never updated. How many of you, you know, today your iPhone always ping you, you know, whether to update or not, then you like, you reject, right? And some of you could be still stuck on iOS 15 or 14, right? Yeah.
I mean, they always like update and it takes them very long. Yeah. Correct.
Correct. In this manner, right? Guess what? They found out that the company didn’t update their software. They bought an old software like ERP software to do this.
And for almost three years, they never updated, right? That’s actually one thing that in the verdict was a very strong emphasis, right? Other than passwords and all this kind of thing. And guess what? It happens to all of us, right? I joke in the room whenever I speak about this, I say, don’t raise your hand. Nobody’s going to catch you.
But you know, I think everyone relates to this as well. Right.
And I’m sure that, you know, maybe one person did not update their computer and the whole company got fined like $82,000. Because my understanding for this is, it’s not like the attacker has to attack maybe five different computers to access the system. You know, one person is a leak and then, yeah.
Correct. Correct. So what I just want to share is not so much of the fear of this happening.
I think it’s the reality that sometimes we assume things are there and then we don’t look into it. And that’s why I think this is where they try to punish a little bit more if you are negligent in a sense.
But if you do all the necessary steps, as you can see, even though the leak is a little bit bigger on the other side. Right.
There’s actually a lot of leeway that you can get as well. Yeah. I won’t go too deep into all this.
I think for those who, my separate audience who runs a software company. It actually is very realistic on the right side.
But I think what they try to emphasize is a couple of things like multi-factor, strong passwords, you know, and then update your software as often as you can when you are advised to as well. Just again, remember, these are things that we also do today. Right.
We are. And they also, some of them take some necessary steps. Yeah.
But I think that’s what we also want to share about today. It’s not just about a role to take on something, but it’s also a collective effort. Yeah.
One leak all will leak. Yeah. Okay.
Well, I’ll just share maybe one last piece about the whole concept of, and I like to simplify it in four ways. What are the responsibilities of a data protection officer? Right.
Again, these are guidelines. It’s all hidden in all the FAQ. So you can still appoint, but just be careful because these are things that you need to take into account.
First thing, very simple, equip yourself or the person that handles this, the data protection officer. He is an internal person. He needs to go for basic training, which is what we call a data protection fundamentals.
And this is already covered by grants in Singapore, but of course it’s also not very costly for those who are not local, local companies as well.
That’s one thing to do. Second thing to do is training and communication. Very, very important because even though it’s a small, maybe 10 minutes, 15 minutes video to explain to people that you shouldn’t put your passwords, you know, posted on your laptop in case you forget, very small things.
And sometimes when you walk away from your computer, please do lock it because sometimes people can come and do it, even though you might know the people or whatever, there’s always this, this unnecessary things that could happen. So communication and training is very important.
And then the third thing is, is, is policy creation.
Now this is not too hard for some of you who are in the space of corporate secretary. It’s like equivalent to board resolution.
But then in this manner, it’s policies of how data should be handled, how data should be removed as well, because removing data is also a very important part.
So policy creation, policy practices is the third thing. And of course the final one, this one’s a little bit harder.
It’s because you need to be the person that is able to respond to say a query, a government query or a client that says, I saw my data somewhere else. You know, you shouldn’t be having this, what happened? You still just need to be able to respond in time.
Of course, I ask the question, do you have all the answers? You don’t know. You might outsource that work to somebody else, but the key is you must commit to responding to either authorities or queries.
These are four simple rules. I will sort of simplify it.
Of course, there are more things, but I think these are four fundamental things that are very crucial. Well, when you spoke about the DPO, I keep thinking of a certain person in the company.
And from this slide, I kind of understand who the DPO will be familiar to. It’s like the fire safety officer. You need to have the training and then have like incident response.
Correct. Correct. And I think funnily, right.
Fire training is also surprisingly very unique to Singapore. Okay. Emphasis on fire safety is actually a very important thing.
And you know, that actually does save life, you know it’s so sad to hear stories like of even, you know, buses, you know, like in Thailand that got burned because they didn’t know that the door is behind. They’re all rushing to the front.
I think to the same concept of fire safety in buildings, What are you doing with your digital business? What are you doing with your business? Why are you not doing the same steps, you know, of taking care either your home or your building in that manner. Thank you, Glenn, for giving us 20 minutes, you know, briefly data protection 101.
Now, can we hand the time over to Diana to share some personal insights, something that we don’t find quite often outside. Yeah. Okay.
Let’s move to today’s free talk session. And in today’s free talk session, I have a few questions I am particularly curious about. And the first question is, why did you found Zavior? Well, very, very funny and good question.
I think we built Zavior with the mindset to help people and ultimately businesses, right, to handle compliance, handle cybersecurity, handle PDPA, something like this as well. Because think about it like we are a digital company, right? I mean, all of us, right? And we shouldn’t be just using Excel. I know Excel is very powerful, but why can’t we have a tool that can pull data that already exists, right? In the same one simple way, we want to help businesses learn to attain some level of certification or competency and then also maintain as well.
How do they maintain and sustain that competency? So that’s why we started Zavior because we felt the pain as well when we were doing our ISO, when we were trying to get all the documents for all sorts of things in other parts. My co-founder and I decided, okay, let’s build something that at least can help more people. Under your experience, helping the organizations to protect their information security, can you share maybe one tip for the finance and compliance leaders? Yeah, well, I think one tip that’s very important when you have data, right? I think in the finance side is data retention, which means also data disposal, right? I think maybe very specific to the industry, everyone believes that you need to keep for five, seven years, right? But after the five, seven years you can let go.
And I kind of know the space as well, because very similar in a sense, your balance sheet, if it’s already balanced, why do you need to pull all the data, all your journals, all the from the past history, what for, right? Yes, it gives you a sense of security, right? But don’t forget in a data world today, right? Even in the old world, you store it in a warehouse, you locked it up, but now digital space, where is it, right? So you should always have a plan to remove it over time, right? I think, and then if you can collect less data also is better because then you don’t have liability as well. So again, it’s a little bit of a mindset change, especially for the people in this space, but I think it’s something that you need to believe that it’s very different, right? Physical space versus digital space is definitely very different. Oh, okay.
And what are you looking forward to with respect to the data protection? Sorry, looking forward? What are you looking forward to with respect to the data protection? Well, I think data protection is the beginning, right? So I think one thing we never touch a little bit, which a lot of topics today cover is AI, right? So for AI to thrive, imagine the amount of data, the amount of information that is being given, right? And cybersecurity and data protection is actually the very fundamental thing to do, right? If you don’t, even if you want to touch AI, then how do you handle data? How do you store data? How do you teach your employees to not share confidential things over personal social media messages, right? I think what’s to come requires us to just have a slightly different mindset. There’s no need to change everything, but just see things in a different lens, right? Because I can end, I can say this in a very funny story, right? I used to come from the hard disk industry where we were very technical and we built hard disks. And people say, oh, hard disks, when cloud comes, no more hard disks, right? I think that’s the perception people feel.
But you know, for us in the industry, right, we laugh because when we go to cloud, it’s no longer one drive, it becomes four drives. So just think about it, one becomes four. Why? Because you haven’t noticed why your Facebook photos or some of your old Instagram posts, like a few years ago, take a while to load? Because they’re all stored in a different part of the cloud.
There’s actually more drives. Yeah. If you think about it, right, we have this perception that, oh, this thing is going away, but actually it’s not true.
It’s actually, things are here to stay. In fact, they’re accelerated. But of course, sometimes we don’t know because we don’t know the tech behind it, right? But yeah, I think what’s to come is that with more AI adoption, with more digital adoption, we have to just have good practices, keep the house clean, keep the office clean in some sense.
And it just requires a bit of that. Thank you, Glenn. I would like to dig deeper into the tip that you are sharing.
Think about when you should remove your data. To be honest, before you shared this tip, the thought of removing my data has never come to me. The one that came to me is how do I secure it or back it up? So your five or 10 years finance data, I’m more than happy to back it up a few more times.
The thought of, you need to throw away data, like why? Why should a company be incentivized to remove data? What if one day, what if somebody needs it and it is not there? The person who throws it away is to blame or he has to, you know? Yeah, so very funny story. I gave you an experience in the finance world. I used to do a bit of that, right? So maybe I ask it back and the question is, if you have a 10-year-old supplier invoice and then you move to a new system, right? What do you do? Do you bring the general entry over? That depends on system migration, whether they can support.
I mean, if they can, they can. If not, then yeah. In that case, a lot of practices is, you know, like it’s a 10-year debt, right? Or, you know, I might or might not pay him.
When I bring over, it’s an AP, right? If you come back, then I just generate a new AP, you know? I mean, sorry, being a bit technical, right? But it’s a funny thing to realize that, hey, you don’t need that data, right? Just that if the client does come back and they say you owe them money, right? Then okay, then you just generate a new supplier invoice, right? Or either you register it as bad debts, right? The same concept is actually with data, right? Why you want to keep so much data? And here’s the thing. First thing, it saves money because you actually, as you store more data, it gets more expensive, right? And maybe another joke is don’t store double cloud because you don’t need to, because the cloud is already full, I just mentioned, right? I think in that same concept of, you know, accounting and finance practices, right? Data is the same, right? The more data you handle, the second important thing is that you then have more risk as well. Because if you were to get rich, right? Then what happens to that data? It’s on your responsibility, right? And if you don’t really need that data, it’s more like the old school, I just want to hold my hard drive, you know, then I feel good.
But actually you don’t need it already, right? Even regulators don’t come back, right? Even if they fine you or if there’s any mishap in terms of the financial world as well, like they can’t go so far back as well, right? The truth is you don’t need that data anymore. But of course, it feels good if you can hold it, you know? But yeah, to that context, I hope it helps. Yeah, thank you.
Then the other one is, I heard there was a mention of a DPO as a service, but I think it wasn’t mentioned. Would you want to share a little? Sure, sure. I think whatever I shared today, right? You know, we found out that there is a demand as well, right? Besides equipping yourself, right? And how do you continue to do it? What we do is we recently launched our DPO as a service, on our platform to do this.
And what we kind of do is maybe I show one simple slide just to give a perspective, right? So what we do is we try to simplify the process, right? In a manner whereby we actually were trying to solve the cybersecurity problem. Then we realized, hey, can we simplify it for even DPOs today that maybe appoint themselves, right? And then they don’t know where to start, don’t know what to do, right? So all the four steps I mentioned, right? We can cover that. And then of course, we will then hire a consultant together with you as well to deliver the work.
We are in that space of now trying to give people an option, right? They want to do it themselves or they want to work with a consultant. Of course, in Singapore, we are blessed with a lot of grants or even consultants being available, right? I think that’s kind of like one offering that we’ve recently launched not too long ago, right? To serve this market, right? And ultimately, I will also say in the long term, always think of it this way, you can use this service to get from zero to one. Then later on, if you want to stay at one or 1.2, right? You can run it on your own.
You build up internal capabilities. And I think that’s the mission of the government, right? The mission of the government is to ensure people learn to handle data well. So yeah, it’s not a main thing that we try to do, but because we serve a lot in the cyberspace and ensuring more infrastructure are done.
But I think DPO is something that we felt that, okay, it affects everybody, every business, every walk of life, right? And data, of course, affects all as well. Yeah. So that’s kind of a thanks for bringing up.
I think that’s something that we advocate for as well. Yeah. Thanks.
Thanks a lot for sharing. I think this is very helpful. The idea of bringing zero to one.
And then if you want to do more 1.1, 1.2, because I think many of us today, I safely say most of my friends at zero. So yeah. Thanks a lot for sharing.
Yeah. Diana, any other questions? Actually, I have one extra question. Very curious because you mentioned AI before.
I’m very curious that whether the AI will raise the difficulty of the data protection. Well, I don’t think it’ll make things difficult. It should make things easier, right? Same like how we were trying to use AI to solve some of these policy compares, right? And all that.
I think what AI will do for data protection is that we always say the same tools are being used by the bad guys.
If we are genuinely doing good business, we’re trying to make a decent living of our lives and our society, why are we not using the same tool as well? Because they’re using that for bad and we should be using that for good. AI is here to stay, it’s here to assist us. The word we always use is Augment.
Augment means let’s make it a better version of ourselves and emphasize some of the things that we do better. Different forms and size like all humans as well. And then, yeah, I think it definitely is going to help data protection, that is for sure.
Okay, thank you very much. I have no further questions. Cool, cool.
Thank you. Glenn, do you have any last words? No, I think I’m very thankful for this opportunity to share to the community as well. And I think if there’s anyone who needs any queries, questions, help, do reach out to us.
We’re more than happy to help jump in a call, understand your business. If there are other things that can be done, we’ll assist as well. And I think I’ll also end with this statement I always tell people.
So we hope to achieve this, that every business needs a Zavior, and that we can have this ability to assist all businesses, forms and sizes, especially in all their regulatory requirements as well. Yeah, thank you, Glenn. Yeah, every business needs a Zavior, totally agree with you.
Yes, today I learned so much about data as a resource, data as a burden. So yeah, if you like the video, please subscribe to us. Okay, that’s all for today.