After a long wait, Thailand finally have a law to protect our data privacy. But don’t jump with joy just yet.
Nowadays when we are obliged to give away our personal data for various services, it is only right to have a system to prevent data privacy violations and to punish companies for selling or misusing our personal information.
The recent mega data breach by Facebook shows how easy it is for businesses to violate consumer privacy for commercial gains. It also shows how serious governments are in protecting data privacy.
The Facebook Cambridge Analytica scandal
Following the scandal, the US Federal Trade Commission hit the tech giant with a record US$5 billion (153 billion baht) fine for allowing Cambridge Analytica, a political consultancy firm, to obtain the personal data of up to 87 million Facebook users, possibly for political purposes during the US presidential election.
The Italian Data Protection Authority also ordered Facebook to pay a fine of one million euros (33.8 million baht) for Cambridge Analytica data misuse which violated Italy’s privacy law.I recommend you watch The Great Hack , a Netflix documentary on the Facebook Cambridge Analytica scandal, to understand the danger of data misuse and the urgency of personal data protection.
It is good news, then, that Thailand finally has a law in place to protect consumer privacy and personal data. It took over two decades for this law to materialise despite much public concern over consumer privacy violations.The Personal Data Protection Act came into effect in May this year, a significant move to protect consumer rights in Thailand’s digital age.
Consent is one of the key features for data sharing
Under this law, people have the right to protect their privacy and manage personal data collected by organisations and companies. Consent is one of the key features for data sharing, while people have the right to know which organisations have their data as well as how it is used and shared.Yet implementation remains problematic.
For starters, the national personal data protection commission won’t be able to operate as a regulator for at least another year. Also, many provisions are still vague, which may lead to legal misinterpretation and weak legal enforcement.
Since the law allows business operators only a one-year grace period before legal enforcement, they have little time to adjust their operations to comply with the personal data privacy law.
Without an authorised body to clarify legal provisions and set guidelines, most operators will be unprepared for compliance when the data privacy regulator is ready to enforce the law next year.This is a matter of the law being too slow to materialise, and then too quickly implemented to prepare businesses for change.
According to a survey by the Thailand Development Research Institute (TDRI), business operators are voicing a similar need for legal clarifications and guidelines from the state regulator due to vague legal provisions. Anxiety is running high that unclear legal provisions may lead them into legal and financial wrangles.
But there are still several things they can do to avoid such problems.
Under the new law, business operators have two main responsibilities.
One is to protect personal data by giving its owner the right to access, correct, be fully informed about data use, and manage and delete personal information. Consent is necessary for data collection, use, and disclosure in many cases.
Their other duty is to inform the owner when a data breach occurs and to report it to the national personal data protection commission. Despite the lack of clear legal guidelines, business operators can prepare themselves to meet these two duties.
First of all, they should review and analyse how much personal data they possess and clarify collection channels, methods, and its keepers. They must review policy on data sharing and deletion and conditions under which these occur. They should design a data flow system for data management procedures. Different types of personal data also require different treatment for different levels of legal compliance.
Personal information of employees is also protected by the new law
The company must accord them the right to process their data and protect their privacy.Next, they should set up in-house data protection teams to monitor data privacy and ensure legal compliance.
According to a TDRI study, well-prepared business operators all have in-house teams and internal systems to monitor data flow and to assist other business departments for legal compliance.
These teams will coordinate with the national data protection agency when a data breach occurs. Having in-house data protection teams also prevents the risk of violating the law by sharing personal data with an outsourced third party.
Notably, collecting, processing and disclosing personal information is allowable when it involves contractual obligations, but only with the data owner’s consent, which can be acquired electronically.
However, business operators must be cautious about sensitive information such as on race, health, criminal records and religion. Disclosing such personal data requires the owner’s consent in most cases.
Business operators should also occasionally delete personal data in their possession to reduce the workload.
Better still, they should maintain only what is necessary. It helps to have data flow maps to identify when certain information should be deleted and under what conditions to ensure effective data protection.
Equally necessary is the a management system that owners can access. Maintaining a record of access is also useful for in-house monitoring, not only for data security but also for emergency intervention.To ensure compliance with the data protection law, the operators should have data protection and privacy policies in place and inform customers and the public accordingly. They should reveal how they manage and protect consumer’s personal data and the channels for data owners to access and manage their information.
Staff training on data privacy and protection is necessary to help employees at all levels avoid violating the law. At the same time, organisations must set up a system for staff to access their personal data and exercise their right to manage and protect their data privacy.
Preparation to comply with the Personal Data Protection Act requires much more than creating consent forms for customers or ad-hoc measures. It requires understanding the big picture of one’s business operations and entails participation from all levels of staff, from top executives to customer service.The time needed for organisational adjustment varies with the size and complexity of the business.
From our TDRI study, business operators with over 10,000 employees need at least two years to prepare themselves.Since business preparations cost time and money, businesses should work together under their professional umbrellas, such as the Federation of Thai Industries, the Thai Chamber of Commerce, or other business alliances under the same regulator. Business collaboration to mete out the data protection and privacy standards with input from the national regulator will benefit both parties.
The participatory process will enable the private sector to follow clear and common directions. It also makes it easier for the state regulator to monitor the businesses through mutually agreed standards.When the state regulator is not ready, the business sector must make the first step. If not, their unpreparedness will backfire and people’s data privacy will suffer further.
Chawana Huangsuntornchai is a researcher at the Thailand Development Research Institute (TDRI).
Author : Chawana Huangsuntornchai
First Publish: Bangkok Post, September 11, 2019
The post Businesses must lead on data privacy appeared first on TDRI: Thailand Development Research Institute.
Digital Revolution and Repression in Myanmar and Thailand
Activists have also proactively published social media content in multiple languages using the hashtags #WhatsHappeningInMyanmar and #WhatsHappeningInThailand to boost coverage of events on the ground.
How will oil prices shape the Covid-19 recovery in emerging markets?
– After falling significantly in 2020, oil prices have returned to pre-pandemic levels
– The rise has been driven by OPEC+ production cuts and an improving economic climate
– Higher prices are likely to support a rebound in oil-producing emerging markets
– Further virus outbreaks or increased production would pose challenges to price stability
A combination of continued production cuts and an increase in economic activity has prompted oil prices to return to pre-pandemic levels – a factor that will be crucial to the recovery of major oil-producing countries in the Middle East and Africa.
Brent crude prices rose above $60 a barrel in early February, the first time they had exceeded pre-Covid-19 values. They have since continued to rise, going above $66 a barrel on February 24.
The ongoing increase in oil prices, which have soared by 75% since November and around 26% since the beginning of the year, marks a dramatic change from last year.
Following the closure of many national borders and the implementation of travel-related restrictions to stop the spread of the virus, demand for oil slumped globally.
In the wake of the Saudi-Russia price war in early 2020, Brent crude prices fell from around $60 a barrel in February that year to two-decade lows of $20 a barrel in late April, as supply increased and demand plummeted. The value of WTI crude – the main benchmark for oil in the US – fell to record lows of around $40 a barrel last year on the back of a lack of storage space.
While global demand for oil remains low, one factor credited with reversing the trend is the decision to make significant cuts to oil production, which subsequently tightened global supplies.
Subscribe via Email
Recovering global trade supports APAC economies but Tourism exposure will temper Thailand’s rebound
The direct contribution of travel and tourism to Thailand's economy was around 10% of GDP before the pandemic, but the...
Thailand Expects 600,000 Tourists from Phuket Sandbox reopening
From 1 July, Phuket will waive quarantine requirements for foreign tourists who have been fully vaccinated against COVID-19 under the...
Thai Government Plans to Increase 2022 Investment Budget by 90 Billion baht ($2.84 bln)
According to the 2022 fiscal budget bill, which has public spending set at 3.1 trillion baht, accounting for 17.9% of...
Fitch Affirms Thailand’s rating at ‘BBB+’ with a Stable Outlook
Fitch forecasts Thailand's tourism-dependent economy will recover only modestly, by 1.8% in 2021 after a sharp 6.1% contraction in 2020.
One-stop SME information portal connecting ASEAN businesses and beyond
The ASEAN Access is a flagship initiative of the ACCMSME, spearheaded by the OSMEP, Thailand and supported by the Federal...