After a long wait, Thailand finally has a law to protect our data privacy. But don’t jump for joy just yet.
Nowadays when we are obliged to give away our personal data for various services, it is only right to have a system to prevent data privacy violations and to punish companies for selling or misusing our personal information.
The recent mega data breach by Facebook shows how easy it is for businesses to violate consumer privacy for commercial gains. It also shows how serious governments are in protecting data privacy.
The Facebook Cambridge Analytica scandal
Following the scandal, the US Federal Trade Commission hit the tech giant with a record US$5 billion (153 billion baht) fine for allowing Cambridge Analytica, a political consultancy firm, to obtain the personal data of up to 87 million Facebook users, possibly for political purposes during the US presidential election.
The Italian Data Protection Authority also ordered Facebook to pay a fine of one million euros (33.8 million baht) for Cambridge Analytica data misuse which violated Italy’s privacy law.
I recommend you watch The Great Hack, a Netflix documentary on the Facebook Cambridge Analytica scandal, to understand the danger of data misuse and the urgency of personal data protection.
It is good news, then, that Thailand finally has a law in place to protect consumer privacy and personal data. It took over two decades for this law to materialise despite much public concern over consumer privacy violations.
The Personal Data Protection Act came into effect in May this year, a significant move to protect consumer rights in Thailand’s digital age.
Consent is one of the key features for data sharing
Under this law, people have the right to protect their privacy and manage personal data collected by organisations and companies. Consent is one of the key features for data sharing, while people have the right to know which organisations have their data as well as how it is used and shared.
Yet implementation remains problematic.
For starters, the national personal data protection commission won’t be able to operate as a regulator for at least another year. Also, many provisions are still vague, which may lead to legal misinterpretation and weak legal enforcement.
Since the law allows business operators only a one-year grace period before legal enforcement, they have little time to adjust their operations to comply with the personal data privacy law.
Without an authorised body to clarify legal provisions and set guidelines, most operators will be unprepared for compliance when the data privacy regulator is ready to enforce the law next year.
This is a matter of the law being too slow to materialise, and then too quickly implemented to prepare businesses for change.
According to a survey by the Thailand Development Research Institute (TDRI), business operators are voicing a similar need for legal clarifications and guidelines from the state regulator due to vague legal provisions. Anxiety is running high that unclear legal provisions may lead them into legal and financial wrangles.
But there are still several things they can do to avoid such problems.
Under the new law, business operators have two main responsibilities.
One is to protect personal data by giving data owners the right to access and correct their personal information, to be fully informed about how it is used, and to manage and delete it. Consent is necessary for data collection, use, and disclosure in many cases.
Their other duty is to inform the owner when a data breach occurs and to report it to the national personal data protection commission. Despite the lack of clear legal guidelines, business operators can prepare themselves to meet these two duties.
First of all, they should review and analyse how much personal data they possess and clarify the collection channels, the methods, and who keeps the data. They must review their policies on data sharing and deletion and the conditions under which these occur. They should design a data flow system for data management procedures. Different types of personal data also require different treatment for different levels of legal compliance.
Personal information of employees is also protected by the new law
The company must accord them the right to process their data and protect their privacy.
Next, they should set up in-house data protection teams to monitor data privacy and ensure legal compliance.
According to a TDRI study, well-prepared business operators all have in-house teams and internal systems to monitor data flow and to assist other business departments for legal compliance.
These teams will coordinate with the national data protection agency when a data breach occurs. Having in-house data protection teams also prevents the risk of violating the law by sharing personal data with an outsourced third party.
Notably, collecting, processing and disclosing personal information is allowable when it involves contractual obligations, but only with the data owner’s consent, which can be acquired electronically.
However, business operators must be cautious about sensitive information such as race, health, criminal records and religion. Disclosing such personal data requires the owner’s consent in most cases.
Business operators should also occasionally delete personal data in their possession to reduce the workload.
Better still, they should maintain only what is necessary. It helps to have data flow maps to identify when certain information should be deleted and under what conditions to ensure effective data protection.
Equally necessary is a management system that data owners can access. Maintaining a record of access is also useful for in-house monitoring, not only for data security but also for emergency intervention.
To ensure compliance with the data protection law, the operators should have data protection and privacy policies in place and inform customers and the public accordingly. They should reveal how they manage and protect consumers’ personal data and the channels for data owners to access and manage their information.
Staff training on data privacy and protection is necessary to help employees at all levels avoid violating the law. At the same time, organisations must set up a system for staff to access their personal data and exercise their right to manage and protect their data privacy.
Preparation to comply with the Personal Data Protection Act requires much more than creating consent forms for customers or ad-hoc measures. It requires understanding the big picture of one’s business operations and entails participation from all levels of staff, from top executives to customer service.
The time needed for organisational adjustment varies with the size and complexity of the business.
From our TDRI study, business operators with over 10,000 employees need at least two years to prepare themselves.
Since business preparations cost time and money, businesses should work together under their professional umbrellas, such as the Federation of Thai Industries, the Thai Chamber of Commerce, or other business alliances under the same regulator. Business collaboration to work out data protection and privacy standards with input from the national regulator will benefit both parties.
The participatory process will enable the private sector to follow clear and common directions. It also makes it easier for the state regulator to monitor the businesses through mutually agreed standards.
When the state regulator is not ready, the business sector must make the first step. If not, their unpreparedness will backfire and people’s data privacy will suffer further.
Chawana Huangsuntornchai is a researcher at the Thailand Development Research Institute (TDRI).
Author: Chawana Huangsuntornchai
First published: Bangkok Post, September 11, 2019
The post Businesses must lead on data privacy appeared first on TDRI: Thailand Development Research Institute.