PDPA deep dive: Don't dispute it, embrace it
- Location: Bangkok
- type: Home
- Sort by: A to Z
Data will always be king for businesses, and it is no secret as to why organizations crave it incrementally. Through consumer behavior analytics, businesses nowadays have immediate access to a plethora of accurate information. This information often comes in the form of Personal Identifiable Information (PII), which can be crucial data points for businesses in evaluating their goals and targets. Examples of PII are subscriptions, emails, items purchased online, and given that these types of information are now readily available when they want, it only spurs the obsession for more data.
Unfortunately, but unsurprisingly, sensitive data has proliferated online at a frightening pace and has caused reasons for concern. The addictive culture of always wanting more data has demonstrated that actions need to be taken before things get out of hand as there are qualms that businesses are inept and unprepared to manage and secure such information at a desired level, and these fears are only mounting.
It is hoped that, PDPA, a legislation to tame the violation of data privacy in Thailand, can succeed as it intends to. The purpose of the regulation is to not only reinforce the way businesses are handling personal data, but also allow individuals to protect their rights of access to personal data. Without PDPA, it could be argued that privacy is non-existent, a very dangerous territory. But with PDPA, it essentially ensures there is compliance and accountability on the shoulders of organizations.
As with any regulations, there are punishments for any breaches, and with PDPA, failure to comply could see companies see fines of up to 5 million baht, demonstrating a zero tolerance policy and that anyone can be held accountable. While the law has been in effect since 1st June 2022, given the drastic change, a one year grace period where leniency is granted for any infringements is currently in place to allow for any adjustments to be adapted.
To help you understand and better acclimate to the changes that may affect your company, let's take a deep dive into what PDPA actually is in Thailand. Fundamentally, it functions as a means to govern the collection, use disclosure and care of personal data.
To distinguish the differences between personal data and sensitive data, you may find the below helpful:
Personal data: data that is related to identifying a person, which includes but not limited to customers, employees and business partners
Sensitive personal data: this includes, racial, ethnic origin, sexual orientation, health data, religious beliefs etc
As a guidance for how to take the necessary actions in order to thrive in this new era, an overview on the best practices to take can be found below.
Data required for business operation
Identify which types of personal data is required for your business operations. Such data should take into account the dealings and services with customers, internal operations, day to day relationship with employees and vendors. Each type of personal data, the personnel involved and risks involved in processing data should be given considered attention. This allows the implementation of relevant measures for collection and protection of personal data in a legal manner.
Prior to the introduction of PDPA, the purpose of consent was to ensure that the use of personal data would not be opposed. However, the PDPA goes deeper by laying down a marker in terms of processing, collecting or disclosing any personal data. It should also ensure that processing activities do not harm the rights of the data subject, with rights to request access to their personal data, have their data erased, object to the collection, usage or disclosure of data. Any request for attaining sensitive personal data must also be isolated from general personal data.
The details on how each personal data will be used needs to be transparent. This includes legal bases for data processing, to whom the personal data may be disclosed to, the length the personal data may be stored, contact details and rights of the data subject.
For any activities that are not done in-house and require data processing, an agreement is necessary in order to proceed. This includes day-to-day, back office activities and both offline and cloud storage. Civil administrative liabilities
Data security should also be given utmost importance. After all, PDPA not only governs just how the data is stored, but personnel that have access to the data. Hence, adopting security measures can not only minimize the chances of a cyber attack, but also fines from not adhering to PDPA principles. Moreover, appointing a Data Protection Officer is required, either double hatting with their other role or a dedicated DPO.
In Singapore, fines have resulted from a variety of violation across varying industries, including a hotel’s inability to do due diligence to security systems, exposing personal data of hundreds of millions of guests, a restaurant being a victim of ransomware due to their failure in correctly configuring firewall, a telecommunication company’s failure to install reasonable security arrangements was found to be the culprit of unauthorized disclosure of personal data, the Central Depository sent dividend checks to outdated addresses, putting customers at risk, a shipping company failed in implementing adequate data protection practices
In Singapore, where PDPA is already in place, and other countries where GDPA, a tougher legislation, fines have been handed right, left and center for various violations from business across multiple industries. Below you can see some examples and how hefty it can be.
- A hotel failed to do due diligence to secure their security systems, exposing personal data of hundreds of millions of guests. Result: £99m fine.
- A restaurant fell victim to ransomware causing encryption of personal data of over 300 current and former employees, leading to an investigation that found that it failed to correctly configure a firewall. Result: S$16,000 fine.
- A telecommunication company failure to install reasonable security arrangements was found to be the culprit of unauthorized disclosure of personal data: Result: $9,000 fine.
- A securities company sent dividend checks to outdated addresses, putting customers' personal data at risk. Result: $32,00 fine.
- A ferry service failed to appoint a data protection officer, develop data protection policies and practices and arrange adequate security measures in order to protect its customers personal data. Result: $54,000 fine.
With that in mind, the value of a cyber insurance policy rises. Taking on a cyber policy will also allow further evaluation on your readiness as insurers will carry out an assessment on your cyber security.
At CHAZ, we are fully committed to complying with all the regulations. Despite the adjustments, we undoubtedly recognize the benefit the legislation brings to all parties involved and will continue to ensure that any of our client’s information are obtained with consent.