Walking the data tightrope

Updated: Jun 1, 2021

Compliance with the upcoming privacy law is at the forefront for all sectors

Top government officials and business leaders are stressing the importance of collecting big data on the population, but also protecting personal, commercial and governmental data from increasingly frequent cybersecurity threats.

At Wednesday's Bangkok Post Conference, titled "Power of Data Privacy in a Connected World", a data expert panel discussed how the country's newly minted data protection laws will change Thailand and how companies can comply, specifically with the Personal Data Protection Act (PDPA) that comes into effect in May 2020.

Paiboon Amonpinyokeat

Member, PDPA preparation committee


Paiboon Amonpinyokeat, a member of the preparation committee for the PDPA, said the new law will be enforced after a year-long grace period and will have a vast impact on Thai society.

"Of all the new digital laws, the PDPA will have the most drastic impact on the nation's 75 million people and our companies," he said. "Everyone will be affected, it will definitely affect you."

The PDPA's definition of personal data is any data that can identify that person directly or indirectly such as photo, national ID, address, internet behaviour, IP address and MAC (media access control) address of a computer user, to name a few.

Mr Paiboon said the PDPA is in line with the EU's General Data Protection Regulation (GDPR) that has become the de facto international standard for data protection. The new law will help Thai companies avoid violating the GDPR and subsequent fines and sanctions.

The PDPA mandates that data controllers and data processors who use personal data receive consent from data owners and use the data only for expressed purposes. The PDPA's penalty for the use of data beyond the stated purpose and without consent is a jail sentence of six months and a fine of 500,000 baht. A company that uses personal data for commercial purposes without users' consent could face up to a year in jail and a fine of 1 million baht.

The PDPA will impact four key groups: human resources (employee data), marketing and public relations (customer data), IT departments (databases) and legal (information in contracts).

Mr Paiboon suggested that every key sector (banking, insurance, healthcare, telecom) that has regulations for each vertical sector needs to outline a code of conduct for data security and data privacy that is submitted to the Digital Economy and Society (DE) Ministry for guidance in order to comply with the PDPA expediently.

Businesses should have a data protection officer that maintains compliance for all four groups and changes the existing standard agreement.

Moreover, the DE Ministry needs to educate citizens to avoid complaints and unnecessary lawsuits. After the PDPA comes into effect, if someone takes a photo of someone without the person's knowledge and posts it to social media or makes commercial use of the photo, the photographer will be in violation of the PDPA.

The PDPA has exceptions for personal use and for government agencies that collect data related to national security purposes.

Michael Gryseels

President, True Digital Group


Michael Gryseels, president of True Digital Group, said his company welcomes the new data protection and cybersecurity laws, as he believes his company has long-standing high standards for protecting data.

"We are very capable with customer data, and the legal framework forces us to double-check how we are doing things," Mr Gryseels said. "If businesses are already taking care of data the right way, the new law should not hinder your business."

He said the technology and telecom sectors are in for a great disruption in the next few years, due to how companies can leverage the rapid increase in computing power, network connected devices and advances in data analytics through machine learning.

"Innovation does not come without disruptions," he said. "Companies that disrupt themselves faster than they can be disrupted will better survive in the long run."

Vira-Anong Phutrakul

Managing director, consumer business management, Citi Thailand


Vira-Anong Phutrakul, managing director of consumer business management at Citi Thailand, said companies should be conservative about what customer data they decide to get, as storing data is a liability in itself.

"Possessing the data is a burden in a way, so we have to make sure data is well protected and not abused," Ms Vira-Anong said. "In reality, [companies] will have to adapt and update technology."

She said criminals are improving their techniques every day, so companies have to constantly improve fraud detection and cybersecurity methods. Businesses should also ask consent from their customers when requesting personal data.