Walking the data tightrope

Updated: Jun 1

Compliance with the upcoming privacy law is at the forefront for all sectors


Top government officials and business leaders are stressing the importance of collecting big data on the population, but also protecting personal, commercial and governmental data from increasingly frequent cybersecurity threats.


At Wednesday's Bangkok Post Conference, titled "Power of Data Privacy in a Connected World", a data expert panel discussed how the country's newly minted data protection laws will change Thailand and how companies can comply, specifically with the Personal Data Protection Act (PDPA) that comes into effect in May 2020.

Paiboon Amonpinyokeat

Member, PDPA preparation committee


NEW PRIVACY ERA


Paiboon Amonpinyokeat, a member of the preparation committee for the PDPA, said the new law will be enforced after a year-long grace period and will have a vast impact on Thai society.

"Of all the new digital laws, the PDPA will have the most drastic impact on the nation's 75 million people and our companies," he said. "Everyone will be affected, it will definitely affect you."


The PDPA's definition of personal data is any data that can identify that person directly or indirectly such as photo, national ID, address, internet behaviour, IP address and MAC (media access control) address of a computer user, to name a few.


Mr Paiboon said the PDPA is in line with the EU's General Data Protection Regulation (GDPR) that has become the de facto international standard for data protection. The new law will help Thai companies avoid violating the GDPR and subsequent fines and sanctions.


The PDPA mandates that data controllers and data processors who use personal data receive consent from data owners and use the data only for expressed purposes. The PDPA's penalty for the use of data beyond the stated purpose and without consent is a jail sentence of six months and a fine of 500,000 baht. A company that uses personal data for commercial purposes without users' consent could face up to a year in jail and a fine of 1 million baht.


The PDPA will impact four key groups: human resources (employee data), marketing and public relations (customer data), IT departments (databases) and legal (information in contracts).


Mr Paiboon suggested that every key sector (banking, insurance, healthcare, telecom) that has regulations for each vertical sector needs to outline a code of conduct for data security and data privacy that is submitted to the Digital Economy and Society (DE) Ministry for guidance in order to comply with the PDPA expediently.


Businesses should have a data protection officer that maintains compliance for all four groups and changes the existing standard agreement.


Moreover, the DE Ministry needs to educate citizens to avoid complaints and unnecessary lawsuits. After the PDPA comes into effect, if someone takes a photo of someone without the person's knowledge and posts it to social media or makes commercial use of the photo, the photographer will be in violation of the PDPA.


The PDPA has exceptions for personal use and for government agencies that collect data related to national security purposes.

Michael Gryseels

President, True Digital Group


PRIVATE SECTOR PROTECTION


Michael Gryseels, president of True Digital Group, said his company welcomes the new data protection and cybersecurity laws, as he believes his company has long-stand