Digital economy ministry calls for data protection officers
Heavy fines await unsuspecting firms
The Digital Economy and Society (DE) Ministry is calling for mandatory appointments of data protection officers (DPOs) at every organisation that processes or stores personal data from EU citizens to comply with the nation's Personal Data Protection Act (PDPA) and the EU's General Data Protection Regulation (GDPR).
Running afoul of the GDPR could mean the EU imposing heavy fines on companies outside the bloc that handle the data of EU citizens.
Only half of big corporations in Thailand have been preparing their operations to deal with implementation of the data protection regime, said Chayathawatch Atibaedya, senior adviser to the DE Ministry.
Small and medium-sized enterprises are concerned about compliance with data protection rules that could be costly and complicated.
More importantly, the data protection rules impose stiff fines on service providers, both data controllers and processors, for non-compliance. The GDPR imposes a fine of up to €20 million or 4% of the worldwide annual revenue of the prior financial year for infringements.
For the PDPA in Thailand, the fine rate is set at a maximum figure of 5 million baht per infringement.
The GDPR also addresses the export of personal data outside the EU and the European Economic Area. The GDPR aims to give control to individuals of their personal data and to simplify the regulatory environment for international business by unifying regulations within the EU.
Mr Chayathawatch said Thailand's PDPA went into effect on May 27, but the law gives a one-year grace period for enterprises to prepare to comply.
"The data protection law is not an alternative for corporations but a mandatory condition that all players have to comply with because it protects the rights of individuals, especially in digital-driven economies," he said.
Mr Chayathawatch said corporations should not consider the PDPA as a barrier but rather a reference to shore up their data policy. Local enterprises that operate businesses that deal with EU citizens must appoint a DPO for carrying out certain types of processing activities.
The DPOs could help monitor internal compliance, inform and advise on data protection obligations, provide advice regarding data protection impact assessments, and act as a contact point for data subjects and the supervisory authority.
He said tourism-related businesses are a critical sector that will have to closely prepare for implementing their data protection obligations. Tourism activities may engage in other businesses such as life insurance that involve personal data disclosure.
Enterprises have to be accountable for the personal information they collect, use and disclose with the consent of the owner of the data.
Mr Chayathawatch made his remarks at the "Thailand-EU seminar on e-commerce and GDPR" recently held in Bangkok.
Jean Herveg, head of the Liberties and Information Society Department at the University of Namur, said implementation of data protection rules will also result in the creation of new professions such as data protection officers, counsellors on data security, data brokers and data processors.
Some of these professions should be regulated (apart from the data protection side) in terms of training, certification, deontology and ethics.
Mr Herveg said the GDPR is relevant to Thai-EU business relations in three categories.
First, the GDPR covers data processing outside the EU as long as EU citizens are involved. For example, a processor may be located outside the bloc while the controller is in the EU.
Second, the law covers enterprises that are not registered in the EU, but have data processing activities concerning the offer of goods or services to data subjects in the union.
Third, the law applies if an enterprise has no establishment in the EU but its data-processing activities concern the monitoring of the behaviour of data subjects (consumers) who are in the EU.
DE Minister Pichet Durongkaveroj said all sectors need to be prepared to take care of personal data to comply with the principles of the law.
The PDPA is closely related to the Cybersecurity Act, which also went into effect May 27. The two laws set up two new agencies, initially called the Office of PDPA board and the Office of the Cybersecurity Agency, both expected to be established by the end of this year.
Mr Pichet said personal data protection is quite complex and driven by rapidly evolving technology, but many agencies and sectors still lack awareness and understanding of personal information protection.
"A few big corporations have prepared well for data protection regulations such as Thai Airways International, which has already appointed data protection officers in dealing with its operation," he said.
Mr Pichet said he has urged collaboration among three associations -- the Thai Bankers' Association, the Federation of Thai Industries and the Board of Trade of Thailand -- to help make enterprises more aware of the data protection rules.
Thailand also cooperates with the Asean Economic Community for cybersecurity and data protection.