Dawn of a new paradigm

It remains to be seen whether the Personal Data Protection Act will be effective at reining in tech behemoths and serial data abusers

The Personal Data Protection Act (PDPA) came into effect in May with a one-year grace period for compliance by companies and government agencies that handle personal data.

The measure comes alongside the EU's General Data Protection Regulation (GDPR), which took effect in May last year and penalises any company worldwide that mishandles the data of EU citizens.

A new paradigm of personal data protection is dawning, following the former Wild West days of companies flagrantly commodifying, buying and selling deeply personal information. But it's still unclear whether these sweeping regulations will rein in tech behemoths and serial data abusers like Facebook.

Under the GDPR, mishandling the data of EU citizens by any company, even those outside the bloc, could be punished by a maximum fine of 4% of annual turnover or €20 million, whichever is higher.

Meanwhile, under Section 42 of the PDPA, companies must appoint a data protection officer (DPO) to manage compliance with the law and collaborate with the Office of the Personal Data Protection Commission.

The DPO is the contact person if problems occur in the storage, use and disclosure of personal data. Penalties under the PDPA range from six months' jail time to a maximum fine of 5 million baht.

These new laws are creating career opportunities for data experts, who stand to benefit from the surge in demand from companies needing such expertise.

"We are in the process of establishing the Office of Personal Data Protection Commission that is estimated to require establishment capital of 200 million baht and 200 staff," said Vunnaporn Devahastin Suthapred, deputy permanent secretary of the Digital Economy and Society (DE) Ministry.

The permanent secretary will submit the organisational structure and budget to the Budget Bureau and the Office of the Public Sector Development Commission.

Moreover, the process of creating a selection committee for the Personal Data Protection Commission needs to be completed within 90 days after endorsement of the law.

"We are close to a draft of all related regulations under the PDPA, as currently there are 22 regulations which we need to consolidate and group," Mrs Vunnaporn said.

The DE Ministry is working with Chulalongkorn University to draw up guidelines for qualifications for DPOs who will be required for organisations that handle large amounts of personal data.

In addition, the regulation needs minimum guidelines for personal data protection, particularly for public services and for banking and financial systems, the two priority sectors.

The regulation is expected to include five vertical sectors: healthcare, telecom, utilities, defence/national security and one more yet to be decided.

All those guidelines and regulations will be approved by the Personal Data Protection Commission, including audit principle guidelines.

The Office of the Personal Data Protection Commission will have an automated system to receive complaints and handle disputes from data subjects and data owners.

A source from the legal department at the DE Ministry said DPOs are used in Singapore, Malaysia and the Philippines, countries that already have personal data protection laws.

Businesses can choose DPOs from internal staff, training them in data management, risk assessment and security.

Businesses in other countries also outsource the DPO role to firms with more experience in the matter.

Dhiraphol Suwanprateep, partner for technology and intellectual property at Baker McKenzie, said the PDPA generally requires all government agencies and private organisations that process large amounts of personal data to appoint a DPO.

Those organisations are likely to be large private organisations rather than small and medium-sized enterprises, unless those SMEs mainly process sensitive personal data.

A DPO is generally required to have knowledge of IT or data privacy or both. Thailand has a number of people who have IT knowledge, but data privacy is new to them.

"If the DE Ministry issues guidelines on how to comply with the PDPA, those IT personnel could quickly become qualified DPOs," Mr Dhiraphol said.

He said the enactment of privacy protection laws will broadly impact all businesses operating in Thailand, regardless of size, industry or other factors.

Thailand's new privacy law aligns with international privacy standards. These laws may initially be burdensome for some businesses, particularly startups, as they create many compliance obligations that will require careful planning, time and money to address.

However, in the medium term such laws will establish Thailand as a privacy leader, improving consumer trust and attracting foreign investment.

The DE Ministry should soon be able to assist Thai businesses by issuing guidance and providing sample compliance-related documents like privacy policies and consent forms.

Startups tend to have simpler organisational structures and more straightforward data flows than established multinational corporations, which means the ministry-provided templates can be easily adapted and applied directly to a startup's business to ensure compliance with the most significant aspects of the privacy laws.

This should minimise the need for extensive compliance-related legal advice and costly, time-consuming preparation of customised privacy-related documents, Mr Dhiraphol said.

COST OF COMPLIANCE

The PDPA is closely related to the Cyber Security Act that came into effect on the same day, May 27. The two laws set up two new agencies initially called the Office of the PDPA board and the Office of the Cybersecurity Agency, both expected to be established this year.

The data protection law is not an alternative or option for corporates but is mandatory because it protects the rights of individuals, especially in the digital-driven economy, according to Pichet Durongkaveroj, the DE minister.

Currently, only a few major corporates have prepared for data protection and appointed DPOs to oversee it, despite personal data laws imposing hefty fines on service providers for non-compliance.

"We [at the ministry] understand it is a very new development, but Thai corporates and SMEs have to understand it well and prepare for it," Mr Pichet said.

Enterprises must be accountable for the personal information under their control, collecting, using and disclosing it only with the consent of the data owner.

Mr Pichet said big corporates should urgently recruit a task force to handle companies' data protection strategies and implementation to ensure compliance with the GDPR and PDPA. The head of this task force should be the DPO.

DPOs could help monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs), and act as a contact point for data subjects and the supervisory authority.

Small corporates and SMEs, meanwhile, could assign and develop the knowledge of their existing IT support teams to handle the new data protection regime. Owners and IT support teams should update and monitor the data protection obligations of companies.

"Enterprises which operate businesses connected to EU citizens must have their teams carry out certain types of processing activities," Mr Pichet said.

Jean Herveg, head of the Liberties and Information Society Department at the University of Namur, said that apart from DPOs, implementation of data protection rules will also result in the creation of new professions such as counsellors on data security, data brokers and data processors.

Some of these professions should be regulated as such (apart from the data protection side) in terms of training, certification and ethics.

BUILDING AN ECOSYSTEM

The DE Ministry plans to raise awareness and data protection literacy by developing a digital economy ecosystem.

First, the PDPA and the Cyber Security Act will set up two new agencies initially called the Office of the PDPA Board and the Office of the Cyber Security Agency.

These two agencies will help build enterprises' data protection literacy through collaboration with outside agencies.

Second, Mr Pichet said the government needs to cooperate with major associations to continuously share, update and discuss issues related to data protection with their members, which include more than 10,000 companies nationwide.

"I have urged cooperation from three major associations, the Thai Bankers' Association, the Federation of Thai Industries and the Board of Trade of Thailand," Mr Pichet said.

Nuttapon Nimmanphatcharin, president and chief executive of the Digital Economy Promotion Agency, said his organisation plans to provide short courses to create awareness among state agencies and educate local enterprises on data protection literacy some time this year.

"Besides the private sector, state agencies that are contact points for regulatory issues of private companies need to be educated," he said.

Mr Nuttapon said personal data is not only names, addresses and identities, but also includes the context of significant activities or transactions. Local enterprises, especially businesses engaged in social platforms, must be made clearly aware of this.
