Walking the data tightrope
Compliance with the upcoming privacy law is at the forefront for all sectors
Top government officials and business leaders are stressing the importance of collecting big data on the population, but also protecting personal, commercial and governmental data from increasingly frequent cybersecurity threats.
At Wednesday's Bangkok Post Conference, titled "Power of Data Privacy in a Connected World", a data expert panel discussed how the country's newly minted data protection laws will change Thailand and how companies can comply, specifically with the Personal Data Protection Act (PDPA) that comes into effect in May 2020.
‘‘ The PDPA will have the most drastic impact on the nation’s 75 million people and our companies.
Member, PDPA preparation committee
NEW PRIVACY ERA
Paiboon Amonpinyokeat, a member of the preparation committee for the PDPA, said the new law will be enforced after a year-long grace period and will have a vast impact on Thai society.
"Of all the new digital laws, the PDPA will have the most drastic impact on the nation's 75 million people and our companies," he said. "Everyone will be affected, it will definitely affect you."
The PDPA's definition of personal data is any data that can identify that person directly or indirectly such as photo, national ID, address, internet behaviour, IP address and MAC (media access control) address of a computer user, to name a few.
Mr Paiboon said the PDPA is in line with the EU's General Data Protection Regulation (GDPR) that has become the de facto international standard for data protection. The new law will help Thai companies avoid violating the GDPR and subsequent fines and sanctions.
The PDPA mandates that data controllers and data processors who use personal data receive consent from data owners and use the data only for expressed purposes. The PDPA's penalty for the use of data beyond the stated purpose and without consent is a jail sentence of six months and a fine of 500,000 baht. A company that uses personal data for commercial purposes without users' consent could face up to a year in jail and a fine of 1 million baht.
The PDPA will impact four key groups: human resources (employee data), marketing and public relations (customer data), IT departments (databases) and legal (information in contracts).
Mr Paiboon suggested that every key sector (banking, insurance, healthcare, telecom) that has regulations for each vertical sector needs to outline a code of conduct for data security and data privacy that is submitted to the Digital Economy and Society (DE) Ministry for guidance in order to comply with the PDPA expediently.
Businesses should have a data protection officer that maintains compliance for all four groups and changes the existing standard agreement.
Moreover, the DE Ministry needs to educate citizens to avoid complaints and unnecessary lawsuits. After the PDPA comes into effect, if someone takes a photo of someone without the person's knowledge and posts it to social media or makes commercial use of the photo, the photographer will be in violation of the PDPA.
The PDPA has exceptions for personal use and for government agencies that collect data related to national security purposes.
‘‘ If businesses are already taking care of data the right way, the new law should not hinder your business.
President, True Digital Group
PRIVATE SECTOR PROTECTION
Michael Gryseels, president of True Digital Group, said his company welcomes the new data protection and cybersecurity laws, as he believes his company has long-standing high standards for protecting data.
"We are very capable with customer data, and the legal framework forces us to double-check how we are doing things," Mr Gryseels said. "If businesses are already taking care of data the right way, the new law should not hinder your business."
He said the technology and telecom sectors are in for a great disruption in the next few years, due to how companies can leverage the rapid increase in computing power, network connected devices and advances in data analytics through machine learning.
"Innovation does not come without disruptions," he said. "Companies that disrupt themselves faster than they can be disrupted will better survive in the long run."
‘‘ Possessing the data is a burden in a way.
Managing director, consumer business management, Citi Thailand
LESS IS MORE
Vira-Anong Phutrakul, managing director of consumer business management at Citi Thailand, said companies should be conservative about what customer data they decide to get, as storing data is a liability in itself.
"Possessing the data is a burden in a way, so we have to make sure data is well protected and not abused," Ms Vira-Anong said. "In reality, [companies] will have to adapt and update technology."
She said criminals are improving their techniques every day, so companies have to constantly improve fraud detection and cybersecurity methods. Businesses should also ask consent from their customers when requesting personal data.
‘‘ If you are careless about the proper protection measures, all methods of cyberattack could happen.
Chief technology officer, Huawei Thailand
Tanin Noirungsee, chief technology officer of Huawei Thailand, said storing data privately is not always the safest option. Companies that offer cloud services could have better security capabilities than one's own personal computer.
With cloud services, he said Huawei customers can trust in Huawei to keep data safeguarded through its internal rules and regulations, which will be strengthened by the upcoming PDPA requirements.
Organisations that store their data in their internal systems may have to take precautionary measures against attacks, Mr Tanin said.
"If you are careless about the proper protection measures, all methods of cyberattack could happen," he said.
Huawei's technology is the basis of the 5G infrastructure for Thailand. Thai citizens must trust the Chinese company with their data, even as Huawei faces accusations of spying on behalf of the Chinese government by the US.
According to Mr Tanin, Huawei's cloud service has drawn many customers from many industries.
"Customers expect that we will take care of them well and their data will not be exploited or leaked," Mr Tanin said.
Any process of storing, processing or retrieving data must be protected and entitled to proper monitoring, he said.
‘‘ The organisations will be at an advantage when they comply with the law.
Lawyer, Baker & McKenzie
Benefit from PDPA
Siranya Rhuvattana, a lawyer at Baker & McKenzie, said that while organisations may face challenges in complying with the PDPA, the law could also be beneficial to their operations because all data will be systematically organised in a clear data flow.
The PDPA will govern how data is collected, processed and disseminated, and organisations will be keenly aware of the life cycle of the data they use, she said.
"This would be an overhaul in organisations' in-house data arrangement," Ms Siranya said. "The organisations will be at an advantage when they comply with the law."
She acknowledged the challenges that could also entail after compliance with the law.
In the future, the volume of data will rise because of the emergence of new technologies such as the Internet of Things and automation, which could immeasurably burden employees who are responsible for compliance, Ms Siranya said.
How these organisations will deal with substantial incoming requests to change or delete the information is also a forthcoming challenge, she said.
The law could also conflict with other laws, such as those linked with the telecom sector that prevent the erasure of information.
According to her, organisations need to embark on "who, what, when, why, how" criteria in relation to the data they obtain and they should know their duties based on the law that they need to comply with.
She urged all parties to prepare themselves for the legislation.
"I want all relevant documents to be prepared for the enforcement of the law," Ms Siranya said.
‘‘ We are capable of issuing the law, but enforcement is problematic.
Chief data scientist, Sertis
Jarun Ngamvirojcharoen, chief data scientist at Sertis, said there may not be enough data professionals in Thailand to meet the requirements of the law.
"We are capable of issuing the law, but enforcement is problematic," he said. "We don't know how many data scientists there are in Thailand, but just based on who is on LinkedIn, there is maybe 1,000, and 100,000 globally."
Mr Jarun said data protection and privacy knowledge should be part of academic curricula in order to ensure sufficient staffing of data scientists in the coming generations.
"Analytics can benefit business of every size, even SMEs, but the field requires a mindset of data literacy and the use of tools to automate aspects of data management," he said.
In his view, the law poses no threat to the advancement of data analytics because firms can use data that is anonymised, or metadata, to draw analytical conclusions.
Additional reporting by William Hicks and Tharittawat Samejaidee