Businesses must lead on data privacy
After a long wait, we finally have a law to protect our data privacy. But don't jump with joy just yet.
Nowadays when we are obliged to give away our personal data for various services, it is only right to have a system to prevent data privacy violations and to punish companies for selling or misusing our personal information.
The recent Facebook data scandal shows how easily businesses can violate consumer privacy for commercial gain. It also shows how seriously governments now take data privacy.
Following the scandal, the US Federal Trade Commission hit the tech giant with a record US$5 billion (153 billion baht) fine for allowing Cambridge Analytica, a political consultancy firm, to obtain the personal data of up to 87 million Facebook users, possibly for political purposes during the US presidential election.
The Italian Data Protection Authority also ordered Facebook to pay a fine of one million euros (33.8 million baht) for Cambridge Analytica data misuse which violated Italy's privacy law.
I recommend you watch The Great Hack, a Netflix documentary on the Facebook-Cambridge Analytica scandal, to understand the danger of data misuse and the urgency of personal data protection.
It is good news, then, that Thailand finally has a law in place to protect consumer privacy and personal data. It took over two decades for this law to materialise despite much public concern over consumer privacy violations.
The Personal Data Protection Act came into effect in May this year, a significant move to protect consumer rights in Thailand's digital age. Under this law, people have the right to protect their privacy and manage personal data collected by organisations and companies. Consent is one of the key features for data sharing, while people have the right to know which organisations have their data as well as how it is used and shared.
Yet implementation remains problematic.
For starters, the national personal data protection commission won't be able to operate as a regulator for at least another year.
Also, many provisions are still vague, which may lead to legal misinterpretation and weak legal enforcement.
Since the law allows business operators only a one-year grace period before legal enforcement, they have little time to adjust their operations to comply with the personal data privacy law. Without an authorised body to clarify legal provisions and set guidelines, most operators will be unprepared for compliance when the data privacy regulator is ready to enforce the law next year.
The law was too slow to materialise, and is now being enforced too quickly for businesses to prepare for the change.
According to a survey by the Thailand Development Research Institute (TDRI), business operators are voicing a similar need for legal clarifications and guidelines from the state regulator due to vague legal provisions. Anxiety is running high that unclear legal provisions may lead them into legal and financial wrangles.
But there are still several things they can do to avoid such problems.
Under the new law, business operators have two main responsibilities. One is to protect personal data by giving its owner the right to access and correct it, to be fully informed about how it is used, and to manage and delete it. Consent is necessary for data collection, use and disclosure in many cases.
Their other duty is to inform the owner when a data breach occurs and to report it to the national personal data protection commission.
Despite the lack of clear legal guidelines, business operators can prepare themselves to meet these two duties.
First of all, they should review and analyse how much personal data they possess and clarify its collection channels, methods and keepers. They must review their policies on data sharing and deletion and the conditions under which these occur. They should design a data flow system for their data management procedures. Different types of personal data also require different treatment and different levels of legal compliance. Personal information of employees is also protected by the new law: the company must give them the right to access and manage their data and protect their privacy.
Next, they should set up in-house data protection teams to monitor data privacy and ensure legal compliance. According to a TDRI study, well-prepared business operators all have in-house teams and internal systems to monitor data flow and to assist other business departments with legal compliance. These teams will coordinate with the national data protection agency when a data breach occurs. Having in-house data protection teams also reduces the risk of violating the law by sharing personal data with an outsourced third party.
Notably, collecting, using and disclosing personal information is permitted where it is necessary to perform a contract with the data owner; otherwise consent is generally required, and it can be obtained electronically.
However, business operators must be particularly cautious with sensitive information such as race, health, criminal records and religion. Collecting or disclosing such personal data requires the owner's explicit consent in most cases.
Business operators should also periodically delete personal data they no longer need, which reduces both their risk and their workload. Better still, they should collect and keep only what is necessary. It helps to have data flow maps that identify when certain information should be deleted and under what conditions, to ensure effective data protection.
Equally necessary is a data management system through which data owners can access their information. Maintaining a record of who accessed what data, and when, is also useful for in-house monitoring, not only for data security but also for responding to incidents.
To ensure compliance with the data protection law, the operators should have data protection and privacy policies in place and inform customers and the public accordingly. They should reveal how they manage and protect consumer's personal data and the channels for data owners to access and manage their information.
Staff training on data privacy and protection is necessary to help employees at all levels avoid violating the law. At the same time, organisations must set up a system for staff to access their personal data and exercise their right to manage and protect their data privacy.
Preparation to comply with the Personal Data Protection Act requires much more than creating consent forms for customers or ad-hoc measures. It requires understanding the big picture of one's business operations and entails participation from all levels of staff, from top executives to customer service.
The time needed for organisational adjustment varies with the size and complexity of the business. From our TDRI study, business operators with over 10,000 employees need at least two years to prepare themselves.
Since business preparations cost time and money, businesses should work together under their professional umbrellas, such as the Federation of Thai Industries, the Thai Chamber of Commerce, or other business alliances under the same regulator. Business collaboration to draw up data protection and privacy standards with input from the national regulator will benefit both parties. The participatory process will enable the private sector to follow clear and common directions. It also makes it easier for the state regulator to monitor businesses against mutually agreed standards.
When the state regulator is not ready, the business sector must take the first step. If not, its unpreparedness will backfire and people's data privacy will suffer further.
Chawana Huangsuntornchai is a researcher at the Thailand Development Research Institute (TDRI). Policy analyses from the TDRI appear in the Bangkok Post on alternate Wednesdays.