The upcoming deadline for meeting the compliance requirements of the Thailand Personal Data Protection Act (PDPA) has forced companies to assess and upgrade their current data management practices. While this is clearly a must from a legal perspective, in practical terms all organizations and their employees should take it as an opportunity to review how data is currently being managed and to revise these processes so that they reflect the importance and urgency intended by the new law.
Thailand Personal Data Protection Act (PDPA)
Similar in concept to the General Data Protection Regulation (GDPR), the Thailand PDPA was designed to protect individual personal information by means of a National Privacy Commission. It was approved and endorsed by the National Legislative Assembly on 28th February 2019 and was scheduled to come into effect on 27th May 2020, as published in the Government Gazette. However, due to the unexpected COVID-19 outbreak and its aftermath, Thailand’s Cabinet acknowledged the need for a Draft Royal Decree to postpone the effective date by one year, as proposed by the Ministry of Digital Economy and Society (MDES). According to the latest update, this deadline has been postponed once again. Companies that are considered data controllers or data processors under the Act will now have until 31st May 2022 to become compliant. In any case, all companies should use this extension period to prepare even better, with full commitment and effort.
The Importance of Data Protection
The core of this law is the need for companies to manage their data better, especially Personal Data, which is defined as any information that can identify a living person, whether directly or indirectly, such as name, address, phone number, ID card number, photographs, or biometric data. Data breaches can cost companies significant amounts in fines, penalties, and settlements, as the following cases show:
- Uber | 600,000 driver and 57 million user accounts breached in 2016. Fined USD $148 million in 2018.
- Yahoo | Security breach of entire database of approximately 3 billion accounts in 2013. Fined USD $35 million for failure to disclose as well as another USD $47 million in litigation settlement expenses, both in 2018.
- Capital One | Breach of over 100 million people in the US and Canada, including names, addresses, zip/postal codes, phone numbers, email addresses, and more, in 2019. Penalized USD $80 million in 2020 for “failure to establish effective risk assessment processes” and “failure to correct the deficiencies in a timely manner”.
These cases illustrate just the financial impact of data breaches, not to mention the loss of customer confidence and negative impact on these companies’ brands.
What Can You Do – What We Did
To prepare for the PDPA, and more importantly to prevent such potential disasters, Nikkei Research & Consulting (Thailand) launched a series of initiatives to raise awareness, evaluate current situations, and develop better ways for managing data in the future.
Our first initiative was to send, without warning, a simulated phishing email to all of our employees. We wanted to observe how many would fall for this trap, as well as how they would react afterwards. What would they do with the email message? Would they inform their colleagues? Would they escalate it to their supervisors, IT, or HR? As so much data is received digitally nowadays, informing employees how to detect suspicious messages (such as by clicking to check the sender address) and how to handle such incoming threats (immediately deleting the message and warning others) should be a basic minimum practice.
Our next initiative was to prepare an online knowledge quiz based on the core terms and conditions of the PDPA as well as different data management scenarios. Prior to taking the test, we encouraged employees to study the actual PDPA document or the information summaries that had been prepared.
The test was designed to include easy questions to review important behaviors expected as well as complicated questions to uncover areas where employees may have potential difficulties or misunderstandings. The overall intention of this exercise was to encourage employees to be proactive in getting ready for upcoming priorities and to reinforce necessary actions through self-learning. Having such a resource readily prepared was also intended to help support orientation activities with new employees who may join the company in the future.
Our last initiative was to conduct an internal workshop to reinforce awareness, understanding, and interventions necessary in order to better manage data operations. The agenda of the workshop consisted of:
- Overview of how to handle personal data
- Examples of data breach incidents
- Review of current types, locations, and processes for managing data
- Case studies to analyze situational implications and potential solutions
- Discussion based on online learning results
- Personal reflections on learnings and commitments going forward
Each topic was facilitated as an active learning activity, both individually and in groups. This opportunity to learn together allowed everyone to collectively share ideas about how to fix and prevent data management problems. In order to create commitment to changing the existing status quo, it is important not only to make the desired future state clear but also to inspire the willingness to do so from within.
What delighted us most was everyone’s willingness and eagerness to make proper data management an even higher priority. While some of these new protocols would increase the time and effort required to complete certain tasks, it was unanimously agreed that these additional steps were absolutely necessary and essential. The outcome of this workshop was to serve as an open invitation for all staff to reflect on what they learned about data management and how each and every member would contribute to helping the company achieve these new compliance goals.
Key Success Factors for Managing Readiness
To sum up, here are some principles to help guide your company towards success on this journey:
- Demonstrate Leadership Support | Top management should display their own commitment through communications as well as participation in everything that is required from employees.
- Encourage Openness & Honesty | Help employees feel confident that, should mistakes occur, they can and should be reported so that they can be addressed quickly. Employees should not fear punishment, which may lead them to cover up or hide serious issues.
- Create Momentum Together | Design activities that include and involve everyone in the process, to make everyone aware of the new target destination while motivating everyone to take action from the inside out, not from the top down.
How We Can Help
No matter where you are in terms of readiness, we can help you raise awareness, understanding, and commitment on this data management journey. Our compliance management survey solutions can benchmark how well your organization is currently performing. We can also customize and facilitate workshops based on these results in order to align all teams in the right direction. Use this upcoming Thailand PDPA deadline to assess your readiness and take the right actions to minimize your data management risks. For a free consultation about what to do next, please contact us to discuss further.