“Bluebik” Advises Organizations to Strategize Workforce-Adjust Data Usage for PDPA

Bluebik Group, a leading consultant on strategy and management through innovation and technological solutions, suggested that organizations, while waiting for the Personal Data Protection Act (PDPA) to be effective in another year, should prepare people and adjust work strategies and guidelines so as to be aware of the importance of the PDPA which involves all functions organization-wide. Businesses should not only draft a policy to meet the legal requirements, but also know the appropriate timing and use of data to help drive innovation growth and competitiveness. There are 4 key components in applying the PDPA as intended.

 

Mrs. Chantacha Suwannajitr, Chief Operation Officer (COO) of Bluebik Group, a leading consultant on strategy and management through innovation and technological solutions, revealed that an important role of PDPA is to protect personal data, and the Act will directly affect the data analytics process ranging from data collection to data application by different functions. With the postponement of the PDPA enforcement by a year from the original deadline on 28 May 2020, organizations should optimize this one-year opportunity by educating their employees, adjusting strategies, and developing work processes so that all functions realize the importance of the PDPA and do not view that it is only the legal function’s job to draft an operational guideline to meet the legal requirements. What the organizations should do is to adjust and improve their internal work processes and involve all functions in the processes to the greatest extent possible.

 

Thailand’s PDPA was enacted based on the European Union’s General Data Protection Regulation (EU GDPR), which had originated from an incident where a global leading firm’s customer data was compromised and misused. However, the Thai law contains less restricted punishments. In the past, Thai organizations were familiar with international standards for data security management systems such as ISO 27001 which was not compulsory while the PDPA is a law and must be strictly enforced. If there is a leak of personal data without any preventive or adequate and suitable handling measure, this shall be considered an offense and subject to a legal punishment.

 

“Most importantly, organizations must make people aware that the perception of ‘you can do anything to the obtained data’ is incorrect. In reality, the organizations do not own their customer data; their duty is only to maintain and keep the data safe, and to make best use of the data for the owner’s benefits. If an organization carelessly uses the right to the data, this may adversely affect its reputation and customer confidence in the organization as a data user who lacks awareness about the right to the data,” said Mrs. Chantacha.

 

Mrs. Chantacha added that a number of organizations would prepare themselves for the PDPA in order to meet the legal requirements to be enforced from 28 May onwards. However, in practicality, businesses should pay attention to substance over legal form as the law contains extensive details. If the organization does not attain an aligned understanding or tries to follow every part of the law, this could become a hindrance to the business as the marketing, PR, and product development functions may find it hard to make full use of the obtained data to develop strategies or innovations to drive business growth.

 

The answer to the effective implementation of this PDPA lies upon how well an organization can keep a balance of the following 4 key components prior to the implementation.

1) People: People should study and understand the PDPA and get ready for working on it. This is because the PDPA will involve data collections or uses of personal data for different purposes depending on functions such as marketing, IT, product development, etc.

2) Process: Policies and processes in terms of management must be clearly established. Also, consideration should be given to what would be a data management process, ranging from data collection to data removal, including a period of data retention. There should be a clear description of relevant rights, duties, and responsibilities, as well as steps to investigate any data leakage.

3) Data/Information: In the digital era, several organizations’ business processes are based on IT systems, with the data flow occurring across the organizations. Thus, one challenge with regard to data is the scattering of data and the failure to clearly identify its source or where it is kept. This issue is important because if there is a request to cancel data disclosure or a data leak, the organizations must be able to clearly identify what type the data is or at what step a relevant action should be taken.

4) Technology: Technology helps manage data security for a data privacy owner (DPO.) We must accept that systems or technologies required for operating business might be developed at different times or with different purposes according to specific functions. Some functions may have the centralized data center while some others may not. Or, certain functions use outdated technologies which may not support the integration of data security protection/maintenance measures. Without a tool or technology to assist DPO in managing or reviewing data security, the organization may find this matter hard to manage.

 

However, during 1 year before the PDPA official implementation, the organization may have difficulties or limits in evaluating readiness and properness of the 4 key components since the Act is a master law with broad details and must be further applied based on types of work or business.

 

Therefore, an organization may consider having an advisor to help plan and provide guidance as well as evaluate its readiness, what areas are already good or in need of further improvements, what things to add or reduce to ensure a balance, what steps to be planned in each phase, or the cost-effectiveness of each technology investment. The advice on these matters would help lay down practices to comply with the PDPA regulations, including ways to use personal data without breaching intended purposes or legal provisions. The advice would also help adjust strategies and work processes, enabling the organization to use data for innovation development or competitiveness enhancement.

 

“Striking a balance in applying the PDPA to avoid legal violations or losses of business opportunities or competitiveness is critical. Giving too much weight or importance to any particular aspect would hinder the organization’s ability to move forward and achieve growth as planned. For example, if too much attention is paid to the use of data for marketing, the organization’s creditability and loyalty towards the brand and products could be affected due to a high chance of data leakage. This is especially true in today’s world where consumers are more concerned about personal data with a growing number of lawsuits being filed. But, adhering to the law alone could limit marketing capabilities in developing new products or innovations and leave the business behind its rivals,” concluded Mrs. Chantacha.

 

Moreover, Bluebik suggested 4 guidelines for creating awareness of the role and duties of an organization as a data keeper as follows:

1) Preparation of Data Accountability Report: This report shows the number of those accessing and using the data as a way to ensure clarity and transparency in data accountability. This report also reflects how the business is responsible for data protection and maintenance.

2) Responsible Data Use and Analysis: Before the enactment of the Act, many people might not pay much attention to the retention or maintenance of personal data. As a result, anyone could have the right to access data. But, in reality, not all employees or functions are needed to access such data. Hence, it is now time for an organization to revisit their past practice and identify if any over-access was granted because with the higher number of people accessing the data, the higher chance there is of a data leak.

3) Granting Access to Key Data: To exhibit accountability for data usage, data access rights should be clearly specified, e.g. the number of people with the rights to access particular data. This allows the business to see any data access irregularity, for example, frequent visits by a particular person. This practice also leads to a check and balance process by ensuring that edits or updates are free of errors.

4) Establishment of Privacy Committee: A committee dedicated to privacy issues should be established at an organization level and consist of members from all stakeholder groups. The committee should support making decisions at important levels, with the members being executives from various fields or departments of the business to provide different perspectives with regard to responsible data use.