As of June 1, 2022, the long-awaited Personal Data Protection Act B.E. 2562 or PDPA has finally come into effect after a two-year delay. The Cabinet had postponed the PDPA’s enforcement twice when the outbreak of Covid-19 made it difficult for enterprises to make adequate preparations to comply with this new law.
Despite its postponement, dtac began internal preparations in 2018 to comply with the PDPA given the importance it places on customers’ privacy. dtac started its preparations by referring in part to the European Union’s General Data Protection Regulation (GDPR).
Privacy as Fundamental Right
Montri Stapornkul, an expert in personal-data management and dtac’s Data Privacy Officer (DPO), said dtac puts the principles of good governance and human rights at the heart of its business operations. Privacy, as a fundamental human right, has received a lot of attention from many countries because it underpins many other rights and freedoms.
PDPA is rooted in the idea of “restoring a fundamental right” of Thais. This right has to do with privacy, which is protected under the Thai constitution. Privacy is a broad concept, covering bodily privacy, communication privacy, territorial privacy, and information privacy.
The three core elements of PDPA are:
- Transparency: Enterprises generally must inform and seek consent from service users openly, transparently and directly for use of their personal data. After obtaining consent, enterprises must keep the personal data secure and available for review while maintaining records of processing activity in line with applicable regulations and required processes.
- Lawful Use of Personal Data: Enterprises must be able to produce evidence that service user data is used for those purposes for which they have provided consent.
- Accountability: All employees of enterprises, from executive level down to operational level, must be accountable for customer data and have knowledge/understanding of the enterprise’s privacy policies.
To ensure that its use of customer data is proper and in line with the intent behind privacy laws, dtac has laid down a three-pillar framework – Proactive Approach, Investigative Approach, and Corrective Action – to reduce breach risks during operations.
“Whether their business is small or large, dtac Business provides them services with the same principles and standards, especially when it comes to privacy,” said Mr. Krit
While the foundational layer of data privacy (policy) is very important, other layers are just as critical. Checks-and-balances guidelines, in essence, have crucial significance. They must be upheld when training is provided to operational staff. During the past three years, dtac has provided regular training on privacy to its employees.
In addition to corporate preparation for privacy protection, data owners or data subjects should also be aware of their right to privacy, and what they stand to lose if they do not understand their rights.