How Data Privacy is Coded into dtac’s corporate DNA

As of June 1, 2022, the long-awaited Personal Data Protection Act B.E. 2562 or PDPA has finally come into effect after a two-year delay. The Cabinet had postponed the PDPA’s enforcement twice when the outbreak of Covid-19 made it difficult for enterprises to make adequate preparations to comply with this new law.

Despite its postponement, dtac began internal preparations in 2018 to comply with the PDPA given the importance it places on customers’ privacy. dtac started its preparations by referring in part to the European Union’s General Data Protection Regulation (GDPR).

Privacy as Fundamental Right

Montri Stapornkul, an expert in personal-data management and dtac’s Data Privacy Officer (DPO), said dtac puts the principles of good governance and human rights at the heart of its business operations. Privacy, as a fundamental human right, has received a lot of attention from many countries because it underpins many other rights and freedoms.

PDPA is rooted in the idea of “restoring a fundamental right” of Thais. This right has to do with privacy, which is protected under the Thai constitution. Privacy is a broad concept, covering bodily privacy, communication privacy, territorial privacy, and information privacy.

The three core elements of PDPA are:

  1. Transparency: Enterprises generally must inform and seek consent from service users openly, transparently and directly for use of their personal data. After obtaining consent, enterprises must keep the personal data secure and available for review while maintaining records of processing activity in line with applicable regulations and required processes.
  2. Lawful Use of Personal Data: Enterprises must be able to produce evidence that service user data is used for those purposes for which they have provided consent.
  3. Accountability: All employees of enterprises, from executive level down to operational level, must be accountable for customer data and have knowledge/understanding of the enterprise’s privacy policies.

Implementation Challenges

Mr. Montri added that over the past few years, implementation of dtac’s privacy policy has been a major challenge, requiring continuous engagement on data privacy principles.

To ensure that its use of customer data is proper and in line with the intent behind privacy laws, dtac has laid down a three-pillar framework – Proactive Approach, Investigative Approach, and Corrective Action – to reduce breach risks during operations.

“Checks and balances are hugely important to the efficient implementation of dtac’s privacy policy, the reduction of breaches, and the fulfilment of desired goals. Our privacy checkpoint and security checkpoint not only complement the implementation, they also are designed to be aligned with the intention of PDPA,” Mr. Montri said.

Krit Prapatsakdi, Head of Enterprise Sales Division at dtac, said dtac’s Business group has huge data sets through its B2B customers – enterprises and small to medium size entities (SMEs). When GDPR went into effect in 2018, dtac gradually raised awareness about its tightened privacy policy. Every corporate customer is required to agree in writing to observe this new privacy policy in line with global standards. However, SMEs and small office/home office (SOHO) groups still lack adequate understanding around the new privacy regulations. dtac helps guide these parties and explain the benefits and losses they could face under the new law.

“Whether their business is small or large, dtac Business provides them services with the same principles and standards, especially when it comes to privacy,” said Mr. Krit.

Bottom-Up Approach

Mr. Montri emphasized that customers’ privacy can only be completely protected when the bottom-up approach is observed. In other words, all data users in dtac must have full understanding of its privacy policy. Accessing personal data even in good faith constitutes a breach if the data is used for a purpose that has not been communicated to data owners.

While the foundational layer of data privacy (policy) is very important, other layers are just as critical. Checks-and-balances guidelines, in essence, have crucial significance. They must be upheld when training is provided to operational staff. During the past three years, dtac has provided regular training on privacy to its employees.

In addition to corporate preparation for privacy protection, data owners or data subjects should also be aware of their right to privacy, and what they stand to lose if they do not understand their rights.

Since the launch of dtac’s privacy policy three years ago, the company has noticed a significant rise in privacy awareness among its employees. In the past, dtac’s DPO received more than 1,000 privacy-related counseling requests each year. These days, the number has been reduced to only a few hundred. The decrease reflects employees’ growing understanding of privacy and a better ability to interpret and apply the regulations to their own context. Privacy awareness is now a part of dtac’s corporate DNA.