dtac Welcomes PDPA enforcement on June 1, reaffirming its strong governance and human rights commitments for customers

May 30, 2022 – dtac is prepared and ready for the Personal Data Protection Act (PDPA) coming into force in Thailand on June 1, offering its services by taking proactive, investigative and corrective actions to protect data privacy. The move reaffirms its strong role in supporting its responsibility to respect human rights and strengthen good governance, while PDPA enforcement is a milestone for privacy protection in the nation in a manner aligned with global standards.

dtac has adopted a personal data policy which describes in a consumer-friendly way the rationale and the manner in which dtac collects, stores and manages their personal data in compliance with the PDPA. The policy also details the opportunities that clients have to monitor and manage their personal data.

From Human Rights to Privacy Policy

Stephen James Helwig, Interim Chief Corporate Affairs Officer at Total Access Communications Plc or dtac, said “As running our business responsibly is our core strategy, two human rights issues that are directly related to dtac are the right to information and freedom of expression. dtac welcomes and is pleased to apply its policy, offering the optimal benefit for consumers, business and society as a whole. The enforcement of PDPA on June 1 after a two-year postponement has marked a milestone for privacy protection and data security for customers in Thailand”

The PDPA ensures a high level of protection for consumers while allowing for consistent and flexible regulation that enables continued innovation. Trust in the protection of personal data is viewed as a new value prospect for our customers in the digital era.

“Our customers’ trust lies at the heart of our business. Technological advantages, such as artificial intelligence, the Internet of Things and 5G, will both generate and use large amounts of data to add value. And we view transparency as an undisputed value proposition to build customer trust,” said Mr.Helwig

Our digital society provides endless opportunities, but also creates a need for secure data handling. Privacy is one of dtac’s top priorities when we develop our services. In addition, our privacy policy reaffirms dtac’s strong principles in governance and human rights delivered through secured, inclusive and accessible connectivity. Here is how we conduct responsible business https://www.dtac.co.th/sustainability/en/rb

From Policy to Practice

Mr.Helwig added that dtac has implemented its privacy policy and conducted readiness projects since the General Data Protection Regulation (GDPR) came into effect in Europe in 2018 and when the PDPA was enacted in 2019. The company has mapped all activities, ensuring that good procedures are put in place every step of the way in its data processing called “privacy-by-design”, resulting in quality and secured services anywhere our staff members work from. dtac has a solid set of guidelines involved with data use, ranging from how it collects, processes and shares data.

  1. Collection – dtac collects a set of direct and indirect identifiable data that is useful for service improvements.
  2. Process – dtac processes personal data for specific, explicit, and legitimate purposes.
  3. Sharing – dtac is transparent on how it shares and discloses data based on a legal basis.

In addition, dtac also has a framework to mitigate risks of data breach, ensuring that is has privacy and security in place.

1. Proactive approach

dtac has developed a “Privacy Checkpoint” as a tool to control and reduce the risk of privacy breaches. Those involved with customer data (application developers, data analysis and business intelligence officers) who intend to use data in a new manner are required to give data-usage reasons to the appointed data privacy officer (DPO) to assess any restriction of fundamental rights, whether the use has a legal basis, and to give a necessity and proportionality analysis. Moreover, those involved with customer data are required to pass a data security assessment overseen by a technical team. If the matter passes the initial assessment, it will be reviewed, endorsed and approved under a Data Protection Impact Assessment (DPIA).

The DPO is an expert in data protection, adequately resourced, and directly reports to the highest management level to prevent any external-factor interference.  The DPO is expected to carry out his duties objectively and in accordance with PDPA requirements.

2.Investigative approach

To reduce the risk of personal-data breaches, frontline employees who deal with customers’ personal data must regularly conduct assessments, with the results  submitted to the DPO for review. Moreover, audits are done by internal and external committees on a quarterly basis as assurances that dtac’s privacy policy is properly enforced.

3. Corrective action

When a breach is detected, the DPO must alert the Office of Personal Data Committee and report corrective action. 
Data protection is a Purpose-Limitation mechanism. dtac has prepared its data protection in accordance with ISO 27001, Information Technology Infrastructure Library (ITIL) Framework, and various other international standards. As a result, access to, transfers of, and storage of personal data at dtac focuses on confidentiality, integrity, and availability.

“We’re ready to comply with PDPA, and we’ve developed and implemented internal processes for more than two years in preparation for its enforcement. All of our employees are trained and aware of our privacy policy, which is now part of our DNA,” said Mr.Helwig.

For customers and those interested in how we work with privacy, please click https://www.dtac.co.th/sustainability/en/privacy/how-we-work