May 30, 2022 – dtac is prepared and ready for the Personal Data Protection Act (PDPA) coming into force in Thailand on June 1, offering its services by taking proactive, investigative and corrective actions to protect data privacy. The move reaffirms its strong role in supporting its responsibility to respect human rights and strengthen good governance, while PDPA enforcement is a milestone for privacy protection in the nation in a manner aligned with global standards.
dtac has adopted a personal data policy which describes in a consumer-friendly way the rationale and the manner in which dtac collects, stores and manages their personal data in compliance with the PDPA. The policy also details the opportunities that clients have to monitor and manage their personal data.
Stephen James Helwig, Interim Chief Corporate Affairs Officer at Total Access Communications Plc or dtac, said “As running our business responsibly is our core strategy, two human rights issues that are directly related to dtac are the right to information and freedom of expression. dtac welcomes and is pleased to apply its policy, offering the optimal benefit for consumers, business and society as a whole. The enforcement of PDPA on June 1 after a two-year postponement has marked a milestone for privacy protection and data security for customers in Thailand”
The PDPA ensures a high level of protection for consumers while allowing for consistent and flexible regulation that enables continued innovation. Trust in the protection of personal data is viewed as a new value prospect for our customers in the digital era.
“Our customers’ trust lies at the heart of our business. Technological advantages, such as artificial intelligence, the Internet of Things and 5G, will both generate and use large amounts of data to add value. And we view transparency as an undisputed value proposition to build customer trust,” said Mr.Helwig
From Policy to Practice
- Collection – dtac collects a set of direct and indirect identifiable data that is useful for service improvements.
- Process – dtac processes personal data for specific, explicit, and legitimate purposes.
- Sharing – dtac is transparent on how it shares and discloses data based on a legal basis.
In addition, dtac also has a framework to mitigate risks of data breach, ensuring that is has privacy and security in place.
1. Proactive approach
dtac has developed a “Privacy Checkpoint” as a tool to control and reduce the risk of privacy breaches. Those involved with customer data (application developers, data analysis and business intelligence officers) who intend to use data in a new manner are required to give data-usage reasons to the appointed data privacy officer (DPO) to assess any restriction of fundamental rights, whether the use has a legal basis, and to give a necessity and proportionality analysis. Moreover, those involved with customer data are required to pass a data security assessment overseen by a technical team. If the matter passes the initial assessment, it will be reviewed, endorsed and approved under a Data Protection Impact Assessment (DPIA).
The DPO is an expert in data protection, adequately resourced, and directly reports to the highest management level to prevent any external-factor interference. The DPO is expected to carry out his duties objectively and in accordance with PDPA requirements.
3. Corrective action
When a breach is detected, the DPO must alert the Office of Personal Data Committee and report corrective action. Data protection is a Purpose-Limitation mechanism. dtac has prepared its data protection in accordance with ISO 27001, Information Technology Infrastructure Library (ITIL) Framework, and various other international standards. As a result, access to, transfers of, and storage of personal data at dtac focuses on confidentiality, integrity, and availability.
For customers and those interested in how we work with privacy, please click https://www.dtac.co.th/sustainability/en/privacy/how-we-work