- Find out more about our privacy policy here
- Although the PDPA act’s enforcement has been postponed, dtac stresses companies should get ready now.
- PDPA affects how businesses collect, use and disclose data.
- It is not simply a security issue but also requires using personal data in accordance with objectives notified to the data subject, making thorough training of employees necessary.
Although its enforcement is postponed to 2022, the Personal Data Protection Act (PDPA) remains a hot topic for Thai businesses, many of which are anxious about their ability to implement it and its potential impact on trade secrets.
To tackle the issue, Mr. Montri Stapornkul, dtac’s privacy expert, joined Thitirat Thipsamritkul, a law lecturer at Thammasat University and Rabkwan Choldamrongkul, the Chief Legal Officer at easyPDPA, to share their views in a talk held at the Intellectual Property and International Trade Court on the Personal Data Protection Act (PDPA).
The PDPA is designed to protect personal data both in government and private sectors. The act, which shares similar characteristics with the General Data Protection Regulation (GDPR) implemented by the European Union in 2018, was originally planned to be enforced in May 2020. But most chapters of the act were deferred until May 2022 to give the public and private sectors more time to prepare internal processes and reduce the financial burden from the COVID-19 outbreak.
“Companies should use the deferment to look into how they can translate the law into practice and put in place various policies and measures related to personal data protection,” dtac’s privacy expert explained. “Privacy is more complicated than just keeping sensitive information safe. For dtac, being a partner with Telenor, gave us a head start thanks to their GDPR experience. But it has been a long journey nonetheless.”
At the panel discussion, which also explores the impact of the new act on intellectual property, Mr. Montri stated that in general the implementation of the PDPA, which grants individuals the rights to access their personal data held by a company, shouldn’t affect a company’s safeguard of trade secrets.
“The challenges for businesses of almost any size is that the act helps define clearer consumer rights to personal data, meaning personal data must be used for solely for stated purposes, and consumers can seek remedies when their PDPA rights are violated,” he said.
In the digital economy, many businesses collect personal data in various forms and use it to tailor personalized seamless experience for individual customers. The pandemic outbreak prompted a surge in digital adoption in Thailand, and people spend more time working, playing, and shopping online. But it also poses a greater threat to privacy.
“Today Thais have a better understanding of privacy law. They are aware that Facebook isn’t free. We now have customers calling our call center with questions on privacy, and I have started training our call center on the issue of privacy and the PDPA,” Mr. Montri said.
He also pointed out that many people still confuse privacy with security. While the objective of security is to prevent data breaches, the new privacy act deals with how personal data is used and processed, and if the data collection is justified for intended purposes. Privacy awareness training programs are therefore necessary for employees who work in organizations that handle personal data.
At dtac, every employee is required to take mandatory security and privacy trainings every quarter. And in the case of data breaches, the company will immediately notify the data subject of the breach as soon as the case is reported and offer appropriate compensation to the affected individual.
“dtac is transparent in how data is being used and processed. Our measures already adhere to an international standard,” he said. “We have a team to constantly monitor and detect potential data breaches, so we can respond immediately to minimize damage. We believe privacy is a social responsibility issue.”
