GIRDING FOR GDPR
A European law and a Thai draft bill give local firms the chance to promote information protection. By Suchit Leesa-nguansuk
The EU’s new data protection rules start this week, raising the bar worldwide.
The EU’s General Data Protection Regulation (GDPR) comes into force on May 25, raising the bar for data protection and privacy practices and forcing Thailand to speed up passage of the Personal Data Protection Act.
GDPR and the Thai Personal Data Protection Bill (PDPB) will create an opportunity to increase customer confidence and change the perspective of business organisations in data management, including increasing cybersecurity spending.
Dhiraphol Suwanprateep, partner for technology, media and telecommunications at Baker McKenzie Ltd, said GDPR requires companies to report personal data breaches to the relevant supervisory authority within 72 hours of their becoming aware of the breach.
If the breach is likely to result in a high risk to the rights and freedom of individuals, those individuals must also be informed without undue delay.
The Thai government is attempting to pass the PDPB. The most recent draft released last month by the Digital Economy and Society Ministry also includes a personal data breach requirement, with data controllers compelled to notify data owners of a breach immediately.
If the breach affects more data owners than the number prescribed by the Data Protection Committee, the data controller must also notify the committee of the breach incident and take remedial measures without undue delay.
Mr Dhiraphol said the two laws are clear evidence that regulators are placing more weight on controlling data breaches.
Recent news also suggests that data breaches increasingly result in public outcry once individuals learn that their personal data may be compromised.
For example, Unicef Thailand recently suffered a cybersecurity attack against one of its servers. The agency announced on its website that the breach included the personal data of donors who made web donations via www.unicef.or.th, with information such as names, contact details, dates of birth and encoded credit card numbers.
“Although we praise Unicef for reporting the incident, and for directly notifying the affected individuals, we are still concerned by the ever-growing frequency of cyberattacks these days,” Mr Dhiraphol said.
Companies as well as government entities should be taking breaches and their risks seriously and planning accordingly, he said.
“Not only are there penalties imposed under GDPR and the draft PDPB, but an organisation’s public reputation is almost certain to be compromised if and when a security breach occurs,” he said. “Damage can occur in seconds following news of a breach that may take years to repair.”
Given these risks, technical measures to protect data must be steadily implemented, regularly updated and adhered to without exception.
Meanwhile, organisations and governments continue to use outdated security software that offers no protection against hackers, effectively inviting them into easily compromised systems, Mr Dhiraphol said.
PRIVACY POLICIES
Legal liability for data breaches cannot be overlooked. Not only must organisations and governments implement technical measures to prevent and minimise the effects of attacks, they must also prepare adequate privacy policies to explain how individuals’ personal data will be collected, used, processed, disclosed, transferred and protected.
Any disclaimer should also be carefully crafted to help limit liability of the data controllers to the extent that such limitations do not conflict with the liabilities imposed by the relevant laws, Mr Dhiraphol said.
OVERHAUL THE PDPB
Prinya Hom-anek, secretary of the Thailand Information Security Association (TISA) committee, said the enforcement of GDPR in real life is important because it will be a wake-up call for compliance. Many businesses are still unaware of the risks and remain in a “wait and see” stage.
“Without security, you cannot have data privacy,” he said.
Mr Prinya said data privacy protection should be increased to prevent data breaches as cross-border data flows become more prevalent thanks to the cloud, Internet of Things and artificial intelligence.
“Cloud security will be a prime target of hackers,” he said. “Investment in security technology should be a priority as businesses, especially banks, online firms and airline travel services, need to complete risk assessments to determine each level of impact from a breach.”
Mr Prinya said the government and business operators should turn GDPR compliance into an opportunity to show their commitment to data privacy and attract European users.
Moreover, the government should amend the PDPB to match GDPR guidelines, he said. The draft mandates that service operators ask data owners’ consent to record data, but the operators can use that data for any purpose without their consent.
EU TELECOMS READY FOR GDPR
Rajiv Bava, chief of corporate affairs and business development at Total Access Communication Plc (DTAC), majority-owned by Norwegian firm Telenor, said the company has dedicated GDPR compliance projects.
Documenting these processes is key to GDPR readiness, with DTAC building inventories of its processing activities through mapping exercises, he said.
The company held workshops both internally and across the industry to share experiences and insights on how to prepare for GDPR compliance. In January 2018, DTAC launched a mandatory e-learning programme for all employees.
The telecom plans to continue to work on technical solutions and services to support customers’ data privacy rights, such as easy-to-use solutions for customers to consent to processing, and better solutions for internal consent management.
DTAC’s GDPR projects and data protection officers are meant to ensure compliance and see that the right information and tools reach the right people in the company.
VISA PREPARES FOR GDPR
Ellen Richey, vice-chairman for risk and public policy at Visa Inc, said the company spent two years preparing to comply with GDPR because it holds sensitive personal data in its systems.
The company implemented the Visa Data Privacy Request Manager through a set of application programming interfaces to support issuers and acquirers in complying with GDPR requirements, whereby Visa holds the personal data as a “processor” on behalf of the controller.
Specifically, Visa enables client banks to submit data subject requests (DSRs) of any of the DSR types (access, rectification, erasure, restriction, portability, object, automated processing). Each request prompts the creation of at least one “case” that can be used to track the progress of the request.
UNIFY DATA AND PRIVACY PROTECTION
“As the capacity to collect, store and analyse data for commercial purposes continues to grow exponentially, GDPR and country-specific data protection laws seek to strengthen and unify personal data privacy and protection, putting people in control of their data and ensuring businesses treat the data in a fair, transparent and secure manner,” said George Chang, vice-president for Asia-Pacific at Forcepoint.
GDPR provides for penalties of up to €20 million or 4% of annual turnover, whichever is higher, for intentional or negligent violations. With the stakes that high, investing in compliance now is the only sustainable business model, Mr Chang said.
Pragmatic compliance need not be expensive, he said. Expenses are relatively low if implemented using common sense. Understanding the parameters of the applicable legislation is the key to getting it right.