GOLDEN OPPORTUNITY
Data protection can win customers’ trust
Accenture says firms should look at the Personal Data Protection Act as a chance to turn data into an asset.
Financial institutions and businesses should look at the Personal Data Protection Act (PDPA), scheduled to come into force next May, as an opportunity to transform into data-driven organisations, according to consulting firm Accenture Thailand.
They need to gravitate towards data protection organisations and handle the data in line with the PDPA, said Wichaya Chao, managing director for the company’s financial services.
The Bank of Thailand and financial regulators can set a minimum standard for data protection and consent by data owners as a guideline for financial institutions to follow.
“There are only seven months before the PDPA takes effect in May,” Mr Wichaya said. “At least three months are needed for organisations to prepare themselves.”
They need to be prepared in terms of data searching, collection and diagnosis and handling the process of seeking consent from customers, keeping data and erasing it, as well as ensuring access control and protection.
“Organisations should not see the law as a burden, but rather as an opportunity to treat the data as an asset and become a data-driven company that can gain better customer insights and usher in new business approaches in response to them,” Mr Wichaya said.
Ensuring data protection will engender customer trust in firms.
Having such data discipline in place, good governance and transparency will be ensured and the handling of data will become more efficient, Mr Wichaya said.
Accordingly, more data sharing among those across industries will be carried out.
“This can be a good opportunity where a new guideline for information sharing should be established among parties involved,” Mr Wichaya said.
Additionally, the law could encourage companies to reorganise their data storage, which would help reduce costs.
The PDPA gives data owners the right to have their data erased, and they can ask service providers to remove their data.
Businesses can stop keeping data whose owners don’t want them to retain it. This will enable companies to better optimise market opportunities for customers who are genuinely interested in products or services.
Mr Wichaya said businesses need to make data anonymous before processing it. They should make sure the data can’t be traced to identify owners through any tech devices, he said.
“To comply with the law, businesses need to assess themselves and ensure risk assessment in their whole work process,” he said. “Data-handling staff must be educated on how to deal with the matter.”
The PDPA mandates data protection officers (DPOs) to make sure organisations’ data handling is in line with the law.
Mr Wichaya said Accenture has tools that help organisations work in compliance with the law, including providing the DPO.
Tools cover data subject requests, data breaches, consent management and regulatory reporting, he said.
The PDPA was published in the Royal Gazette in May, but it provides a oneyear grace period for enforcement of its provisions to give stakeholders time to adjust.
The PDPA requires data controllers and data processors who use personal data to receive consent from data owners and use the data only for the expressed purpose.