EU data law HITS HOME

THAI BUSI­NESSES MUST COM­PLY WITH EUROPE’S RULES ABOUT SHAR­ING PER­SONAL IN­FOR­MA­TION

The Nation - - OPINION & ANALYSIS -

As Thai­land ush­ers in a new era of digital econ­omy and so­ci­ety, data pro­tec­tion, pri­vacy and data res­i­dency have be­come im­per­a­tive is­sues.

En­force­ment of the Euro­pean Union’s Gen­eral Data Pro­tec­tion Reg­u­la­tion (GDPR) law, which started on May 25 this year, has set a new bench­mark for Thai­land and other coun­tries around the world.

Over­all, the GDPR law is aimed at boost­ing trans­parency and the rights of data own­ers, who will be re­quired to give their spe­cific con­sent be­fore any of their per­sonal data can be used by other par­ties. PWC, an in­ter­na­tional con­sult­ing firm, sug­gests that com­pa­nies need to set up a data in­ven­tory to com­ply with the EU law with re­gard to their cus­tomers’ per­sonal data as well as any third-party use of that data.

Sec­ond, data con­trollers and pro­ces­sors are re­quired to no­tify the au­thor­i­ties and data own­ers of any data breach within 72 hours.

Third, in­di­vid­u­als have the rights to ac­cess, cor­rect and re­move their data as well as the right to be for­got­ten.

For ex­am­ple, a Google search may find pho­tos of yours that you want to delete, in which case the con­trollers/pro­ces­sors are obliged to do so at your re­quest.

Due to the grow­ing pop­u­lar­ity of fa­cial recog­ni­tion soft­ware and manda­tory com­pli­ance with the EU law, Face­book has in­tro­duced a data in­ven­tory man­age­ment fea­ture, al­low­ing users to re­move their third­party data shared by the so­cial me­dia site with other app de­vel­op­ers.

The GDPR law is said to be en­force­able be­yond the 28-coun­try EU, so ma­jor Thai com­pa­nies have al­ready taken steps to­ward com­pli­ance as vi­o­la­tors are sub­ject to hefty fines of up to 4 per cent of their global rev­enues.

Fi­nan­cial in­sti­tu­tions, banks, con­glom­er­ates, air­lines and multi­na­tional ho­tel chains are among those pre­par­ing to fol­low the new EU guide­lines. First, most large en­ter­prises have sought con­sent from their cus­tomers re­gard­ing per­sonal data col­lec­tion, stor­age and use, as well as con­sent on the shar­ing of data with third par­ties. This was pre­vi­ously done au­to­mat­i­cally via the bundling method with­out need for spe­cific con­sent by data own­ers.

En­ter­prises also have pre­pared for po­ten­tial litigation from data own­ers, as the new law es­tab­lishes spe­cific rights that could be vi­o­lated by data users.

For Thai en­ter­prises, the im­me­di­ate threat is prob­a­bly that of rep­u­ta­tional dam­age if there is a data breach of EU cus­tomers such as air­lines or ho­tels. Thai com­pa­nies that have oper­a­tions in­side the EU – such as those in the food, en­ergy and ser­vice sec­tors – are more vul­ner­a­ble since they are di­rectly un­der EU ju­ris­dic­tion.

Be­sides the im­pact on rep­u­ta­tion , Thai-owned en­ter­prises op­er­at­ing in­side the EU can also face se­ri­ous fi­nan­cial and op­er­a­tional im­pacts. Over­all, GDPR is not just an IT is­sue,

as some top ex­ec­u­tives mis­tak­enly be­lieve. The new law af­fects many key busi­ness as­pects, rang­ing from data pri­vacy and pro­tec­tion, le­gal, com­pli­ance and se­cu­rity, to cus­tomer ser­vice and mar­ket­ing as well as hu­man re­source man­age­ment.

As a re­sult, en­ter­prises need to make an over­all as­sess­ment and come up with a com­pli­ance pro­gramme as well as a con­tin­gency plan in the event there is a data breach.

Be­sides the GDPR law, Thai en­ter­prises with oper­a­tions in China should also pre­pare to cope with the ef­fects of China’s cy­ber­se­cu­rity reg­u­la­tions, which re­quire cus­tomers’ per­sonal data to re­side within China.

Newspapers in English

Newspapers from Thailand

© PressReader. All rights reserved.