Timelines of Thailand's PDPA establishment and news on ...


Page 1

Deloitte PDPA The Series: The Complete Roadmap for Your PDPA Compliance Journey
Episode 5: Are you REALLY ready for the upcoming full PDPA enforcement?

August 11, 2021

Page 2

Speakers

• Sutthika Ruchupan, Counsel, Tax & Legal, Deloitte Thailand
• Monai Supanit, Manager, Risk Advisory, Deloitte Thailand
• Prateep Puengwattanapong, Director, Risk Advisory, Deloitte Thailand

Page 3

Duties and Liabilities of Data Controllers (Sutthika Ruchupan)

Page 4

PDPA Episode 5© 2021 Deloitte Touche Tohmatsu Jaiyos Co., Ltd. 4

Update on postponement

Notification issued during the postponement: Announcement of the Ministry of Digital Economy and Society on the Security of Personal Information B.E. 2563 (2020)

➢ Sets the minimum standard for administrative, technical and physical safeguards and for access control of Personal Data held by a Data Controller.

Timeline

• 2018: GDPR came into force
• 2019: Government Gazette published the Thai PDPA
• 2020: Thai PDPA to become effective per the Act
• 2021: Thai PDPA to become fully in force after a 1-year postponement
• 2022: Thai PDPA to become fully in force after a 2-year postponement

Page 5

What you need to consider when processing Personal Data – from a legal lens

Duties and liabilities of Data Controllers

• Purposes: What are the purposes of collecting/using the personal data?
• Necessity: Is the data really necessary to fulfil those purposes?
• Legal basis: Which legal bases are you applying?
• Security measures: What security measures have you put in place?
• Rights of Data Subject: Are you recognising the Data Subject's rights?

Page 6

Are your legal documents ready for PDPA compliance?

Duties and liabilities of Data Controllers

Privacy Notice (Section 23), to be provided upon or before collection of personal data. It must state:

• Purpose and its legality
• Necessity of providing personal data for entering into a contract, and the consequence of not providing it
• Retention period
• To whom the data will be disclosed
• Contact details of the Data Controller and DPO
• Data Subject's rights

Page 7

Are your legal documents ready for PDPA compliance?

Duties and liabilities of Data Controllers

Consent (Section 19)

The request for consent must be:
❑ Clearly distinguishable
❑ Easily accessible
❑ Informed of the purposes
❑ Not misleading

The consent itself must be:
❑ Explicit
❑ In written form or electronically
❑ Freely given
❑ Not conditional upon entering into a contract
❑ Given by a Data Subject who has capacity
❑ Easy to withdraw

Page 8

Liabilities

Duties and liabilities of Data Controllers

Civil liabilities
• Compensation for actual damage plus all expenses incurred by the Data Subject
• If the court sees fit, additional (punitive) compensation of not more than 2 times the compensation for actual damage

Criminal liabilities
• Not more than 1 year in prison or a fine of not more than THB 1,000,000, or both, depending on the offence

Administrative liabilities
• A warning or a fine of not more than THB 5,000,000, depending on the offence

Page 9

Our Initial Observation: Common Practical Issues

Public Perception
• Only big companies are required to comply with PDPA

Top 5 businesses being claimed against under GDPR
• Social Media Platforms
• Financial Services
• Ecommerce
• Technology Sector
• Healthcare and Medical

Readiness of Industries
• Some industries are more attentive to PDPA, e.g. the financial industry and telecommunications
• Benefit of having a parent company in the EU

Lack of Awareness within the Organization
• PDPA compliance is seen as the responsibility of one person
• PDPA is seen as a one-time project

Page 10

Our Initial Observation: Common Practical Issues

Excessive Data Collection
• What are the purposes and legal basis for collection?
• Is the data really necessary to fulfil the purpose?

Who is Data Controller/Processor?
• Are employees data processors while employers are data controllers?
• Can the company be both data controller and data processor?

Retention Period
• What is an appropriate retention period?
• Can we keep the data forever?

Consent is a must?
• Perception is that consent is needed for collecting Personal Data in all cases, or there is heavy reliance on consent
• Why would that be a concern?

Marketing Activity
• Can we still do marketing activities when PDPA comes into effect?
• Consent vs Legitimate Interest?

Privacy is a burden
• Cost related: personnel and financial
• Changing current business processes

Page 11

Regulatory and Operational Risk (Monai Supanit)

Page 12

Effect that Thai PDPA has on your Organization

The company shall adjust various business processes to align with the legal requirements, covering technology, employees, governance structure, policy, process and regulations.

• Policy: The company shall announce a policy and procedures regarding personal data protection.
• Process: All business units in the company shall revise and adjust business processes to encourage awareness of personal data protection.
• Regulations: The company shall comply with Thai PDPA legal requirements.
• Technology: Technology shall be developed to comply with the Thai PDPA.
• Employee: All employees shall be aware of, understand and be able to adopt Thai PDPA practices.
• Governance Structure: The company shall appoint a Data Protection Officer (DPO).

Page 13

Compliance with Thai PDPA Requirements

How can you identify what is considered personal data?

Personal Data: In identifying what is personal data, consider whether the data can be used to identify a specific person. It may be data such as name, last name, phone number, address or bank account number. For example, a phone number on its own, without a name or last name, is still personal data, since it can be used to identify its owner. You can find more details regarding the scope and categories of personal data in the company's Privacy Notice.

What do you have to do when there is processing of personal data?

Data Life Cycle: Collection, Storage, Use, Transfer, Archival, Destruction

Prior to collecting, using or disclosing any personal data, and in addition to considering the legal basis for processing, you should understand the data life cycle so that you can identify which step of personal data processing you are at and comply appropriately with the Personal Data Protection Procedure.

Page 14

Compliance with Thai PDPA Requirements

What is a Record of Processing Activities (ROPA)?

Record of Processing Activities (ROPA): It documents the personal data processing activities of each business unit, and it is each business unit's responsibility to maintain and update it when changes arise. The details of the ROPA are arranged according to the data life cycle, from the collection stage to the deletion stage: Collection, Storage, Use, Disclose, Deletion.

Page 15

Personal Data and Information Technology (Prateep Puengwattanapong)

Page 16

© 2021 Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd. 16

Data Privacy Security Measures

Administrative
• IT Security Policy, Procedure, Guideline, Acceptable Use Policy
• Security and Privacy awareness and training
• KPI

Technical
• Access Control (least privilege), logging and disposal
• Application, Databases
• Operating System
• Network
• Processing Devices (PC, Mobile, IoT, BYOD)
• Data Discovery and Inventory
• Data Leakage Prevention System
• Encryption
• Anonymizing or Pseudonymizing
• Penetration Testing and Vulnerability Assessment
• Shadow IT Management

Physical
• Physical Access Control
• Data Storage
• Work area
• Processing Devices (PC, Mobile, IoT, BYOD)
• CCTV Surveillance
• Processing Environmental Control

Page 17

Personal Data and Information Technology

Data life cycle: Collect, Store, Access, Usage & Transfer, Delete

Information Security
• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes
• Integrity: the property of safeguarding the accuracy and completeness of assets
• Availability: the property of being accessible and usable upon demand by an authorized entity

Privacy Management System
• Consent Management / Cookie Consent
• Data Subject Access Right Handling

Page 18

Which technology to choose?

Already have a GRC platform, or looking at managing privacy risks in a structured and centralized manner and managing complaints/issues? Choose a GRC solution such as ServiceNow, RSA Archer or MetricStream that offers a simple privacy assessment workflow, a risk management process and an issues/complaint management use case.

Looking to improve data security? Implement tools that not only give you visibility of the whereabouts of your confidential data, so as to allow good security controls to prevent breaches, but also the ability to dynamically authorize its usage and to revoke the right of use if required.

Looking for an end-to-end solution to automate your privacy operations? Choose privacy-focused software such as OneTrust or Securiti.ai, which can help you with consent management, cookie management, data inventory, privacy assessments, automated discovery, data subject rights handling, etc.

The deciding factor is which processes you want to automate, for a variety of reasons, e.g. resource constraints, efficiency, transparency, etc.

Page 19

Operationalizing Data Privacy and Protection Policies – through automation

You can transition from written policies to programmatic policy enforcement and implementation.

Data Security and Protection
1. Discover, Define and Classify
2. Assign and Enforce Security Controls
3. Analyse user behaviour and Report
4. Monitor Compliance
5. Remediate

Privacy operations capabilities
• Consent Management
• Cookie Management
• Individual Rights Management
• Data Inventory
• DPIA
• RoPA
• Complaints Handling
• Incident Response
• Data Discovery and Correlation

Page 20

Data Centric Security Approach

There are several considerations to factor in when approaching data protection/security.

• Know your data and application
• Protect data at the source
• Protect data on the move and shared
• Monitor, audit and report

Outcomes
• Secure Information Sharing
• Visibility and Control
• Centralised Policy Management
• Dynamic Authorisation
• Reduced Risk and Fraud
• Improved Compliance

Applies across: SaaS | Hybrid Cloud | Private Cloud | On-Premise

Page 21

Data Protection from the inside out principles

Fundamentally, data protection from the inside out focuses on three important principles:

1. Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational and incredibly important to data protection.
2. Implementing data-layer protection capabilities can help to both prevent and detect data breaches at an organization's "last line of defense".
3. Reducing the value of sensitive data is perhaps the most important principle and is based on the premise that it's not "if", but "when", adversaries will get to your data.

Aligned Data Protection Technologies
• Data Encryption, Tokenization and Obfuscation
• Data Retention and Destruction
• Data Loss Prevention
• Data Access Governance
• Database Security
• Privileged Access Management
• Data Discovery and Inventory
• Data Classification
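The three principles above, read together with the earlier points in the deck (a phone number on its own is still personal data; discover and classify, then enforce a control, then monitor and remediate; retention periods must be honoured), can be exercised end to end in a few dozen lines. The Python below is an added example written for this page; it is not code from the Deloitte deck nor from any product the deck mentions. It scans a constructed customer table for Thai mobile numbers, Thai national ID numbers (validated with the public mod-11 check digit) and e-mail addresses, builds a field-level inventory, replaces each direct identifier with a keyed HMAC token so that a leaked copy is of little value without the key, and flags records kept past the retention period a Privacy Notice would state. The regular expressions, the field names, the sample records and the 730-day retention period are all assumptions; the function names are ours.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample data (assumption): a small customer table as a marketing
# team might hold it before any PDPA work. Every identifier is synthetic.
SAMPLE_RECORDS = [
    {"name": "Somchai J.", "phone": "0812345678", "national_id": "1234567890121",
     "email": "somchai@example.com", "collected": "2019-01-15", "purpose": "loyalty"},
    {"name": "", "phone": "0898765432", "national_id": "",
     "email": "", "collected": "2021-06-01", "purpose": "newsletter"},
]

PHONE_RE = re.compile(r"0[689]\d{8}")  # assumed Thai mobile number format
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Fields that are personal data but have no reliable value pattern (assumption).
SENSITIVE_FIELD_NAMES = {"name": "name"}


def is_thai_national_id(value: str) -> bool:
    """13 digits; the last is a mod-11 check digit over the first 12 (weights 13..2)."""
    if not re.fullmatch(r"\d{13}", value):
        return False
    digits = [int(c) for c in value]
    total = sum(d * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == digits[12]


def classify_value(value: str) -> str:
    """Step 1 (discover): label a value by pattern; 'none' means nothing found."""
    if not value:
        return "none"
    if is_thai_national_id(value):
        return "national_id"
    if PHONE_RE.fullmatch(value):
        return "phone"
    if EMAIL_RE.fullmatch(value):
        return "email"
    return "none"


def classify_field(field: str, value: str) -> str:
    """Pattern first, then the field-name hint (for free-text values such as names)."""
    category = classify_value(value)
    if category == "none" and value and field in SENSITIVE_FIELD_NAMES:
        category = SENSITIVE_FIELD_NAMES[field]
    return category


def discover(records):
    """Inventory: which fields hold personal data, and in how many records. A phone
    column with no name beside it still appears here: the number alone identifies."""
    inventory = {}
    for rec in records:
        for field, value in rec.items():
            category = classify_field(field, str(value))
            if category != "none":
                entry = inventory.setdefault(field, {"category": category, "count": 0})
                entry["count"] += 1
    return inventory


def pseudonymize(value: str, key: bytes) -> str:
    """Step 2 (enforce a control): keyed HMAC-SHA256 token, 16 hex chars. Same value
    and key give the same token, so records can still be joined; without the key the
    token cannot be reversed. Keep the key in a separate secret store, never with data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def protect_record(rec, key: bytes):
    """Copy of a record with every personal-data field tokenised, the rest untouched."""
    return {field: pseudonymize(str(value), key)
            if classify_field(field, str(value)) != "none" else value
            for field, value in rec.items()}


def retention_expired(rec, retention_days: int, today_iso: str) -> bool:
    """Steps 4-5 (monitor, remediate): flag a record kept past the retention period
    stated in the Privacy Notice, so it can be deleted or anonymised."""
    collected = date.fromisoformat(rec["collected"])
    return date.fromisoformat(today_iso) > collected + timedelta(days=retention_days)


def run(records, key: bytes, retention_days: int, today_iso: str):
    """Inventory, protected copy, and indexes of records past retention."""
    inventory = discover(records)
    protected = [protect_record(r, key) for r in records]
    expired = [i for i, r in enumerate(records)
               if retention_expired(r, retention_days, today_iso)]
    return inventory, protected, expired


if __name__ == "__main__":
    inv, prot, exp = run(SAMPLE_RECORDS, b"demo-key-keep-in-a-vault", 730, "2022-06-01")
    print("inventory:", inv, "\nprotected:", prot, "\npast retention:", exp)
```

Two caveats a practitioner would attach. First, the HMAC tokens are pseudonymised, not anonymised: whoever holds the key can re-identify, so the tokenised table is still personal data under the PDPA and the key belongs in a vault with its own access control and logging. Second, pattern-based discovery is only as good as its patterns; the name column here is caught by a field-name hint rather than by its content, which is why an inventory has to be maintained by the business units that know the data, not just regenerated by a scanner.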

Page 22

How we can help you

Page 23

Our Data Protection/Security Offerings

Deloitte is equipped with Forcepoint technology to provide services that assist organisations in understanding the exposure of confidential data within the organisation's assets, including storage and access activities as well as data outflows, in order to enforce privacy policy. Forcepoint is recognized by Gartner as a "Leader" in the Magic Quadrant for Enterprise Data Loss Prevention (DLP).

Sensitive Data Discovery Assessment

This assessment service typically lasts 4–6 weeks and provides a holistic data loss risk view by discovering sensitive data residing in user endpoints or storage of which the organization may not be aware.

This assessment leverages Forcepoint's industry-leading Data Protection Endpoint & Network Discover technology to discover the following:
• Structured and unstructured data in file repositories
• O365 mailboxes and traditional Exchange
• SharePoint on premise and online
• Sensitive data on end-user devices

Cloud SaaS Security Assessment

This assessment service typically lasts 3–4 weeks, targeting data loss risk in organisations' cloud environments.

This service provides insight into data usage and storage in the cloud, and leverages Forcepoint's cloud data protection to:
• Identify shadow IT usage
• Gain visibility of cloud application data retention and compliance policies per sanctioned application
• Scan for sensitive data within Microsoft OneDrive, Google Drive, Box, Salesforce and other cloud platforms

User Behavioural Assessment

This assessment service typically lasts 6–8 weeks and provides an analysis of data loss through collection of "suspicious" user behaviour rather than through discovery of predefined sensitive data.

This assessment leverages Forcepoint's rich history of user analytics and industry-leading data protection to:
• Detect highly suspicious behaviour
• Surface indicators of risk

Page 24

Deloitte services: One Stop Service for your PDPA Compliance journey

Initiation and Gap Assessment
• Gap Assessment
• Advisory and Legal Framework
• Records of Processing Activities

Implementation
• PDPA Policy and Procedure
• PDPA Legal Documents
• PDPA Governance
• PDPA and Data Protection Technology Implementation
• DPO Structure
• Awareness Training

Post-implementation
• PDPA Readiness Assessment
• DPO Advisory Services
• DPO Training and Helpdesk

Page 25

Thank you