News & Activities 2 March 2020

Bluebik stands ready to provide end-to-end consultancy as Thai organizations are going full steam to be in line with the PDPA

Bluebik revealed that the Personal Data Protection Act (PDPA) is coming to disrupt the data analytics world as data, the “heart” of today’s competition, will be subject to more complicated processes and become increasingly sensitive. Hence, local businesses are expeditiously planning and preparing themselves to get ready. Bluebik suggested that the quicker businesses can embrace changes, the faster they can make progress without losing business opportunities. Bluebik has come at the right time to help businesses adjust themselves to the new rules. At the upstream stage, business potential and readiness are assessed; at the midstream stage, work plans are formulated to ensure alignment with the new act; and at the downstream stage, projects to support the new act are managed.

Mr. Pochara Arayakarnkul, CEO of Bluebik Group, disclosed that the Personal Data Protection Act B.E. 2562 (A.D. 2019), which will come into effect on 28 May 2020, will be a game changer and a key factor affecting the data analytics process, from the data collection step through the data utilization step. Data is considered an asset of an organization, which can be used to develop insights about its own businesses and customers for further development of products and services to meet customer needs. Personal data is considered the “heart” of big data analytics, as it can be used for identifying common data links, market trends and customer wants, as well as other useful information for the business. Once the Act becomes effective, organizations must start collecting and using personal data in a proper and strict manner.

However, businesses preparing for the adoption of the PDPA must study and understand the following 4 key principles:

  1. Requesting the data owner’s consent: Collecting data, using it, or disclosing it to others must receive prior consent in writing and must not exceed the requested scope of consent.
  2. Notifying the data owner of content usage objectives: The notification must be clear and easy to understand. The period of data collection must be clearly specified.
  3. Data security: Data security must meet standards.
  4. The data owner’s right: Access rights must be specified. Thus, organizations are required to set up a system that accommodates the data owner’s right.

For example, if the data owner wants an organization to delete his/her personal data from the system, the organization has to delete such data from the “whole system.” This poses a problem for a business, especially if data is stored separately by individual business units, so that it cannot be deleted from the whole system. It is also worth noting that the new Act stipulates definitions and roles of people involved in the handling of data, such as data controller, data processor, data protection officer, etc. Therefore, many organizations are looking for experts to assist in devising effective plans. Such organizations take the view that moving quickly to adapt themselves to the new Act will enable them to compete in the industry without missing business opportunities.

In getting revved up for the PDPA, we could consider some preparation guidelines for businesses and propose supporting measures for them to comply with the new regulations of the PDPA through the following 3 stages:

  1. At the upstream stage: Organizations should assess their capacity and the readiness of internal systems such as IT infrastructure in order to identify gaps to be filled so as to accommodate compliance with the new Act. Work processes should be assessed, from the step of requesting consent from the data owner through the steps of collecting and managing data. Moreover, there should be a plan on how to store data in the future.
  2. At the midstream stage: Organizations should devise a plan on data governance covering data classification, determination of data protection measures, and planning and selecting data protection tools such as data masking and data encryption tools. In addition, there should be a plan on developing an IT system that is in line with the new Act.
  3. At the downstream stage: Organizations should set up an ad hoc working group to take care of planning and management to ensure proper and efficient implementation of the new law. This working group should consist of suitable representatives from relevant functions to ensure that data management is aligned with the new Act and meets organizational strategic goals.

Businesses must be ready to embrace and handle the PDPA. They must conduct assessments on organizational policies, work processes, and technologies to see the extent of the compliance with the new Act. This allows them to identify areas for improvement to ensure conformity with the provisions of the law. Violating the law could subject an organization to legal actions and jeopardize its brand image and trustworthiness.