Bluebik revealed that the Personal Data Protection Act (PDPA) will disrupt the data analytics world as data, the “heart” of today’s competition, will be subject to more complicated processes and become increasingly sensitive. Hence, local businesses are expeditiously planning and preparing themselves for this change. Bluebik suggested that the quicker businesses can embrace changes, the faster they can make progress without losing business opportunities.
Bluebik has come at the right time to help businesses adjust themselves to the new regulation. At the initial stage, business potential and readiness are assessed; work plans are then formulated to ensure alignment with the Act; and at the final stage, projects to support the Act are managed.
Mr. Pochara Arayakarnkul, CEO of Bluebik Group Co., Ltd., a leading consultant specializing in strategy development and technology and innovation management, disclosed that the Personal Data Protection Act B.E. 2562 (A.D. 2019), which will come into force on 28 May 2020, will be a game changer and a key factor affecting the data analytics process ranging from data collection through data utilization.
Data is considered an asset for organizations which can be used to develop insights about their businesses and customers for further development of products and services to meet customer needs. Personal data is considered the “heart” of big data analytics, as it can be used for identifying common data links, market trends and customer wants, as well as other useful information for the business. Once the Act becomes effective, organizations must start collecting and using personal data in a proper and strict manner.
However, businesses preparing for the adoption of the PDPA must study and understand the following 4 key principles:
- Requesting the data owner’s consent: Written consent must be received prior to the collection, use and disclosure of data. The data must only be used for the requested purpose;
- Notifying the data owner of content usage objectives: The notification must be clear and easy to understand. The period of data collection must be clearly specified;
- Data security: Data security must meet standards; and
- The data owner’s rights: Access rights must be specified. Organizations are required to set up a system that accommodates the data owner’s rights. For example, if the data owner wants an organization to delete his/her personal data from the system, the organization has to ensure it is able to comply with the request. This may pose a problem for businesses if data is stored by individual business units on a silo basis and cannot be easily deleted from the whole system.
It is also well noted that the Act stipulates definitions and roles of people involved in the handling of data such as data controller, data processor, data protection officer, etc. Therefore, many organizations are looking for experts to assist in devising effective plans. Such organizations view that moving quickly to adapt themselves to the Act will enable them to remain competitive in the industry and not miss out on business opportunities.
In getting revved up for the PDPA, Bluebik Group has formulated suggested preparation guidelines and supporting measures to help businesses comply with requirements of the PDPA through the following 3 stages:
- At the upstream stage: Organizations should assess the capacity and readiness of their internal systems such as IT infrastructure in order to identify gaps to be filled. Work processes should be assessed, from the requesting of consent from the data owner to collecting and managing data, including solutions for secure data storage.
- At the midstream stage: Organizations should devise a plan on data governance covering data classification, determination of data protection measures, and planning and selecting data protection tools such as data masking and data encryption tools. In addition, there should be a plan to ensure their IT systems are compliant with the requirements of the Act.
- At the downstream stage: Organizations should set up a dedicated team responsible for planning and managing the implementation of the new law to ensure it is carried out in a proper and efficient manner. This team should consist of suitable representatives from relevant functions to ensure that data management is aligned with the Act and meets organizational strategic goals.
“Businesses must be ready to embrace and handle the PDPA. They must conduct assessments on their organizational policies, work processes, and technologies to see the extent of their compliance with the Act. This will allow them to identify areas for improvement to ensure conformity with the provisions of the law. Non-compliance could subject the organization to legal action and undermine its credibility and brand,” said Mr. Pochara.