By SPECIAL TO THE NATION
The two issues that lie at the heart of personal data processing are trust and protection. The disclosure, use or transfer of personal data must be handled safely and only for the agreed and intended purpose. We, as the data owners, have the right to see our personal data protected. It is a fundamental right everyone has, whether they are individuals, customers or employees, and many countries have already put this issue on the national agenda.
The design and development of concrete personal data protection mechanisms need to include a data protection framework that’s backed by strong law enforcement. Thailand’s Personal Data Protection bill is now closer to becoming reality after it was approved by the National Legislative Assembly at the end of February.
After it’s been signed and endorsed by the monarch, it will be published in the Royal Gazette and passed into law. Its provisions relating to the collection, use, and disclosure of personal data will take effect in the year following its enactment, so we won’t see any enforceable changes until 2020. This means that we still have time to prepare and adjust to the new legal setting.
Data owner consent is a key element of the bill. Consent will be needed for processing personal data and the processing must be directly relevant to the agreed and lawful purposes. The bill says that consent must not impose unnecessary conditions on the data owner, must be freely given, and must be specific, informed and unambiguous.
Data controllers, whether they are an individual or an entity, have the power to make decisions regarding the collection, use and disclosure of personal data. They must be able to demonstrate that the data owner has voluntarily given consent and must ensure that the interests, fundamental rights and freedom of the data owner are not overridden. In short, getting the correct type of legitimate consent at the outset is recommended.
The bill requires that data controllers, as well as processors (the individuals or entities who process personal data on behalf of or under the instruction of data controllers), implement appropriate technical and organisational measures and policies to help safeguard and protect the data from any risks. For example, there should be an effective system to safeguard data and prevent data leaks and misuse, and a clear policy on the documents needed to support any use of the data collected, and the keeping and destruction of the data.
The bill also sets out the rights of data owners and the obligations of data controllers and processors, as well as how compliance will be monitored. The penalties for violations are also there and include administrative fines, imprisonment and other impositions.
Discussion around the bill has increased public awareness of data protection issues. Because of this, as well as preparing for the new legislation, companies, organisations and other parties should be aware of the changes and make sure they communicate clearly with their customers and other data owners.
The year following the bill’s enactment will be a testing time. Those companies still unsure of what action to take should seek professional advice so they are in compliance with the new law by the time it takes effect.
Companies need to recognise that the law is not simply aimed at compliance monitoring. This means there is much more to do when it comes to issues surrounding data protection and the handling of personal data.
Contributed by VUNNIPA RUAMRANGSRI, partner and NOPPARAT LALITKOMON, manager for legal and tax services, PwC Thailand.