Why it's time consumers ask tough questions about data privacy

They go to the shopping mall and they get a push message saying, "You're close to our shop and we have a special, exclusive discount for you. Come visit us." That makes them feel very special. It's almost like being famous. It's not perceived as "creepy."
I think this is going to change, though. There's a new story about identity theft or "phishing" every second day in the news. People are starting to hear more often about getting scammed or robbed online. They start to realise that their information is out there for anyone to see.
Certainly, at some point, the awareness levels will increase. A quick look at Pantip or blognone, reveals that they now have pop-ups asking for consent to use your data. That didn't exist last year. 
If you're ready to improve the safety of your data, know that there are two sides to data privacy: the side you control and the side you don't control. It's up to you whether you want to check into every single venue you visit and share every dish you eat, or even your photos of the toilets when they're particularly fancy. You can control that.
Then there's the personal data that you've handed over to companies because you needed to use their services. For example, your bank or mobile service provider has your ID number, address, and phone number. Your bank would also know all your transactions, while your mobile service provider would know who you've called and which websites you've visited.
That is a lot of data for them to hold and with it comes a great responsibility. And it begs the question: what is being done with that data? Are you confident it is safeguarded carefully? Is everything being done to protect it? Or are they just ticking off the boxes to meet bare legal requirements?
If you're counting on your data being |protected by legal requirements, know that the only requirement is "consent". That form you signed ages ago, or those boxes you ticked on a website - that's all the law requires.
Everything else depends on the commitment of individual organisations. I've worked in a number of them and I can tell you I'd say the average local company gets a two out of five rating on privacy, even the very big ones. The ones with a global footprint usually do better, even if their presence here is small. Size isn't what matters.
At DTAC, privacy is not just a principle and a policy posted on our corporate website. It goes beyond that. You have to look at the users, the people at the operations level. They are the most risk exposed. For the month of November, we trained 700 people across eight 2.5-hour sessions. And we're continuously producing internal campaigns online, on our in-house radio and on billboards.
Training is key because of the ambiguities surrounding privacy. If you just look at the code of conduct, well, how do you interpret it? The code of conduct says that our employees should not reveal, disclose, sell or distribute company secrets in any form. So if I go into a company's records and look at my girlfriend's file, I'm not revealing, disclosing or selling any information, am I? And yet, it's clearly not okay. These are the kind of scenarios we have to cover in training. I use real-world examples to show the risks that can come with consulting information other than for work-related reasons. And I remind our teams that there are better avenues to do this without infringing on privacy. Want to consult your elderly grandparents' phone bill? Ask them for their password and use the DTAC website. Don't do it using your employee privileges.
But training without a control system is not enough. Every access to information at DTAC has to be reconciled with a customer's request for that information. If we spot any unreconciled access, our managers will investigate it, and I randomly investigate the managers, too.
Finally, full data protection is actually a combination of data privacy plus data security. We've made big changes on who can access what. A single password won't get you access to everything anymore. And it's impossible to download staff records in bulk, which is what happened in a hacking attack on a competitor last year. You'd have access to one or two records at most.
I really hope consumers will demand more regarding their data protection. If someone steals your identity and commits a crime, you could get in serious trouble. There is no 100-per-cent protection, but do ask yourself: Is your data held by a company that is watching, a company that cares, and a company with systems in place to spot anomalies?

Montri Stapornkul is an assistant |vice president, policy governance culture department, DTAC.