Deloitte PDPA The Series: The Complete Roadmap for Your PDPA Compliance Journey
Episode 5: Are you REALLY ready for the upcoming full PDPA enforcement?
August 11, 2021
Speakers
Sutthika Ruchupan, Counsel, Tax & Legal, Deloitte Thailand
Monai Supanit, Manager, Risk Advisory, Deloitte Thailand
Prateep Puengwattanapong, Director, Risk Advisory, Deloitte Thailand
Duties and Liabilities of Data Controllers – Sutthika Ruchupan
PDPA Episode 5© 2021 Deloitte Touche Tohmatsu Jaiyos Co., Ltd. 4
Update on postponement
Notification issued during the postponement: Announcement of the Ministry of Digital Economy and Society on the Security of Personal Information B.E. 2563
➢ Sets minimum standards for administrative, technical and physical safeguards and access control of Personal Data held by a Data Controller.
Timeline:
• 2018: GDPR came into force
• 2019: Government Gazette published Thai PDPA
• 2020: Thai PDPA to become effective per the Act
• 2021: Thai PDPA to become fully in force after 1 year postponement
• 2022: Thai PDPA to become fully in force after 2 years postponement
What you need to consider when processing Personal Data – From legal lens
Duties and liabilities of Data Controllers
• Purposes: What are the purposes of collecting/using personal data?
• Necessity: Are those data really necessary to fulfill the purposes?
• Legal basis: Which legal bases are you applying?
• Security measures: What security measures have you put in place?
• Rights of Data Subject: Are you recognizing the Data Subject's rights?
Are your legal documents ready for PDPA compliance?
Duties and liabilities of Data Controllers
Privacy Notice (Section 23) – to be provided upon or before collection of personal data, covering:
• Purpose and its legality
• Necessity of providing personal data for entering into a contract, and the consequence of not providing it
• Retention period
• To whom the data will be disclosed
• Contact details of Data Controller & DPO
• Data Subject's rights
Are your legal documents ready for PDPA compliance?
Duties and liabilities of Data Controllers
Consent (Section 19)
❑ Explicit
❑ In written form or electronically
❑ Freely given
❑ Not conditional upon entering into a contract
❑ Data Subject has capacity
❑ Easy to withdraw
The consent request itself must be clearly distinguishable, easily accessible, informed of the purposes, and not misleading.
Liabilities
Duties and liabilities of Data Controllers
Civil liabilities
• Compensation for actual damage plus all expenses incurred by the Data Subject
• If the court sees fit, additional compensation of not more than 2 times the compensation for actual damage
Criminal liabilities
• Not more than 1 year in prison or a fine of not more than THB 1,000,000, or both, depending on the offence
Administrative liabilities
• Warning or a fine of not more than THB 5,000,000, depending on the offence
Our Initial Observation – Common Practical Issues
Public Perception
• Only big companies are required to comply with PDPA
Top 5 Businesses being claimed under GDPR
• Social Media Platforms
• Financial Services
• Ecommerce
• Technology Sector
• Healthcare and Medical
Readiness of Industries
• Some industries are more attentive to PDPA, e.g., the financial industry and telecommunications
• Benefit of having a parent company in the EU
Lack of Awareness within Organization
• PDPA compliance is the responsibility of one person
• PDPA is a one-time project
Our Initial Observation – Common Practical Issues
Excessive Data Collection
• What are the purposes and legal basis for collection?
• Is the data really necessary to fulfill the purpose?
Who is Data Controller/Processor?
• Are employees data processors while employers are data controllers?
• Can the company be both data controller and data processor?
Retention Period
• What is an appropriate retention period?
• Can we keep the data forever?
Is consent a must?
• The perception is that consent is needed for collecting Personal Data in all cases, leading to heavy reliance on consent
• Why would that be a concern?
Marketing Activity
• Can we still do marketing activities when PDPA comes into effect?
• Consent vs Legitimate Interest?
Privacy is a burden
• Cost related: personnel and financial
• Changing current business processes
Regulatory and Operational Risk – Monai Supanit
Effect that Thai PDPA has on your Organization
The company shall adjust various business processes to align with the legal requirements, covering technology, employees, governance structure, policy, process and regulations.
• Policy: The company shall announce a policy and procedure regarding personal data protection.
• Process: All business units in the company shall revise and adjust business processes to encourage awareness of personal data protection.
• Regulations: The company shall comply with Thai PDPA legal requirements.
• Technology: Technology shall be developed to comply with the Thai PDPA.
• Employee: All employees shall be aware of, understand, and be able to adopt Thai PDPA practices.
• Governance Structure: The company shall appoint a Data Protection Officer (DPO).
Compliance with Thai PDPA Requirements
How can you identify what is considered personal data?
Personal Data: In identifying what is personal data, you shall consider whether that data can be used to identify a specific person; it may be data such as first name, last name, phone number, address, or bank account number, etc. For example, a phone number alone, without a first or last name, is still considered personal data since it can be used to identify its owner. You can find more details regarding the scope and categories of personal data in the company's Privacy Notice.
What do you have to do when there is processing of personal data?
Data Life Cycle stages: Collection, Storage, Use, Transfer, Archival, Destruction
Data Life Cycle: Prior to collection, use, or disclosure of any personal data, besides considering the legal basis of processing, you shall understand the data life cycle so that you can identify the step of personal data processing you are in and comply appropriately with the Personal Data Protection Procedure.
Compliance with Thai PDPA Requirements
What is a Record of Processing Activities (ROPA)?
Record of Processing Activities (ROPA): It documents the personal data processing activities of each business unit, and it is each business unit's responsibility to maintain and update it when changes arise. The details of the ROPA are arranged according to the data life cycle, starting from the collection stage through to the deletion stage: Collection, Storage, Use, Disclosure, Deletion.
Personal Data and Information Technology – Prateep Puengwattanapong
Data Privacy Security Measures
Administrative
• IT Security Policy, Procedure, Guideline, Acceptable Use Policy
• Security and Privacy awareness and training
• KPI
Technical
• Access Control (least privilege), logging and disposal
• Application, Databases
• Operating System
• Network
• Processing Devices (PC, Mobile, IoT, BYOD)
• Data Discovery and Inventory
• Data Leakage Prevention System
• Encryption
• Anonymizing or Pseudonymizing
• Penetration Testing and Vulnerability Assessment
• Shadow IT Management
Physical
• Physical Access Control
• Data Storage
• Work area
• Processing Devices (PC, Mobile, IoT, BYOD)
• CCTV Surveillance
• Processing Environmental Control
Personal Data and Information Technology
Data life cycle stages: Collect, Store, Access, Usage & Transfer, Delete
Information Security
• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
• Integrity: the property of safeguarding the accuracy and completeness of assets
• Availability: the property of being accessible and usable upon demand by an authorized entity
Privacy Management System
• Consent Management / Cookie Consent
• Data Subject Access Right Handling
Which technology to choose?
Already have a GRC platform, or looking to manage privacy risks in a structured and centralized manner and to manage complaints/issues?
Choose a GRC solution such as ServiceNow, RSA Archer or MetricStream that offers a simple privacy assessment workflow, a risk management process and an issues/complaint management use case.
Looking to improve data security?
Implement tools that not only give you visibility of the whereabouts of your confidential data, so as to allow good security controls to prevent breaches, but also the ability to dynamically authorize usage and to revoke the right of use if required.
Looking for an end-to-end solution to automate your privacy operations?
Choose privacy-focused software such as OneTrust, Securiti.ai etc., which can help you with consent management, cookie management, data inventory, privacy assessments, automated discovery, data subject rights handling etc.
The deciding factor would be which processes you want to automate, for a variety of reasons, e.g. resource constraints, efficiency, transparency etc.
Operationalizing Data Privacy and Protection Policies – through automation
You can transition from written policies to programmatic policy enforcement and implementation.
Data Security and Protection
1. Discover, Define and Classify
2. Assign and Enforce Security Controls
3. Analyse user behaviour and Report
4. Monitor Compliance
5. Remediate
Privacy operations that can be automated:
• Consent Management
• Cookie Management
• Individual Rights Management
• Data Inventory
• DPIA
• RoPA
• Complaints Handling
• Incident Response
• Data Discovery and Correlation
Data Centric Security Approach
There are several considerations to factor in when approaching data protection/security:
• Know your data and application
• Protect data at the source
• Protect data on the move and when shared
• Monitor, audit, and report
Outcomes: Secure Information Sharing; Visibility and Control; Centralised Policy Management; Dynamic Authorisation; Reduced Risk and Fraud; Improved Compliance
Deployment models: SaaS | Hybrid Cloud | Private Cloud | On-Premise
Aligned Data Protection Technologies
• Data Encryption, Tokenization, and Obfuscation
• Data Retention and Destruction
• Data Loss Prevention
• Data Access Governance
• Database Security
• Privileged Access Management
• Data Discovery and Inventory
• Data Classification
Data Protection from the inside out principles
Fundamentally, data protection from the inside out focuses on three important principles:
1. Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational and incredibly important to data protection.
2. Implementing data-layer protection capabilities can help to both prevent and detect data breaches at an organization's "last line of defense".
3. Reducing the value of sensitive data is perhaps the most important principle and is based on the premise that it's not "if", but "when" adversaries will get to your data.
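The three principles above map directly onto code. The following Python example is added here as an illustration and is not part of the Deloitte deck or any product mentioned on it. It runs the three steps over a handful of constructed records: (1) discover and classify records that contain personal data (a phone number alone is enough, as the deck notes), (3) reduce the value of the stored identifiers by replacing them with keyed HMAC-SHA256 tokens, so a leaked table is useless without the key, and (2) enforce least-privilege, per-role field access at the data layer while writing an audit line for every read. The field names, role table and phone/bank-account patterns are assumptions made for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed sample records for the example (not real people, not from the deck).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"id": 1, "name": "Somchai Jaidee", "phone": "081-234-5678",
     "bank_account": "123-4-56789-0", "city": "Bangkok"},
    {"id": 2, "name": "", "phone": "0891234567", "bank_account": "", "city": "Chiang Mai"},
    {"id": 3, "name": "", "phone": "", "bank_account": "", "city": "Phuket"},
]

# Principle 1: discover and classify. These patterns are illustrative assumptions
# (Thai-style 10-digit mobile number, hyphenated 10-digit bank account), not an authority.
PII_PATTERNS = {
    "phone": re.compile(r"^0\d{1,2}-?\d{3}-?\d{4}$"),
    "bank_account": re.compile(r"^\d{3}-?\d-?\d{5}-?\d$"),
}
DIRECT_IDENTIFIERS = ("name", "phone", "bank_account")


def classify(record: Dict[str, object]) -> str:
    """Label a record 'personal' if any field can identify a specific person."""
    if record.get("name"):
        return "personal"
    for field, pattern in PII_PATTERNS.items():
        value = str(record.get(field, ""))
        if value and pattern.match(value):
            return "personal"  # a phone number on its own already identifies its owner
    return "non-personal"


# Principle 3: reduce the value of the data that is actually stored.
def pseudonymize(value: str, key: bytes) -> str:
    """Keyed token: stable for joins and de-duplication, infeasible to reverse without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def reduce_value(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Replace direct identifiers with tokens; non-identifying fields stay in the clear."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            out[field] = pseudonymize(str(out[field]), key)
    return out


# Principle 2: data-layer protection. Each role sees only the fields its purpose needs
# (least privilege), and every read leaves an audit line for detection.
ROLE_FIELDS = {
    "marketing": {"id", "city"},
    "payments": {"id", "name", "bank_account"},
    "support": {"id", "name", "phone", "city"},
}


def read_record(record: Dict[str, object], role: str, audit: List[str]) -> Dict[str, object]:
    """Return the role-filtered view of a record and append an audit line; unknown roles get nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    view = {k: v for k, v in record.items() if k in allowed}
    denied = sorted(set(record) - allowed)
    audit.append(f"role={role} id={record.get('id')} allowed={sorted(view)} denied={denied}")
    return view


def run_pipeline(records: List[Dict[str, object]], key: bytes, role: str,
                 audit: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Classify each record, tokenize personal ones before storage, then serve a role-limited view."""
    results = []
    for record in records:
        label = classify(record)
        stored = reduce_value(record, key) if label == "personal" else dict(record)
        results.append((label, read_record(stored, role, audit)))
    return results


if __name__ == "__main__":
    demo_key = b"example-key-load-from-a-secret-store"  # placeholder; never hard-code in production
    log: List[str] = []
    for label, view in run_pipeline(SAMPLE_RECORDS, demo_key, "support", log):
        print(label, view)
    print("\n".join(log))
```

The token is keyed rather than a plain hash on purpose: a phone number has only about ten billion possible values, so an unkeyed SHA-256 of it can be brute-forced from a leaked table, whereas the HMAC key lives outside the data store and is what a breach does not get. The audit list is passed in rather than kept as a global so that each caller (or test) controls its own log.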
How we can help you
Our Data Protection/Security Offerings
Deloitte is equipped with Forcepoint technology to provide services that assist organisations in understanding the exposure of confidential data within the organization's assets, including storage and access activities as well as data outflows, in order to enforce privacy policy. Forcepoint is recognized by Gartner as a "Leader" in the Magic Quadrant for Enterprise Data Loss Prevention (DLP).
Sensitive Data Discovery Assessment
This assessment service typically lasts 4 – 6 weeks and provides a holistic data loss risk view by discovering sensitive data residing in user endpoints or storage that the organization may not be aware of.
This assessment leverages Forcepoint's industry leading Data Protection Endpoint & Network Discover technology to discover the following:
• Structured & unstructured data in file repositories
• O365 mailboxes & traditional Exchange
• SharePoint on premise and online
• Sensitive data on end-user devices
Cloud SaaS Security Assessment
This assessment service typically lasts 3 – 4 weeks, targeting data loss risk in organisations' cloud environments.
This service provides insight into data usage and storage in the cloud, and leverages Forcepoint's cloud data protection to:
• Identify shadow IT usage
• Gain visibility of cloud application data retention and compliance policies per sanctioned application
• Scan for sensitive data within Microsoft OneDrive, Google Drive, Box, Salesforce, and other cloud platforms
User Behavioural Assessment
This assessment service typically lasts 6 – 8 weeks and provides an analysis of data loss through collection of "suspicious" user behaviour rather than through discovery of predefined sensitive data.
This assessment leverages Forcepoint's rich history of user analytics and industry leading data protection to:
• Detect highly suspicious behaviour
• Surface indicators of risk
Deloitte services: One Stop Service for your PDPA Compliance journey
Initiation and Gap Assessment
• Gap Assessment
• Advisory and Legal Framework
• Records of Processing Activities
Implementation
• PDPA Policy and Procedure
• PDPA Legal Documents
• PDPA Governance
• PDPA and Data Protection Technology Implementation
• DPO Structure
• Awareness Training
Post-implementation
• PDPA Readiness Assessment
• DPO Advisory Services
• DPO Training and Helpdesk
Thank you