Robust Data Privacy Starts With Corporate Culture

Since the Personal Data Protection Act B.E. 2562 (PDPA) took effect in June, one of the Board’s consequential roles is to ensure that the company has measures in place to oversee that the collection, use, and handling of personal data are in accordance with the law.

In the legal context, data privacy seems to be mainly a compliance issue: the company must mitigate the risk of using personal data against the rights and intentions of data owners. This is particularly true for highly regulated industries such as the financial sector. However, in the business context, data privacy goes beyond legal compliance and risk mitigation. Robust data privacy can create confidence among stakeholders that the company manages personal data accurately, transparently, and fairly. Stringent measures also allow the company to use personal data effectively to create value that serves its strategic purposes within a legal and ethical framework. In this regard, data privacy is considered a matter that can generate long-term value and business opportunities.

However, having a policy and implementation guidelines, as well as improving the technology, systems, and internal structure concerning data privacy to comply with the law, may not be sufficient to protect personal data. Numerous companies have made front pages over data privacy issues. For instance, the personal data of over 70 million of Target’s customers was leaked despite the company’s hefty cybersecurity investment. This incident occurred because the Board, management, and relevant personnel failed to ensure effective implementation of existing measures. Despite the existence of a data privacy policy, poor governance of personal data management at Meta (then Facebook) led to the illegitimate use of 87 million Facebook users’ personal data by Cambridge Analytica. Both cases shook public confidence and led to lawsuits as well as enormous fines. They clearly demonstrate that data privacy is not just a matter of putting policies and procedures in place in accordance with the law. It is about ensuring that personnel at all levels recognize the significance of data privacy policies and procedures, and turning them into shared values, attitudes, and eventually corporate culture.

The IOD’s Guideline on Board’s Role in IT and Data Governance indicates that a corporate culture emphasizing data security and data privacy is among the key success factors in business value creation. Since the Board is the most important body for driving corporate culture, ensuring such a culture is another crucial role of the Board that follows from the PDPA. Although it takes time to foster corporate culture, it is not too difficult to do so if the Board drives the following four elements:

1. Understanding of personal data and the importance of data privacy to the company’s success

“Tone at the Top” is essential for driving any corporate culture, and it relies on the leaders’ belief in the significance of personal data and data privacy to the company’s success. Therefore, the Board should ensure that management can pinpoint how personal data benefits the business and supports the company’s strategy, what the data are, how the company collects, uses, keeps, and manages such personal data, and who the internal and external stakeholders and relevant parties are. The Board should also ensure that the governance and management structures, relevant policies, systems and technologies, and procedures are evaluated against legal principles and standards. This is meant to create a common understanding of the purpose of personal data usage and the significance of data privacy in achieving both risk mitigation and value creation goals. It is also important for laying down guidelines for data privacy improvement in accordance with the law, so that the company can effectively collect, use, store, and manage such personal data for business purposes while taking into account the rights of data owners.

2. Adhering to the value of data privacy

Prudent data privacy policies and guidelines should link the necessity of data privacy with business goals, to clearly demonstrate the value of data privacy in creating business benefits and supporting the company on its path to success. The Board should ensure that management spells out the significance of, and the linkage between, data privacy and business goals when preparing policies and guidelines. This will ensure that compliance derives from an understanding of its significance rather than a mere necessity to comply.

3. Recognition of data privacy’s importance among all levels of personnel

To ensure that data privacy becomes a corporate value at all levels, the Board should ensure that management establishes communication channels and various forms of awareness building, so that personnel understand the significance of data privacy to the company’s success, recognize which behavior in handling personal data is desirable and which goes against prudent guidelines, and acknowledge that the leaders value and emphasize the significance of data privacy. For instance:

• Include the significance of personal data and data privacy, as well as best practices in personal data handling, in the employee handbook, new employee orientation, and the company’s Code of Conduct.

• Include data privacy training in the personnel development plan for all levels, including the Board and senior management.

• Appoint a data privacy “Champion” for each department, particularly those that handle personal data. Champions are personnel who believe in the corporate culture and are ready to help drive it. They can help communicate the significance of data privacy and instill related good values and behaviors at the operational level.

• Communicate regularly about data privacy, whether through messages from the Chairman and CEO, recognition of employees with outstanding data privacy behaviors, or an annual Data Privacy Day.

4. Continuous monitoring and improvement

To embed data privacy into corporate culture sustainably, the Board should ensure that performance indicators are established along with regular data privacy performance reports, so that the Board and management can continuously take part in supporting the culture, evaluating its effectiveness, staying alert to potential corporate culture issues, and reviewing improvements. Such indicators could cover the following aspects:

• Financial: The key indicator is the ROI from data privacy investment. It can be measured by a customer confidence index resulting from data privacy policies and measures. Higher confidence could be reflected in increased e-commerce website usage, online transactions, or application downloads. Financial benefits can also be measured by fines avoided through improvements to internal processes made to comply with the law, and by the cost of data privacy projects compared against industry peers, which indicates the company’s efficiency in budget management.

• Customers and stakeholders: Positive reactions from customers and stakeholders are indicators of the company’s reputation and value. They are reflected in credit ratings, business goodwill, and stock prices. They can also be measured by the confidence of customers and stakeholders, as well as by comparing sales and profit before and after the implementation of data privacy policies and measures. Robust data privacy policies and measures could give stakeholders more confidence in engaging with the company.

• Innovation: The company’s innovation in processes and IT systems should align with the data privacy policy in order to support business activities effectively. Therefore, innovation indicators should cover the number of IT systems that have been enhanced to align with the policy. They should also cover the level of integration between cybersecurity and data privacy tools, as this indicates the company’s readiness to tackle cyber threats that could affect personal data.

• Internal process: Besides the number of policies that match legal requirements, the proportion of personnel with data privacy knowledge and skills is another indicator that reflects the company’s readiness in data privacy. This can be assessed from the number of staff who have received data privacy training. Changes in the corporate risk profile are another important indicator, as strengthened data privacy controls should improve the risk profile. This also indicates the effectiveness of the company’s risk management.

Many readers may have heard that using IT for business success is not a matter that concerns only the IT department, but every department within the organization. The same goes for data privacy: it is not a matter that concerns only the compliance or legal department. After all, a key success factor in using any technology and data for business value creation is the “people” side of the company. Thai IOD hopes that, in preparing for and implementing PDPA compliance, your Board will bring corporate culture into the boardroom discussion as well.

References:

  • Aaron Weller and Emily Leach, “How to Build a 'Culture of Privacy',” The International Association of Privacy Professionals, 25 February 2020.
  • Deloitte Thailand, Deloitte Thailand’s PDPA Readiness Survey, January 2022.
  • Muhammad Asif Qureshi, “Building a Privacy Culture,” ISACA Journal, 2 September 2020.
  • Thai Institute of Directors, Guideline on Board’s Role in IT and Data Governance, 2022.

Charawi Chiramakara
Senior CG Analyst – Curriculum and Facilitators
Thai Institute of Directors (IOD)
