Our modern world runs on technology, and data is both its key and its fuel. It lubricates the machinery of the financial sector, but very large volumes of data can be very dangerous in the wrong hands, and the sector is worst hit when it comes to data theft or unlawful hacking on account of the sensitive nature of the data in question.
Governments across the world have been painfully slow in bringing adequate data protection laws into play. In an attempt to tighten the rules and hold the right people accountable, Thailand has recently launched the Personal Data Protection Act (PDPA), and the most striking differentiating feature of PDPA is that it makes a data security lapse a criminal offence. PDPA has two key focus areas, the first being Data Security and the second addressing Consent Management. Every global financial organization is familiar with the concept of data security, and hence it is the easier of the two to handle. To comply with data security norms, companies must have robust protocols in place to block hackers and prevent data leaks. They must ensure that customers’ personal data is well protected and that confidentiality is never breached.
Complying with Consent Management norms is, however, the larger challenge. As per PDPA norms, for every customer consent the bank must have a valid reason. The bank cannot acquire any customer consent without a motive that is justifiable in a court of law. It is a rather complicated arena, where the bank has to work with business units, retail marketing or other corporates. A thorough review of the purpose of seeking any data from customers needs to be maintained, and things can get further complicated because customers have different types of personalization.
For example, if the bank needs to access a customer's location to offer better service, it needs to capture the customer's consent on a system that tracks evidence, so that the record can later be used as proof of consent if a dispute arises. For every such personalization, the relevant consent needs to be collected in a manner that can later be produced as proof in a court.
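The paragraph above asks for consent captured "on a system that tracks evidence". The following is an added illustration of what such evidence can look like, not code from the article or from any bank mentioned in it: each consent event (grant or withdrawal) is stored together with the purpose it was collected for, and the records are chained with SHA-256 so that a later edit or deletion of any record is detectable when the chain is verified. Every identifier, purpose string, timestamp and customer id here is constructed for the example.

```python
"""Tamper-evident consent ledger (added illustration, constructed data).

Each record carries the purpose the consent was collected for, the data
points it covers, when and where it was captured, and a SHA-256 hash that
also covers the previous record's hash. Verifying the chain recomputes
every hash, so a silently altered record no longer matches.
"""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

GENESIS_HASH = "0" * 64  # chain anchor for the very first record


@dataclass(frozen=True)
class ConsentRecord:
    customer_id: str    # pseudonymous id, never the customer's name
    purpose: str        # the justifiable reason the data is collected for
    data_points: tuple  # which personal data this consent covers
    granted: bool       # True = consent given, False = consent withdrawn
    recorded_at: str    # ISO-8601 UTC timestamp from the capturing system
    channel: str        # where consent was captured (app, branch, web)
    prev_hash: str      # hash of the preceding record (GENESIS_HASH for the first)
    record_hash: str    # SHA-256 over every field above


def _digest(fields: dict) -> str:
    """Canonical JSON (sorted keys) so the hash is reproducible at verification time."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record(self, customer_id: str, purpose: str, data_points: tuple,
               granted: bool, recorded_at: str, channel: str) -> ConsentRecord:
        """Append one consent event, chained to the previous record."""
        prev_hash = self.records[-1].record_hash if self.records else GENESIS_HASH
        fields = dict(customer_id=customer_id, purpose=purpose,
                      data_points=tuple(data_points), granted=granted,
                      recorded_at=recorded_at, channel=channel, prev_hash=prev_hash)
        rec = ConsentRecord(**fields, record_hash=_digest(fields))
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute every hash and check each record points at its predecessor."""
        expected_prev = GENESIS_HASH
        for rec in self.records:
            fields = asdict(rec)
            stored_hash = fields.pop("record_hash")
            if rec.prev_hash != expected_prev or _digest(fields) != stored_hash:
                return False
            expected_prev = stored_hash
        return True

    def current_consent(self, customer_id: str, purpose: str) -> Optional[ConsentRecord]:
        """The most recent record for this customer and purpose decides whether consent stands."""
        for rec in reversed(self.records):
            if rec.customer_id == customer_id and rec.purpose == purpose:
                return rec
        return None

    def evidence_for(self, customer_id: str, purpose: str) -> List[dict]:
        """Full history for one customer and purpose, in the form a dispute review would need."""
        return [asdict(r) for r in self.records
                if r.customer_id == customer_id and r.purpose == purpose]


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: location consent granted in the app, later withdrawn at a branch."""
    ledger = ConsentLedger()
    ledger.record("cust-0001", "location-based branch offers", ("device_location",),
                  True, "2023-03-01T09:15:00Z", "mobile-app")
    ledger.record("cust-0001", "credit-card e-statements", ("email",),
                  True, "2023-03-01T09:16:00Z", "mobile-app")
    ledger.record("cust-0001", "location-based branch offers", ("device_location",),
                  False, "2023-04-10T14:02:00Z", "branch")
    return ledger


def tampered_copy(ledger: ConsentLedger) -> ConsentLedger:
    """Constructed scenario: a stored record's purpose is edited after the fact
    without re-chaining; verification of the copy must fail."""
    copy = ConsentLedger()
    copy.records = list(ledger.records)
    copy.records[1] = dataclasses.replace(copy.records[1], purpose="third-party marketing")
    return copy


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain valid:", ledger.verify())
    print("location consent stands:",
          ledger.current_consent("cust-0001", "location-based branch offers").granted)
    print("tampered chain valid:", tampered_copy(ledger).verify())
```

The point of the chain is not secrecy but evidential integrity: a bank asked to produce proof of consent can show the record, the purpose it was collected for, and a verification that the record has not been edited since it was written. In production the ledger would be persisted to append-only storage and the chain head anchored externally (for example, time-stamped or signed); the example keeps everything in memory to stay self-contained.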
PDPA's three golden rules of compliance are:
- The project head or the business leader should familiarize themselves with the intricacies of PDPA and must be committed to implementing the required measures
- Engagement with the compliance team to understand the legal requirements and to prioritize the different tasks is essential
- Conduct a Privacy Impact Assessment (PIA), since you need to focus on the larger impact first. For instance, if you add a retail banking wing, you need to focus on the data points you need to acquire from customers. You need to review whether it is necessary to get that information, as it is crucial to collect only the data that can be legally justified
Objectivity and teamwork, coupled with a thorough legal understanding, are the key to complying with PDPA. And since even a single dispute can harm the bank's reputation incrementally, special care to comply with every intricacy is a must.
This story has been compiled with key inputs from Surachai Chatchalermpun, CISO, Krung Thai Bank, Thailand.