In June 2022, after two years of delay, Thailand's Personal Data Protection Act B.E. 2562 (PDPA) came into effect. The act aims to create greater transparency and accountability in the handling of personal data, changing the privacy landscape for businesses.
Thailand is following other markets in Asia whose governments have finally come to terms with the importance and necessity of formalising data privacy protection and regulation. It comes at a time when companies have realised the importance of making decisions based on data, as opposed to tradition, gut feel, culture, or a combination of these.
As companies continue to push the envelope of their data-driven ambitions, it is natural to conclude that data management and privacy are a concern not just for the privacy officer or the legal department, but for the rest of the leadership, including the CFO.
Anna Russell, worldwide VP of sales and strategy for Voltage at Micro Focus, opined that many principles in existing privacy regulations and laws advanced during the pandemic. She added that many data regulations have rules that accommodate emergency measures such as the pandemic.
“For example, the GDPR – one of the world’s strictest privacy regulations – is backed by principles such as data minimisation and purpose limitation. This means that as little personal data as necessary should be collected and used for a specific emergent purpose.” (Anna Russell)
She also pointed out that transparency and protection principles advanced as well. “Affected individuals must be informed clearly about the usage of their data, and the data must be sufficiently protected against cyber risk and unauthorised sharing across the organisation,” she continued.
She believes that, compared with the pre-pandemic landscape, the greater reliance on these principles will likely pave the way for security advancements that ultimately improve privacy.
What is the role of Chief Financial Officers (CFOs) and senior finance leaders when it comes to data privacy and compliance?
Anna Russell: The CFO’s role has evolved significantly over the past decade to accommodate more than just financial stewardship. CFOs today need to have a strong understanding of technology-driven issues such as information security, data management, and data privacy and compliance.
With data breaches on the rise, data protection and privacy are at the top of the agenda for many organisations. At the end of the day, the damage that unprotected or unsecured data can cause – from strategic losses and regulatory penalties to reputational damage – will make a dent in a company’s finances.
Not to mention that budget provisions for ensuring data privacy and protection will fall on the CFO’s table. From anticipating the cost of a data breach to supporting the design and implementation of a privacy framework across the organisation, CFOs today have a greater responsibility that encompasses data privacy and compliance.
What makes sense to delegate, and are there any proven approaches to staying aware of and involved in data privacy and compliance measures?
Anna Russell: Depending on the size and needs of the organisation, there are multiple ways to stay on top of data privacy and compliance measures. One way, for example, is to appoint a dedicated policy owner within the company itself. This team member’s job will be to monitor upcoming changes and identify solutions for the organisation to remain compliant.
Another option is to outsource this to an external partner with the right expertise. Privacy laws vary across geographies, and changes may often come with nuances that are challenging to navigate. An external partner that focuses on compliance can lower the impact on your internal teams, as they will not need to scramble when new changes to privacy laws are made.
Today, many technology-driven organisations offer tools and services that reduce compliance burden and quickly solve difficult data privacy challenges. For example, there are security data platforms that can protect the information in compliance with global data privacy regulations throughout the entire lifecycle of data – from the point the data is captured and throughout its movement across the enterprise.
As organisations move to become more data-driven, how will a data-driven strategy affect an organisation’s commitment to data privacy and compliance?
Anna Russell: Organisations are finding the explosion of data an insurmountable task to manage, especially under the pressure of security frameworks and data privacy regulations. For customers and enterprises to get the most value out of their data, organisations must design an end-to-end framework to deliver insight and control, data protection, and usability across the entire data life cycle. When it comes to data privacy and compliance, this framework must encompass:
Data privacy readiness – Enterprises need to first discover, classify, and analyse data based on a contextual understanding of the data elements, which will enable further actions such as protection, retention, and disposal.
Test data management – Organisations can no longer use real production data for testing, development, quality assurance, or education, due to data privacy laws. Hence, it is vital to have effective tools that generate anonymised and protected data that will deliver the required outcomes.
PII/Personal Data Encryption – Organisations must identify and assess personally identifiable data to understand risk exposure and apply technology to quickly and cost-effectively encrypt this data for secure use.
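The three capabilities just listed (discover and classify personal data, generate anonymised test data from it, and protect the identifiers) can be shown end to end in a short script. The following is an added example written for this page; it is not code from the interview, from Micro Focus or from any Voltage product. It assumes flat record dictionaries, uses a few illustrative regular-expression detectors rather than a full PII catalogue, and stands in for a commercial encryption or tokenisation product with a keyed HMAC tokeniser, which is one-way and therefore suits test data but not data that must later be recovered. The Thai national ID check-digit rule (weights 13 down to 2, check digit = (11 − sum mod 11) mod 10) is applied so that generated test identifiers pass the same validation as real ones; the sample records are constructed and fictitious.

```python
"""Added example: discover personal data in records, then generate anonymised
test data that keeps the format and the referential integrity of the original.

Assumptions (not stated by the interview): flat dict records, illustrative
regex detectors, HMAC tokenisation in place of a vendor product, and the
weighted-sum Thai ID check-digit rule for realistic test identifiers.
"""
from __future__ import annotations

import hashlib
import hmac
import re

THAI_ID_RE = re.compile(r"^\d{13}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d[\d\s-]{7,}\d$")


def thai_id_check_digit(body12: str) -> int:
    """Check digit for the first 12 digits of a Thai national ID (assumed rule)."""
    total = sum(int(c) * (13 - i) for i, c in enumerate(body12))
    return (11 - total % 11) % 10


def thai_id_checksum_ok(value: str) -> bool:
    return bool(THAI_ID_RE.match(value)) and thai_id_check_digit(value[:12]) == int(value[12])


def classify(value) -> str | None:
    """Discovery step: label one value, or None when no detector fires."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if thai_id_checksum_ok(v):          # first: 13 bare digits would also match PHONE_RE
        return "national_id"
    if EMAIL_RE.match(v):
        return "email"
    if PHONE_RE.match(v):
        return "phone"
    return None


def discover(records: list[dict]) -> dict[str, str]:
    """Map a field to a PII kind only when every non-empty value agrees on it."""
    schema = {}
    fields = {f for r in records for f in r}
    for f in fields:
        kinds = {classify(r.get(f)) for r in records if r.get(f) not in (None, "")}
        if len(kinds) == 1 and None not in kinds:
            schema[f] = kinds.pop()
    return schema


def tokenise(value: str, kind: str, key: bytes) -> str:
    """Test-data step: keyed, one-way, format-preserving pseudonym.

    HMAC over (kind, normalised value) yields the same token for the same input
    in every table, so joins still work in the test environment, while the key
    stops anyone from rebuilding the mapping by hashing guessed inputs.
    """
    msg = f"{kind}:{value.strip().lower()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big")
    if kind == "email":
        return f"user-{digest[:6].hex()}@example.invalid"
    if kind == "phone":
        return f"0{n % 10**9:09d}"            # 10-digit local-style number
    if kind == "national_id":
        body = f"{n % 10**12:012d}"
        return body + str(thai_id_check_digit(body))   # passes the same checksum
    raise ValueError(f"no tokeniser for kind {kind!r}")


def anonymise(records: list[dict], key: bytes, schema: dict | None = None) -> list[dict]:
    """Replace every discovered PII field; leave non-PII columns untouched."""
    schema = schema if schema is not None else discover(records)
    return [
        {f: tokenise(v, schema[f], key) if f in schema and v else v for f, v in r.items()}
        for r in records
    ]


# Constructed sample data: fictitious people; IDs chosen to satisfy the check digit.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Somchai", "email": "somchai@example.com",
     "phone": "+66 81 234 5678", "national_id": "1234567890121", "plan": "gold"},
    {"customer_id": 1002, "name": "Nok", "email": "NOK@example.com",
     "phone": "0812345679", "national_id": "1100000000008", "plan": "basic"},
]

if __name__ == "__main__":
    key = b"hypothetical-test-env-key"   # in practice, fetch from a secrets store
    print("discovered:", discover(SAMPLE_RECORDS))
    for row in anonymise(SAMPLE_RECORDS, key):
        print(row)
```

Two things the output makes visible. First, the `name` column is not flagged: pattern-based detectors find structured identifiers but miss free text, which is why the interview stresses classification based on a contextual understanding of the data elements rather than format alone. Second, because the tokens are keyed and deterministic, `customer_id` joins across anonymised tables still hold, and anyone who obtains the test data without the key cannot recover the original values; rotating or losing the key changes every token, so the key itself needs the same custody as production secrets.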
What steps should a CFO take to ensure the enterprise adheres to its data privacy commitments even as the business itself moves to become more data-driven?
Anna Russell: The first and most crucial step is to create a strong data privacy and protection strategy, as part of the company’s wider data-driven strategy. This ensures that data privacy is embedded throughout the lifecycle of the data, beginning at the moment it enters the enterprise environment.
CFOs should also keep in mind that customers and consumers require companies to operate under privacy laws and frameworks. While ensuring internal stakeholders are fully aware of the financial implications of non-compliance or breaches, they must put the interests of the customers first.
This means writing privacy policies in simple language that all stakeholders across the organisation, beyond lawyers, can understand and ensuring that policies place the customers’ interest at heart.
Lastly, as organisations increasingly digitalise, CFOs must also understand and finance innovations within the data privacy space. To fully ensure regulatory compliance and protect data, CFOs must embrace and support the implementation of the latest innovations in Privacy-Enhancing Technology (PET), especially as companies seek to store sensitive data to leverage it for future commercial gain.
PET enables businesses to leverage insights from third-party private data without violating any laws by ensuring confidential information that cannot be shared is not revealed.
Any thoughts on what to expect in 2023?
Anna Russell: Gartner predicts that by 2024, 75% of the world’s Sensitive Personal Identifiable Information (SPII) will be covered by one of the many (and ever-growing) Modern Global Privacy Regulations. In 2023, in preparation for this prediction, enterprises processing or wanting to do more with SPII covered under regulations will need to invest in PET.
We will see higher numbers of Data Privacy Officers being appointed, and responsibility shifting to incorporate legal, compliance and security so that they can work much more closely together.
With this now being brought into force at many enterprises, we expect to see PET projects associated with Privacy-by-Design and not treated as an afterthought to tick the box for a compliance or regulatory obligation.
This will be extremely important for companies that face multiple privacy regulations globally, to ensure that approaches and standardised techniques are globally transferable.