Thailand's PDPA and the Shifting Landscape for CFOs
Author: Somkrit Krishnamra
Partner | Strategy, Risk & Transactions
The Rise of Data Privacy Regulations
Thailand's Personal Data Protection Act B.E. 2562 (Thai PDPA) was put into full effect in June 2022, after a two-year delay. Governments recognise the need for data privacy regulations, mirroring a shift in the business world, and companies increasingly value data-driven decision-making. The PDPA regulations signify the convergence of these trends, placing data privacy at the forefront of government and corporate strategies and decision-making, particularly for chief financial officers.
In October 2021, Deloitte Thailand conducted a Thai PDPA readiness survey across a sample of organisations and industries in Thailand. This survey aimed to understand how organisations were preparing for Thailand's PDPA compliance before the full enforcement date. After a full year of enforcement, another survey was conducted to understand how companies were adjusting to the enforcement, what challenges they had faced, and what internal process changes had taken place.
With organisations increasingly relying on data-driven strategies, data privacy and PDPA compliance investments are no longer optional expenses. CFOs must now navigate the financial landscape of technology investments to bolster data security while mitigating the significant financial risks associated with reputational damage from data breaches. Data privacy has become an economic imperative for CFOs in the PDPA era.
Shifting Priorities: Reputation and Trust Take Centre Stage
Since enforcement began in 2022, 89% of the organisations surveyed have implemented processes for PDPA compliance, compared to just 30% leading up to the enforcement date. For many organisations, managing PDPA's monetary and operational impacts has been an ongoing balancing act for CFOs. While concerns about the financial costs of non-compliance, data leaks, and breaches persist, the most recent survey results reveal a shift in priorities. The threat of regulatory fines or lawsuits, previously the top driver at 73%, has dipped to 59%. Reputation damage and consumer trust have become the top concerns, reflecting a growing understanding that data breaches can inflict significant financial harm beyond regulatory penalties.
Beyond Compliance: Untapping the Value of Data Privacy
Organisations are now recognising the broader value of data privacy beyond just regulatory compliance. Pre-implementation results showed that 23% of respondents saw no additional benefits. This number has shrunk to just 4% post-enforcement, with a notable 58% recognising significant advantages. This is particularly evident in the consumer industry, where the perception has significantly transformed. Previously, 28% of businesses viewed PDPA solely as a compliance activity. However, with a growing emphasis on data-driven strategies, there's been a clear shift toward recognising the broader benefits of PDPA compliance. Strong data governance practices can translate into a competitive advantage by fostering trust with consumers, a key consideration for CFOs navigating the evolving data landscape.
Investing in Resilience: Budget Allocation, Training, and Building a Compliant Workforce
The PDPA enforcement has presented the need to shift areas of budget allocation previously set aside for data privacy. Compared to the results of the pre-enforcement survey, there was a noticeable increase in investment in data leakage prevention, governance, risk and compliance (GRC), and employee training. These investments are crucial to mitigate the heightened risk of penalties and reputational damage from data breaches, a top concern for CFOs in the PDPA landscape.
Human resources remain a critical yet increasingly complex area for CFOs navigating the Thai PDPA. While training has always been necessary, the post-enforcement environment demands more investment in this domain. This ensures that employees grasp all the angles of the PDPA, data security protocols, data subject rights, and proper information handling. Staff knowledge remains a top challenge. On top of this, there is a growing difficulty in securing sufficient staff. CFOs must navigate these human resource hurdles to ensure a well-trained and compliant workforce, a crucial element in mitigating the financial risks associated with data leaks and breaches.
Thailand's PDPA has fundamentally reshaped the decision-making landscape for CFOs. Data privacy is no longer a peripheral concern; it's a core financial imperative demanding strategic investment. While navigating the challenges of budgetary allocation, technology upgrades, and employee training, CFOs also have a unique opportunity. By championing strong data governance practices, they can build consumer trust, mitigate financial risks, and ultimately position their organisations for a competitive advantage in the data-driven era.