
The role of the CFO in PDPA compliance

The Thailand Personal Data Protection Act B.E. 2562 (PDPA) officially comes into effect in June 2022, changing the privacy landscape for businesses.

With the increased collection and use of personal data, the management and privacy of that data is a growing concern for businesses across all sectors. More importantly, after two years of postponements, the Thailand Personal Data Protection Act B.E. 2562 ("Thai PDPA") will officially come into effect in June 2022. The act aims to create greater transparency and accountability in the handling of personal data, bringing changes to the privacy landscape for businesses.

This has come at a crucial time in light of the data leaks and security threats affecting a number of high-profile companies in recent months, including leaks of highly sensitive data from several health care institutions. The stakes are high and, as we enter the third year of the pandemic, continue to increase. Since the start of the pandemic, we have seen accelerated prioritisation of digital investments as well as adoption of a whole range of digital infrastructure, and with it a sharp growth in the volume of personal data being created and stored.

According to a recent Thai PDPA benchmarking survey conducted by Deloitte Thailand, 91% of respondents indicated that they plan to or have already appointed a Data Protection Officer (DPO), with 75% appointing internally rather than outsourcing. Even with a position designed specifically to look after the protection of personal data, it is not effective for the DPO alone to oversee the data and the entire PDPA compliance process.

One of the most important aspects of managing data, and more so of mismanaging it, is the potential cost of not investing in the right tools and technologies for personal data management and compliance. Any slip-up involving personal data, especially highly sensitive data or data in large volumes, can have drastic implications, both financial and non-financial. Beyond the direct financial implications of monetary fines or lawsuits, the non-financial implications can also affect the bottom line: the ability to build and maintain trust, customer loyalty and brand equity. The average cost of a data breach in the ASEAN region was USD 2.71 million in 2021 [1]. In addition, the survey results showed that the top three drivers for PDPA compliance activities were the same negative consequences of non-compliance: the threat of regulatory lawsuits or fines, the potential for reputational damage, and the need to improve consumer trust. Studies have shown that around 81% of consumers lose trust in a brand after a breach, and 25% may stop interacting with it altogether [2].

A key role of the CFO is to ensure the organisation's compliance efforts are adequately funded. To do this successfully, the CFO must have a thorough understanding of the Thai PDPA regulations and requirements, and of the implications of non-compliance. However, two of the top three challenges faced during Thai PDPA compliance activities, according to the PDPA survey, were interpreting the requirements of the Thai PDPA (68%) and staff knowledge (63%). It is therefore important for the CFO to gain a full understanding not only from a financial point of view, but to approach data protection and privacy holistically, covering all levels and departments in the organisation with an end-to-end, interdisciplinary mindset.

The results from the survey showed that the top areas for budget allocation were reviewing internal policies, agreements and practices related to personal data, including updating existing privacy notices and creating legal documents. However, employee training ranked fifth, with only 31% of respondents selecting it as one of the top three areas of their PDPA compliance budget allocation. To ensure that an organisation is fully compliant in all areas and that all departments are working towards the same goal, training is an important topic that may deserve a higher priority in the months leading up to the full enforcement date. This is especially the case for industries that are highly data-driven and have front-line employees dealing directly with consumers, such as Financial Services, Telco and the Consumer industry.

With the increased use of technology to collect and analyse data, the finance function must give greater focus to budget allocation for the tools that enable these new technologies while keeping the data they handle safe and compliant with PDPA regulations. The top two tool categories from the survey were consent and preference management tools, followed by data privacy assessment tools. These were closely followed by data encryption and data leakage prevention tools, the technical controls that protect the confidentiality of the data collected.

With the enforcement date quickly approaching, a large number of organisations across a broad range of industries are still working on their compliance activities, and some survey respondents (8%) indicated that they may not be fully compliant by June 2022, and possibly not until a few months after. Certain industries, such as Financial Services and Technology, Media and Telecom, are leading the way overall, as they have been highly regulated for a long time.

Regardless, it is important to recognise that across all organisations and industries, addressing the Thai PDPA and integrating the new policies and processes into business operations requires budget allocation for transformation across all workstreams. This means bringing together all functions, including the CFO, to allocate a balance of funds that ensures regulatory compliance, protects data and minimises cyber risk, approaching data protection and privacy in the best interest of customers and as fuel for the future growth of the business.

The views and opinions expressed are those of Somkrit Krishnamra, Partner, Risk Advisory, Deloitte Thailand, and do not necessarily reflect Deloitte’s view.
