Last updated: 25 Oct 2019 | 11491 Views |
After many revisions to the draft bill regarding digital consumer data collection, finally on May 27, 2019, it was officially announced on the Government Gazette's website regarding Personal Information Act 2019 (Personal Data Protection Act), which will be effective on May 28, 2020, which today I will summarize all the essentials to be read. While also going to see what brand and business practices are being prepared for
1. Have 1 year to prepare
For data protection Will give the data controller time to prepare the system to be ready and completed within 1 year from the date of announcement That means that it will really work on May 28, 2020.
2. Who is the "personal data controller"?
Data controller means an individual or a juristic person with the power to make decisions regarding the collection, use or disclosure of personal information. Therefore, a brand or business that has a membership system or registration Whether the website, application, or other digital media, whether online or offline Is considered a controller of personal information as well
3. What does "personal information" mean?
"Personal information" means information about a person that makes it possible to identify that person Whether directly or indirectly, such as name, address, phone number, email
4. "Data Processor" is not "Data Controller"
Who is the data processor? Data Processor means an individual or a juristic person who processes, collects, uses or discloses personal information in accordance with an order or on behalf of a personal data controller. But not the data controller itself. Therefore, Agency and Hosting Server service providers that collect data Considered as a processor, not a controller
5. All information Must obtain consent from the owner of the information first
Personal data controllers must not collect, use or disclose without the consent of the data owner.
6. Clear and easy to understand how to collect and use personal information.
When requesting consent from the data owner The data controller must inform the purpose of the collection, use or disclosure of such information. And the message of consent Must separate clearly from other messages Easily accessible and written in easy to understand language Not deceptive or misleading the data owner
7. The data owner can request to view and request a copy of the said information.
If the data owner wants to access and request a copy of personal information about him The data controller must comply with the request.
8. The data owner can request to cancel the consent
If the data owner wishes to cancel the consent Can inform the data controller to follow as well
9. Violation of rights is punishable by both fines.
If the controller of personal information uses or discloses the data without the consent of the data owner Will be punished with imprisonment of 6 months to 1 year or a fine of not more than 500,000 baht (Section 27 and Section 79)
What brands and businesses should prepare
From knowing the essence of The Personal Data Protection Act is one thing that needs to be adapted accordingly, that is, brands and businesses that collect personal information from consumers. Regardless of the website, Application, Social Media or other digital media, there should be preparation and starting as follows:
• There should be pages on the website, application, or other digital media that must specify the purpose of collecting, using or disclosing personal information. In a language that is easy to understand and straightforward For people who already have a website, may be familiar with the page The 'Privacy Policy' that contains some similar content Can be adapted for use but requires shorter, more understandable text
• Every time for users to register or fill out personal information There should be a checkbox option for the user to click to confirm the consent of the data owner and there is a link to click to view the details page of the purpose of collecting, using or revealing that personal information.
• There should be a contact method and a detail page stating that If the user wants to contact to request a review or request a copy of personal information about him How to contact brands and businesses? Which may add buttons "Contact for personal information verification" on Footer or the Contact Us page of that website or application.
• There should be a way for users to inform their request to cancel their consent and delete personal data from their storage systems of brands and businesses, which may be a link 'cancel consent. Collecting and using personal information 'to access a webpage that details the method of reporting such requirements.
Article by: Narong Yotsamahitmanicha
Chief Digital Officer & Co-Founder at The Flight 19 Agency
22 Oct 2019