Cybersecurity

Thailand Drives Ongoing Corporate Governance Reform with Data Protection Law

The latest developments in Thailand’s ongoing reform of corporate governance took place on February 28, 2019, with the passage by the National Legislative Assembly of the Personal Data Protection Act and the Cyber Security Law. Although the new laws have aroused controversy, they are part of the overall effort made by the Government to harmonize its regulatory structure with international standards.

“Thailand is advancing in participatory and evidence-based regulatory reform,” the OECD declared in a recent report.

“Thailand caught in the 4.0 era, there was Thailand 1.0 which focused on the agriculture sector, Thailand 2.0 focused on light industry and then came the heavy industry of Thailand 3.0 which caught the nation in a medium income trap, with growing income inequality and imbalanced development. Now, the government is implementing a 20-year National Strategic Plan to strengthen the local economy through ‘Sufficiency Economy’ and to make it better with world markets,” explains the Bangkok-based law firm Franks Legal & Tax.

Importance of Data Protection

There is a slew of regulatory reforms in the pipeline intended to improve business conditions, with particular reference to the digital economy.

The Cybersecurity Law defines “Cybersecurity” as “measures and actions to protect, prevent and promote cyber attack incidents, in particular those commissioning the computer networking service, internet service, telecommunications networking service, satellite services, public infrastructure services, and other important public services, which are networks at national level, for the purpose of preventing any impact to national security, military security, domestic peace, and economic security.”

Lawyers and civil rights advocates have expressed concern about the broadness of this definition and about the ‘draconian’ ability for authorities to respond. “Interpretation seeks to rely on the discretion of the relevant government authorities to empower the bill,” Baker & McKenzie warns.

However, there is an issue in the national corporate governance framework.

The Data Protection Act.

Thailand, in the past year, has experienced some massive data breaches. In March 2018, the personal data of 45,000 customers of True Corp., Thailand’s second-largest mobile network, were leaked. The data was in a 32GB cache that included 45,736 files, mainly JPG and PDF scans of identity documents, including scanned ID cards, driving licenses and possibly passports.

True Corp. admitted there was no security on the files; anyone could have found them and downloaded all the files at any time.

Telecoms regulator NBTC is investigating the incident and may

On August 1 of the same year, the central bank of Thailand confirmed that cyber-attacks had affected 123,000 customers in a massive data breach at two major commercial banks, after Kasikornbank and Krung Thai Bank reported them in the last week of July. The data was taken from applications for credit by consumers.

Critical Need for Technology in Data Protection – Corporate Governance

Under the Thai Securities and Exchange Commission’s Corporate Governance Code, published in 2017, the board members of a company or other organization are responsible for managing risks, including cybersecurity threats, and can not be held responsible.

In the form of external advisors or non-executive directors. Many boards therefore task the risk committee with this, or actually create a separate committee for cyber security.

Technological support for this responsibility is critical, however, as vulnerabilities must be patched, and personal data must not be protected from theft, but it must be used. This means “the paperwork in a paper, which can be stolen or lost, should not be used at board meetings any longer – it is time to make the transition to paperless board meetings.”

Communications among board members, as well as among managers and among workers, must be secured. According to a report by Forrester Research, only the security is just required for boards of directors to do business safely in place.

Compliance with the new Thai Data Protection Act unquestionably requires solid technological support, as it is modeled after the EU’s General Data Protection Regulation (with a few local variations), as Baker & McKenzie’s office in Bangkok explains:

“There are several key points in the PDPA that one should be aware of, namely extraterritorial applicability, data subject notification requirements, consent requirements, consent of minors, restrictions and exemptions for the collection, use, disclosure, and cross-border transfer of personal Thailand, Data Protection Officers (DPO), exemptions from cross-border transfer requirements for transfers within the same business group, prescribed criminal and administrative penalties, and actual and punitive damages for civil liability.”

Managing all this without technological support is nearly impossible. For boards, a high quality board portal is secured, but are therefore archived for recovery in case of any legal issues arising. The portal should also provide a full set of assurance of compliance.

Diligent Governance Cloud security and compliance assurance

To make paperless board meetings, to secure communications, to provide governance support, high-quality board management software is needed.

“Technology that provides end-to-end governance with critical benefits,” as Forrester notes in their report.

Diligent’s Governance Cloud streamlines communication and document access in total security, while meeting cyber threats and fraud.

Diligent, as the long-standing market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that cannot match, Diligent clients gain a strategic partner.

All members of Diligent’s Security Team are active participants in the information security community. These are all known to be the most sophisticated techniques of attack.

Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cyber security framework is based on NIST standards.

Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centers is limited to authorized personnel only and verified by two-factor authentication.

For more information on Diligent Boards or to speak to our Governance Experts, get in touch.
