Deloitte Thailand's PDPA Readiness Survey - How organisations across industries have responded to the upcoming enforcement of the Thailand ...

Page created by Jane Dean
 
Deloitte Thailand’s
PDPA Readiness Survey
How organisations across industries have
responded to the upcoming enforcement of the
Thailand Personal Data Protection Act B.E. 2562
Deloitte Thailand’s PDPA Readiness Survey
With the increased collection and use of personal data, the management
and privacy of data is a growing concern for businesses across all
sectors. More importantly, the Thailand Personal Data Protection Act
B.E. 2562 (“Thai PDPA”) will officially come into effect in June 2022
after being postponed. This will change the privacy landscape for
businesses dramatically.

In October 2021, Deloitte Thailand conducted a Thai PDPA readiness
survey across a sample of organizations and industries in Thailand.
The aim of this survey was to understand how organizations are
preparing for Thailand’s PDPA compliance, how far along their
implementation plans are and what challenges they may be facing
along the way.

The results of the survey indicate that industries differ in their
implementation speed and in the timeline of their compliance activities,
with Financial Services leading the way to be ready in time for June 2022.
The top motivators for Thai PDPA compliance activities were the PDPA
regulations themselves and the negative consequences of not adopting
them, rather than associated benefits. Integrating new policies
and processes into business operations was the top challenge across
all industries.

                                                                            Deloitte Thailand’s PDPA Readiness Survey Report 2022   2
Survey respondent profile
40% of the survey respondents came from the Consumer industry, followed by Financial Services, accounting for 27%. The majority of
respondents came from larger sized companies, with a head count of 500 employees and above.

Industry of respondents
(% of respondents, n=136)

Consumer                           40%
Financial Services                 27%
Energy, Resources & Industrials    14%
Technology, Media and Telecom      7%
Life Sciences and Healthcare       4%
Others                             8%

Organization size (by headcount)
(% of respondents, n=136)

1 - 49       15%
50 - 99      7%
100 - 499    23%
500 - 999    17%
1000+        38%

PDPA implementation status varies across industries
72% of respondents have started or already implemented Thai PDPA requirements, whereas 24% have plans but have not started the
implementation process yet. By industry, Financial Services had the largest percentage of respondents who have already started or
implemented Thai PDPA requirements, followed by Life Sciences and Healthcare. The industry with the highest percentage of
respondents who have not started the implementation process is Energy, Resources & Industrials.

Thai PDPA implementation status
(% of respondents, n=136)

Do not plan to implement                      4%
Have plans but not started implementing yet   24%
Have started implementing                     42%
Already implemented                           30%

Thai PDPA implementation status by industry
(% of respondents, n=120, excluding ‘Others’)

Industry                           Not Started   Started
Financial Services                 14%           87%
Life Sciences and Healthcare       20%           80%
Consumer                           31%           69%
Technology, Media and Telecom      33%           67%
Energy, Resources & Industrials    50%           50%
Thai PDPA implementation status varies depending upon company size
The survey responses indicate that the majority of organizations that have started or already implemented Thailand’s PDPA
requirements are larger, with at least 100 employees, whereas more than half of the respondents from smaller
organizations with fewer than 50 employees stated that they have plans but have not started implementing yet.

Thai PDPA implementation status by organization size
(% of respondents, n=136)

Headcount    Not Started   Started
1 - 49       70%           30%
50 - 99      40%           60%
100 - 499    26%           74%
500 - 999    17%           83%
1000+        15%           85%

Most organizations plan to perform, or have already performed, a Thai PDPA readiness assessment
Of the 45% of respondents who had already conducted a Thai PDPA readiness assessment, 98% of the assessments included readiness of
IT systems as well as business processes and operations. Both Financial Services and Life Sciences and Healthcare had a higher
percentage of respondents who have already performed a Thai PDPA readiness assessment.

Conducting Thai PDPA readiness assessment
(% of respondents, n=136)

Yes                        45%
No, but planning to        44%
No, and not planning to    11%

By industry
(% of respondents, n=120, excluding ‘Others’)

Industry                           Yes    No, but planning to   No, and not planning to
Financial Services                 65%    30%                   5%
Life Sciences and Healthcare       60%    20%                   20%
Consumer                           45%    39%                   16%
Technology, Media and Telecom      44%    56%                   -
Energy, Resources & Industrials    17%    78%                   6%
Compliance timeline
Only 29% of the respondents indicated that they may not be fully compliant around the enforcement deadline of June 2022, with 8% of
those expecting to be fully compliant much later in the year. Results show that most of the respondents in the Consumer, Financial
Services and Technology, Media and Telecom industries will be fully compliant by June 2022, whereas the Energy, Resources and
Industrials, and Life Sciences and Healthcare sectors seem to be lagging.
Timeline of expected compliance
(% of respondents, n=136)

Already fully compliant    20%
Oct-Dec 2021               18%
Jan - Mar 2022             33%
Apr - Sep 2022             21%
Later than Sep 2022        8%

Marker on the timeline: June, 2022

Timeline of expected compliance by industry
(% of respondents, n=120, excluding ‘Others’)
Bar segments, in legend order: Fully compliant, or by Mar 22 / Compliant by Apr-Sept 22 / Later than Sept 22

Financial Services:                 81% / 14% / 5%
Technology, Media and Telecom:      78% / 22% (two segments shown)
Consumer:                           71% / 22% / 8%
Energy, Resources & Industrials:    50% / 39% / 11%
Life Sciences and Healthcare:       40% / 40% / 20%
Key drivers for Thailand’s PDPA compliance activities
The top 3 key drivers for compliance activities were consistent across all sectors: threat of regulatory fines or lawsuits, potential for
reputational damage and improving customer trust.

Importance of Thai PDPA compliance activities
(% of respondents, n=136)

Threat of regulatory fines or lawsuits         73%
Potential for reputational damage              66%
Improving customer trust                       59%
Privacy as a strategic priority                37%
Increase efficiency in processing data         36%
Enable an insight driven organization          15%
Gaining a competitive advantage via privacy    10%

The top 3 drivers for Thailand’s PDPA compliance activities were mainly regulation driven, and if not prioritized could have
negative ramifications, whereas the bottom 4 drivers are led by positive motivations and benefits of PDPA compliance.

Almost half of the respondents expect significant benefits from Thai PDPA compliance

A higher proportion of Technology, Media and Telecom and Energy, Resources & Industrials organizations expect significant benefits from
Thai PDPA compliance activities compared to other industries. Financial Services and Life Sciences and Healthcare expect more limited
or no benefits outside regulatory compliance, as these industries are highly regulated and the nature of the data they are dealing with is
more sensitive.
Thai PDPA Compliance Benefits
(% of respondents, n=136)

No benefits outside regulatory compliance          23%
Limited benefits                                   32%
Significant benefits (eg competitive advantage)    45%

Benefits by Industry
(% of respondents, n=120, excluding ‘Others’)
Bar segments, in legend order: No benefits outside of regulatory compliance / Limited benefits / Significant benefits

Technology, Media and Telecom:      11% / 89% (two segments shown)
Energy, Resources & Industrials:    11% / 28% / 61%
Consumer:                           28% / 26% / 47%
Life Sciences and Healthcare:       40% / 40% / 20%
Financial Services:                 32% / 49% / 19%

Main areas of budget allocation for Thai PDPA compliance activities
(% of respondents, n=136)

Reviewing internal policies, agreements, and practices related to personal data    46%
Implementing data management processes and operating systems                       43%
Updating existing privacy notices and creating legal documents                     33%
Conducting a gap assessment to identify the current levels of compliance           33%
Employee training                                                                  31%
Governance, Risk and Compliance                                                    31%
Data Leakage Prevention                                                            30%
Record of processing activities (ROPA)/Data mapping and management                 30%
Consent/Preference Management                                                      18%

Areas of budget allocation by industry
(% of respondents, n=120, excluding ‘Others’)

Consumer
  Employee training                                                                 43%
  Governance, Risk, Compliance                                                      41%

Energy, Resources & Industrials
  Reviewing Internal policies, agreements and practices related to personal data    72%
  Conducting a gap assessment to identify the current levels of compliance          44%

Financial Services
  Implementing data management processes and operating systems                      54%
  Conducting a gap assessment to identify the current levels of compliance          49%

Life Sciences and Healthcare
  Employee Training                                                                 60%
  Governance, Risk, Compliance / Data Leakage Prevention                            40%

Technology, Media and Telecom
  Reviewing Internal policies, agreements and practices related to personal data    56%
  Governance, Risk, Compliance / Data Leakage Prevention                            44%

Leading function in Thai PDPA programs and compliance activities
Compliance was the leading function for Thai PDPA activities for all industries apart from Energy, Resources & Industrials, where HR was
the leading function. The chosen function overseeing PDPA compliance activities suggests a link to the nature of business activities of
the organization, and whether they are primarily dealing with internal data (B2B) or external data (B2C).

Leading function
(% of respondents, n=136)

Compliance    35.3%
Legal         24.3%
HR            19.1%
Risk          12.5%
IT            8.8%

Leading function by industry
(% of respondents, n=120, excluding ‘Others’)

Consumer:                           Compliance 39%, Legal 26%
Energy, Resources & Industrials:    HR 39%, Legal 28%
Financial Services:                 Compliance 41%, Risk 27%
Life Sciences and Healthcare:       Compliance 40%, Legal 40%
Technology, Media and Telecom:      Compliance 44%, HR/IT 22%

Appointing a Data Protection Officer (DPO)
The majority of respondents indicated that a Data Protection Officer (DPO) will be or already has been appointed internally, rather than
outsourced.
(% of respondents, n=136)

Internal
  Yes, appointed internally                56%
  No, but planning to appoint internally   19%
Outsourced
  Yes, outsourced                          8%
  No, but planning to outsource            8%
No, and don’t plan to                      9%

(% of respondents, n=120, excluding ‘Others’)
Bar segments, in legend order: Internal / Outsourced / Don’t plan to appoint

Financial Services:                 95% / 5% (two segments shown)
Life Science and Healthcare:        80% / 20% (two segments shown)
Technology, Media and Telecom:      78% / 11% / 11%
Energy, Resources & Industrials:    72% / 28% (two segments shown)
Consumer:                           65% / 22% / 14%

Investment in tools and technologies
The top 3 tools and technologies that organizations have invested in for Thai PDPA compliance activities include consent/preference
management, data privacy assessments, and data encryption.

(% of respondents, n=136)

Consent/ Preference Management    19.9%
Data Privacy Assessment           16.4%
Data Encryption                   14.0%
Data Leakage Prevention           13.7%
Data Discovery and Inventory      10.3%
Cookie Management                 8.8%
Privilege Access Management       8.6%
Privacy Incident Response         8.3%

Technology type (chart legend): PDPA Technology, Protection/Security, Access Control, Response

Investment in tools and technologies by industry
(% of respondents, n=120, excluding ‘Others’)

For all industries, the top investment was in tools for consent and preference management. For Consumer, Energy, Resources &
Industrials, and Financial Services, the second was for data leakage prevention tools. Top investment priorities were aligned with the
core Thai PDPA requirements.

Consumer
  Consent/Preference Management                       100%
  Data Leakage Prevention                             49%

Energy, Resources & Industrials
  Consent/Preference Management                       100%
  Data Leakage Prevention                             72%

Financial Services
  Consent/Preference Management                       100%
  Data Leakage Prevention/Data Privacy Assessment     51%

Life Sciences and Healthcare
  Consent/Preference Management                       100%
  Cookie Management                                   100%

Technology, Media and Telecom
  Consent/Preference Management                       100%
  Privacy Incident Response                           67%

Technology type (chart legend): PDPA Technology, Protection/Security, Access Control, Response

Implementation Challenges
Top challenges faced during Thai PDPA implementation
(% of respondents, n=136)

Integrating new policies and processes into business operations    75%
Interpreting PDPA requirements                                     68%
Staff knowledge                                                    63%
Implementing new technology                                        60%
Budget allocation                                                  16%
Staff availability                                                 13%
Top Challenges by Industry
Integrating new policies and processes into business operations was one of the top challenges for almost all industries. For Life
Sciences and Healthcare, the top challenge was interpretation of Thai PDPA requirements.
(% of respondents, n=120, excluding ‘Others’)

Consumer: Integrating new policies and processes into business operations 73%; Staff knowledge 67%
Energy, Resources & Industrials: Integrating new policies and processes into business operations 83%; Staff knowledge/Implementing new technology 67%
Financial Services: Integrating new policies and processes into business operations 76%; Implementing new technology 68%
Life Sciences and Healthcare: Interpreting PDPA requirements 80%; Implementing new technology 80%
Technology, Media and Telecom: Interpreting PDPA requirements 100%; Integrating new policies and processes into business operations 89%

Our Holistic PDPA Approach
Deloitte takes an integrated approach to the Thai PDPA compliance journey. With a holistic point of view, Deloitte is able to
combine Technology, Legal, Compliance and Organization workstreams to offer deeper insights and provide an end-to-end service
from initiation and gap assessment through to the implementation and post-implementation processes.

Policy and Governance
Appointment of DPO
Developing or embedding PDPA policies into the policy of the organization, for
example Personal Data Protection Policy, Security Policy, PDPA Incident
Management Framework, as well as necessary legal documents.

Process
Working processes being revised and communicated throughout the
organization on the awareness of personal data protection.

Procedure
Procedures being developed under the privacy principle and ensuring control
throughout the organization.

People
All employees need to have an awareness and sufficient understanding of the
Thai PDPA and data privacy regulations.

Technology
Technology needs to be developed and implemented to align with the
requirements of the Thai PDPA, enhanced security, privacy, and control processes.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”).
DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in
respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to
clients. Please see www.deloitte.com/about to learn more.
 Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are
separate and independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur,
Manila, Melbourne, Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and Tokyo.
About Deloitte Thailand
In Thailand, services are provided by Deloitte Touche Tohmatsu Jaiyos Co., Ltd. and its subsidiaries and affiliates.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively,
the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances
or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its
member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying
on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
© 2022 Deloitte Touche Tohmatsu Jaiyos Co., Ltd.