Bangkok Post
SUCHIT LEESA-NGUANSUK

Thais urged to get handle on EU data protections

Businesses handling EU citizen data must prepare data protection systems and policies to prevent penalties or business termination if they violate the upcoming General Data Protection Regulation (GDPR), legal experts warn.

E-commerce, online services, airline and mobile operators, hosting, job recruitment, internet service providers (ISPs) and banks are the sectors most affected by the GDPR, which comes into force on May 25.

Dhiraphol Suwanprateep, partner for technology, media and telecommunications at Baker & McKenzie, said Thai firms must comply with the GDPR even if they have no established entity in the EU.

"If goods or services of Thai companies are available in the EU or Thai companies track the behaviour or location of individuals in the EU, the firms could be subject to compliance with the GDPR," said Mr Dhiraphol.

This includes cases in which Thai companies' websites let users select the language or currency of an EU member state. Any Thai company whose customers include individuals in the EU should be aware of and familiar with the GDPR, especially those offering cross-border services such as e-commerce providers, online services, airlines and mobile operators.

Failure to comply with the GDPR can lead to fines of up to €20 million (762 million baht) or 4% of global revenue for the preceding financial year, whichever is higher.

Mr Dhiraphol said the territorial reach of the GDPR is determined based on the nature of the business, irrespective of whether Thai companies would receive any fees from individuals in the EU.

Data controllers or processors outside the EU will thus be subject to the GDPR where their processing activities relate to offering goods or services to data subjects in the EU (even for free), or to monitoring the behaviour of data subjects in the EU, so long as that behaviour takes place within the EU.

"ISPs, mobile operators, job recruitment agencies, hosting and e-commerce providers and banks are the top sectors impacted by the EU's GDPR," said Paiboon Amornpinyokiat, founder of P & P law firm.

According to the new regulation, businesses that hold EU customers' data, online or offline, must set a "corporate data policy".

Those businesses must also inform data owners within 72 hours if data breaches or leakages have occurred. Otherwise the firms will be fined up to €10 million or 2% of their annual turnover.

In addition, if data processors or data controllers conduct a data breach, they will be fined 4% of their annual turnover, or up to €20 million.

Service operators also need to erase data of individuals if they have requested it under the right to be forgotten.

"US global online services such as Google, Facebook and others have already complied with the GDPR but Thailand still has not acknowledged this matter," said Mr Paiboon.

The government further needs to push compliance with the EU regulation, otherwise the EU might terminate its business with Thais.

Morakot Kulthamyothin, managing director of Internet Thailand, said ISPs do not carry personal data, but online business and content providers do. The company will notify its corporate customers to prepare for GDPR compliance, he said.

Nakrop Niamnamtham, managing director of nForce Secure, said major and international banks have already invested more in cybersecurity systems.

Cloud encryption and data loss prevention will help those businesses strengthen data protection, while the new regulation will create more demand for IT security professionals, he said.
