Why it’s time consumers ask tough questions about data privacy

Today in Thailand, the word privacy doesn’t exist in people’s minds. On the contrary, people feel almost flattered by their data being leaked. They go to the shopping mall and they get a push message saying, “You’re close to our shop and we have a special, exclusive discount for you. Come visit us.” That makes them feel very special. It’s almost like being famous. It’s not perceived as “creepy.”

I think this is going to change, though. There’s a new story about identity theft or phishing every other day in the news. People are starting to hear about getting scammed or robbed online more often. They start realizing that their information is out there for anyone to see. At one point, the awareness levels will increase. If you look at Pantip and blognone, they now have pop-ups asking for consent on using your data. That didn’t exist last year.

If you’re ready to improve the safety of your data, know that there are two sides to data privacy: the side you control and the side you don’t. It’s up to you whether you want to check into every single venue you visit and share every dish you eat, or even pictures of the toilets when they’re particularly fancy. You control that.success-2917048_1920Then there’s the personal data that you’ve handed over to companies because you needed to use their services. For example, your bank or mobile service provider has your ID number, your address, and your phone number. Your bank would also know all your transactions, while your mobile service provider would know who you’ve called and which websites you’ve visited.

That is a lot of data and a great responsibility. And it begs the question: what is being done with that data? Are you confident it is safeguarded carefully? Is everything being done to protect it? Or just the legal requirements?

If you’re counting on your data being protected by legal requirements, know that the only requirement is “consent.” That form you signed ages, or those boxes you ticked on a website, that’s all the law requires.

Everything else depends on the individual organizations. I’ve worked in a number of them and I can tell you I’d say the average local company gets a two out of five rating on privacy, even the very big ones. The ones with a global footprint usually do better, even if their presence here is small. Size isn’t what matters.


At dtac, privacy is not just a principle and a policy posted on our corporate website. It goes beyond that. You have to look at the users, the people at operations level. They are the most risk exposed. For the month of November, we trained 700 people across eight 2.5-hour sessions. And we’re continuously producing internal campaigns online, on our in-house radio and on billboards.

Training is key because of the ambiguities surrounding privacy. If you just look at the code of conduct, well, how do you interpret it? The code of conduct says that our employees should not reveal disclose, or sell or distribute company secrets in any form. So if I go into a company’s records and look at my girlfriend’s file, I’m not revealing, disclosing or selling any information, am I? And yet, it’s clearly not OK.24312451_302378893589525_8286134110325375012_nThese are the kind of scenarios we have to cover in training. I use real-world examples to show the risks that can come with consulting information other than for work-related reasons. And I remind our teams that there are better avenues to do this without infringing on privacy. Want to consult your elderly grandparents’ phone bill? Ask them for their password and use the dtac website. Don’t do it using your employee privileges.

But training without a control system is not enough. Every access to information at dtac has to be reconciled with a customer’s request for that information. If we spot any unreconciled access, our managers will investigate it, and I randomly investigate the managers, too.castle-979597_1280Finally, full data protection is actually a combination of data privacy plus data security. We’ve made big changes on who can access what. A single password won’t get you access to everything anymore. And it’s impossible to download staff records in bulk, which is what happened in a hacking attack on a competitor last year. You’d have access to one or two records at most.

I really hope consumers will demand more regarding their data protection. If someone steals your identity and commits a crime, you could get in serious trouble. There is no 100 percent protection but do ask yourself, is your data held by a company that is watching, a company that cares, and a company with systems in place to spot anomalies?

Montri Stapornkul is Data privacy Officer at dtac.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s