- Consumers in Thailand have a right to have their personal data kept private and safe from unauthorized access.
- Organizations must design effective gatekeeping that limits access to personal data from the outside but also internally.
- This “privacy by design” approach is even more critical as AI and IoT transform how personal data is collected and used.
In a report titled, “Digital Lives Decoded,” Telenor Asia revealed that 75% of respondents in Thailand are concerned about privacy and security. While that may seem high, the figure is well below the average in Asia, which stands at 93%.
True Blog sat down with Montri Stapornkul, Head of Data Protection at True Corporation, to understand why it is important to keep consumers’ data safe and private. And how True achieves this despite the rapid adoption of new technologies, such as artificial intelligence and the internet of things.
The Great Powers and Great Responsibilities of Data
“Privacy is about respecting the limits set by the original owner of the data. If you share something personal with someone, that person doesn’t have your permission to tell anyone else. The same goes for digital data. You, as the owner of your personal data, have rights. And the business that processes that data has responsibilities to protect your data. At True, we take this very seriously, as part of our ambition to be a telecom-tech leader,” Mr. Montri said.
True not only serves 51 million mobile customers, but also provides cloud storage, content, fixed broadband internet, IoT solutions and more. This makes it one of the largest actors in Thailand’s data space.
“When a True customer turns on their phone, we receive and send data to their device. That data isn’t just content, such as text messages or video, but also the personal identifiers needed to establish who is sending the data and from where,” Mr. Montri noted.
This puts a double burden of data protection on internet service providers. They must ensure the data is transmitted securely so that hackers cannot access it. But they must also guarantee that the data is processed internally with respect for the rights of the original owner of the data.
“Big data can be a powerful tool to design better services and make them more accessible. However, we never compromise on our customers’ right to data protection and privacy. We keep their data safe with advanced cybersecurity measures. We only access data with our customers’ permission. And we access only what is strictly necessary,” Mr. Montri explained.
we never compromise on our customers’ right to data protection and privacy. We keep their data safe with advanced cybersecurity measures. We only access data with our customers’ permission. And we access only what is strictly necessary
Consent: The Key to Privacy in the Digital Age
According to True’s privacy standards and the legal requirements of Thailand’s Personal Data Protection Act (PDPA), there are two levels of consent which customers can grant their mobile operator. The first level of consent is needed to provide them with mobile services. It limits the use of customers’ personal data purely to execute the requirements of a mobile service provider.
The second level of consent is optional. It allows customers to opt in to the use of their personal data for more personalized benefits and offers. For example, the dtac or True app might alert a customer to a freebie they are entitled to based on their customer loyalty tier and location.
“We look at two things: whether we have the customers’ explicit consent, and whether the use of their data is to their benefit. To make sure that data is only accessed when it meets both those requirements, we have control points in place. We track every time customer data is accessed and then make sure that access is reconciled with a legitimate use,” he said.
Gatekeeping the Data Fortress
To gain access to True’s data warehouse, internal users must therefore justify that their request is legitimate, and relevant. This applies to all internal users, even those performing audits and quality assurance. It is also true of requests emanating from government organizations.
“Government authorities don’t have direct access to customer data. They must make a request justified by national interest or national security. We evaluate every request to ensure it is from a legitimate authority and meets all requirements. Only then will we provide any data,” Mr. Montri said.
Mr. Montri recognizes that Thai consumers were previously more concerned with security than privacy. But the catalyst of artificial intelligence, the internet of things and big data is now bringing more attention to the need for effective data governance to protect consumers.
“True’s ambition is to be a telecom-tech leader, meaning not just a provider of core connectivity but also of digital services. This requires that customers trust us. And that’s why we’re taking a leadership position on privacy. We are ensuring customers are properly informed of their rights, that we obtain their consent for the use of their data, and that we only access the data we need to provide them with the best possible service and benefits,” he said.
Being ahead of the changes in data privacy, Mr. Montri is already looking to the impact of emerging technologies. TrueX, for example, provides smart home solutions, while Mordee is for telemedicine—both intimate spaces in the lives of consumers.
“When it comes to artificial intelligence or the internet of things, the same core principles of data privacy are still relevant. We need to ensure our use of personal data is relevant, limited to what is needed to provide our services, and that it benefits the customers,” Mr. Montri said. “If we stick to these standards, then we can be confident that new technologies don’t threaten our customers’ personal data rights.”