PDPA Webinar Series - Fujitsu
TRANSCRIPT
PDPA Webinar Series
© 2020 Fujitsu (Thailand) Co., Ltd.
Date: Tue 21st April 2020 at 10:30–11:00 am
Topic: What's PDPA and impact in summary
Date: Tue 28th April 2020 at 10:30–11:00 am
Topic: Step by step to go on track with PDPA's solution by Fujitsu Thailand
Speaker Profile
Pisek Bootta
Experience:
Business Consultant [Fujitsu (Thailand) Co Ltd, 2019–Present]
Solution Manager [nForce Secure, 2017–2019]
Technical Consultant [SCM Technologies, 2016–2017]
Security Engineer [The Communication Solution (TCS), 2012–2016]
Security Analyst [e-COP Thailand, 2011–2012]
Knowledge & Skills: Cybersecurity, Data security & data privacy, Cloud & virtualization security, Identity and Access Management
Certificates: CompTIA Security+, Check Point Certified Security Expert, Palo Alto Networks Certified Network Security Engineer, Radware Certified Security Specialist, VMware Certified Professional 6 – Network Virtualization, Symantec Sales Expert Plus
What is PDPA & impact in summary
Pisek Bootta
Business Consultant - Security Consultant
Agenda
What is Personal Data
Thailand's Personal Data Protection Act (PDPA)
Business Impact
Benefits
What happens after the GDPR enforcement

What is Personal Data

What is Personal Information
Personal Data or Personal Information (PI) – GDPR definition
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
Reference: https://gdpr-info.eu/art-4-gdpr/
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
EU – General Data Protection Regulation (GDPR)
TH – Personal Data Protection Act (PDPA), in Thai พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล
Examples of personal data
• Name and surname
• Home address
• Email address such as name.surname@company.com
• Identification card number, bank account number, social security number
• Location data (for example the location data function on a mobile phone)
• Internet Protocol (IP) address
• Cookie ID
• Biometric data
• Sensitive Data
Examples of data not considered personal data
• Company registration number
• Email address such as info@company.com
• Anonymous data
• Information of deceased persons
Personal data risks
RISK: Social Engineering, Identity Theft, Tracking, Stalking, Misuse, Profiling
Data breach incidents
[Figure: headline fines of £99.2m, £183m and $5bn; reference https://www.theguardian.com/]
Thailand's Personal Data Protection Act (PDPA)
Personal Data Protection Act, B.E. 2562 (2019)

The gazette of PDPA
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
PDPA Summary
Personal Information
Including sensitive information
- Directly
- Indirectly
PDPA's Players
Data Subject, Data Controller & Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal
- Administrative
- Civil
500,000 – 5M Baht and/or Imprisonment
Data Subject's Rights
(30) Right to Access
(31) Right to data portability
(32) Right to object
(33) Right to be forgotten
(34) Right to restriction of processing
(35, 36) Right to rectification
Imprisonment
Section 81: In the case where the offender who commits the offense under this Act is a juristic person, and the offense is conducted as a result of the instructions given by, or the act of, any director, manager or person who shall be responsible for such act of the juristic person, or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense, such person shall also be punished with the punishment as prescribed for such offense.
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
Data Controller & Data Processor Responsibilities

Data Controller:
- Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
- Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
- Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
- Prepare and maintain a list of the data processing activities
- Appoint a data controller representative and a Data Protection Officer (DPO)
- Respond to data owner's requests

Data Processor:
- Strictly follow the instructions of the data controller
- Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
- Inform the data controller of any violation of the personal data that occurs
- Prepare and maintain a list of the data processing activities
Business Impact

Positive Impact
Improved Cybersecurity
Standardization of Data Security & Data Privacy
Brand Safety
Loyal Customer Following

Negative Impact
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation

Benefits
Personal
Confidence to use the products/services
Reduced personal data violation and privacy infringement
Rights over their own personal data
File a complaint and claim for damages

Business
Customer Loyalty and Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
What happens after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent said GDPR implementation took longer than they expected
45 percent said they had an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging

The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
Conclusion
This law was issued to protect personal information, both IT and non-IT.
Any organization that ignores or does not comply with this law is likely to be punished by law.
Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law.
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions.
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA

1. Teaming up
In most organizations, enterprise architects & the IT department do not have final responsibility for ensuring regulatory compliance.
This responsibility may lie with ...
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap diagram, Business / IT-IS lanes: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda

Example: NIST Privacy Framework V1.0
https://www.nist.gov/privacy-framework
Cybersecurity and Privacy Risk Relationship

Example: NIST Privacy Framework V1.0
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data]
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data]
3. Analyze & data cleanup
Map data flows
Be selective – work from high risk to low risk
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH]
4. Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of breach of CIA and R on data subject rights
Third party risks
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests]
5. Understand technically how to respond to ...
... Right to Access (Article 30)
... Right to data portability (Article 31)
... Right to object (Article 32)
... Right to be forgotten (Article 33)
... Right to restriction of processing (Article 34)
... Right to rectification (Articles 35, 36)
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register]
6. Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation]
7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control – does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects]
8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think of any InfoSec projects (DLP, monitoring) especially
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing]
9. Records of processing
Essential for the accountability principle (Article 39)
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
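Two of the controls the slides call for, pseudonymization of direct identifiers (step 7) and an inspection for personal data held past the retention period documented in the records of processing (the data controller's inspection duty and step 9), as an added Python example that is not part of the Fujitsu webinar material. The field names, purposes, retention periods and sample records are constructed for illustration.

```python
"""Added example (not from the Fujitsu webinar): two PDPA controls as code.

1. Pseudonymization (step 7): direct identifiers are replaced by keyed
   HMAC-SHA256 tokens. Analysts work on the token copy; only the holder of
   the key and the separately stored lookup table can re-identify a record.
2. Retention inspection (controller duty / step 9): each record carries the
   purpose it was collected for; the records of processing state a retention
   period per purpose, and anything held longer (or with no documented
   purpose) is reported as a finding.

All names, purposes, periods and records below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import date

# Direct identifiers that must never reach the analytics copy (constructed).
DIRECT_IDENTIFIERS = ("name", "id_card", "email")

# Constructed "records of processing": retention period in days per purpose.
RECORDS_OF_PROCESSING = {
    "order_fulfilment": 365,
    "marketing_consent": 730,
}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier value (HMAC-SHA256, 128-bit hex).

    Same value + same key -> same token, so joins across tables still work;
    without the key the token cannot be reversed or confirmed by guessing.
    Input is normalised so "Ann Lee" and " ann lee " map to one token.
    """
    norm = value.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Return (analytics_copy, lookup_entries).

    analytics_copy has every direct identifier replaced by its token; the
    lookup entries map token -> original value and belong in a separate,
    access-controlled store (the slides' "does everyone need access?").
    """
    analytics = dict(record)
    lookup = {}
    for field in DIRECT_IDENTIFIERS:
        if analytics.get(field) is not None:
            token = pseudonym(str(analytics[field]), key)
            lookup[token] = analytics[field]
            analytics[field] = token
    return analytics, lookup


def over_retention(records: list[dict], today: date) -> list[dict]:
    """Records held longer than the retention period for their purpose.

    A purpose missing from the records of processing is itself a finding:
    the data is being kept with no documented basis.
    """
    findings = []
    for rec in records:
        limit = RECORDS_OF_PROCESSING.get(rec["purpose"])
        age = (today - rec["collected_on"]).days
        if limit is None:
            findings.append({"id": rec["id"], "reason": "undocumented purpose"})
        elif age > limit:
            findings.append({"id": rec["id"], "reason": f"held {age} days, limit {limit}"})
    return findings


# Constructed sample records; the people and ID numbers are fictitious.
SAMPLE = [
    {"id": 1, "name": "Somchai Jaidee", "id_card": "1100000000001",
     "email": "somchai@example.com", "purpose": "order_fulfilment",
     "collected_on": date(2019, 1, 10)},
    {"id": 2, "name": "Ann Lee", "id_card": "1100000000002",
     "email": "ann@example.com", "purpose": "marketing_consent",
     "collected_on": date(2019, 9, 1)},
    {"id": 3, "name": "Bob Ray", "id_card": "1100000000003",
     "email": "bob@example.com", "purpose": "legacy_import",
     "collected_on": date(2015, 3, 3)},
]


def run_check(key: bytes, today: date) -> dict:
    """Pseudonymize SAMPLE and run the retention inspection on it."""
    analytics, vault = [], {}
    for rec in SAMPLE:
        copy, entries = pseudonymize(rec, key)
        analytics.append(copy)
        vault.update(entries)
    return {"analytics": analytics, "vault": vault,
            "findings": over_retention(SAMPLE, today)}


if __name__ == "__main__":
    # The key belongs in a KMS/HSM in practice; this literal is a demo value.
    result = run_check(b"demo-key-not-for-production", date(2020, 4, 21))
    for row in result["analytics"]:
        print(row)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

With the webinar date as "today", record 1 is flagged as held 467 days against a 365-day limit and record 3 for an undocumented purpose, while record 2 is within its period.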
[Roadmap diagram, Business / IT-IS lanes: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing; Create incident response plans]
10. Incident response
What's a personal data breach?
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

10. Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to Data Subject
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
Business / IT-IS

Consulting Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the Objective; define framework for protecting PII
Increase employee awareness by training and communication scheme

Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Right" management
PII Inventory; conduct PII Life Cycle
Perform DPIA: Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours

Data Protection Advisory Service
Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, internal audit
Check and update on regulations of the DPA Thailand
Cyber security assessment (VA, penetration test)
Regularly evaluate feedback from "Individual"
Regularly report the level of compliance to top management

Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tuning standard process for full compliance
Improve process by IT and Cyber Security enhancement
Look to International Standards such as ISO 27001 for a systematic approach framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management

End to End Security Solution Areas

Summary
People, policy and processes, and technology that deliver 'privacy by nature'

Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Speaker Profile
Pisek Bootta
Experience
Business Consultant [Fujitsu (Thailand) Co Ltd 2019-Present]
Solution Manager [nForce Secure 2017-2019]
Technical Consultant [SCM Technologies 2016-2017]
Security Engineer [The Communication Solution (TCS) 2012-2016]
Security Analyst [e-COP Thailand 2011-2012]
Knowledges amp Skills Cybersecurity Data security amp data privacy Cloud amp virtualization security Identity and Access Management
Certificates ComTIA Security+ Check Point Certified Security Expert Palo Alto Networks Certified Network Security Engineer Radware Certified Security Specialist VMware Certified Professional 6 ndash Network Virtualization Symantec Sale Expert Plus
What is PDPA amp impact in summary
Pisek Bootta
Business Consultant - Security Consultant
Copyright 2020 Fujitsu (Thailand) Co Ltd
6
Agenda
What is Personal Data
Thailandrsquos Personal Data Protection Act (PDPA)
Business Impact
Benefits
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
7
What is Personal Data
Copyright 2020 Fujitsu (Thailand) Co Ltd
8
What is Personal Information
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Data or Personal Information (PI) ndash GDPR definition
any information relating to an identified or identifiable natural person (lsquodata subjectrsquo) an identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name an identification number location data an online identifier or to one or more factors specific to the physical physiological genetic mental economic cultural or social identity of that natural person
Reference httpsgdpr-infoeuart-4-gdpr
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
EU ndash General Data Protection Regulation (GDPR)
TH ndash Personal Data Protection Act (PDPA) พรบ คมครองขอมลสวนบคคล
9
Example of personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Name and surname
bull Home address
bull Email address such as namesurnamecompanycom
bull Identification card number bank account number social security number
bull Location data (for example the location data function on a mobile phone)
bull Internet Protocol (IP) address
bull Cookie ID
bull Biometric data
bull Sensitive Data
10
Examples of data not considered personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Company registration number
bull Email address such as infocompanycom
bull Anonymous data
bull Information of the deceased persons
11
Personal data risks
Copyright 2020 Fujitsu (Thailand) Co Ltd
Social Engineering Identity Theft Tracking Stalking
Misuse ProfilingRISK
12
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
13
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
pound992m
pound183m $5bnReference httpswwwtheguardiancom
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบญญตคมครองขอมลสวนบคคล พศ ๒๕๖๒
Copyright 2020 Fujitsu (Thailand) Co Ltd
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49
[Roadmap diagram as on slide 47, adding: Risk reduction and remediation]
50
7 Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control – does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
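Added example, not from the deck: the pseudonymization control named above, applied to a constructed customer table. It replaces direct identifiers with keyed HMAC tokens (linkable across systems that share the key, not reversible without it), keeps the re-identification table as a separate, tightly controlled asset, and contrasts this with the unkeyed hash that is often mistaken for pseudonymization. Record values and field names are made up for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer records (made-up 13-digit ID numbers, names and
# e-mail addresses); nothing here comes from the deck.
SAMPLE_RECORDS = [
    {"citizen_id": "1100000000001", "name": "Somchai A.",
     "email": "somchai@example.com", "plan": "gold", "city": "Bangkok"},
    {"citizen_id": "1100000000002", "name": "Suda B.",
     "email": "suda@example.com", "plan": "silver", "city": "Chiang Mai"},
]

# Fields that directly identify the data subject. Everything else stays in
# clear so reporting on the pseudonymized copy still works.
DIRECT_IDENTIFIERS = ("citizen_id", "name", "email")


def new_pseudonymization_key() -> bytes:
    """256-bit key. It lives with the controller (HSM or secrets manager), never
    next to the pseudonymized data; the key is the only path back to identity."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Keyed HMAC-SHA256 token for one identifier value.

    The field name is mixed in (domain separation) so the same string in two
    different columns yields two unrelated tokens. The key is what makes this
    pseudonymization rather than hashing: without it a token cannot be
    recomputed, even by someone who knows the original value.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes, fields=DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of `record` with every direct identifier replaced by a token."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = pseudonym(str(out[f]), key, f)
    return out


def unkeyed_hash(value: str) -> str:
    """What NOT to do: an unkeyed SHA-256 of an identifier. A 13-digit ID space
    is small enough to enumerate, so anyone can rebuild the mapping table; the
    data is still personal data, merely obfuscated."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def build_reidentification_table(records, key: bytes,
                                 fields=DIRECT_IDENTIFIERS) -> dict:
    """Controller-side token -> (field, original) map. Kept in a separate system
    under stricter access control (the slide's 'does everyone need access?').
    Its existence is why the output is pseudonymous, not anonymous."""
    table = {}
    for r in records:
        for f in fields:
            if r.get(f) is not None:
                table[pseudonym(str(r[f]), key, f)] = (f, r[f])
    return table


def demo() -> dict:
    """Run the controls over the sample data and return checkable facts."""
    key = new_pseudonymization_key()
    other_key = new_pseudonymization_key()
    pseudo = [pseudonymize(r, key) for r in SAMPLE_RECORDS]
    table = build_reidentification_table(SAMPLE_RECORDS, key)
    first = SAMPLE_RECORDS[0]
    return {
        # no raw identifier survives in the pseudonymized copy
        "identifiers_removed": all(
            p[f] != str(r[f])
            for p, r in zip(pseudo, SAMPLE_RECORDS) for f in DIRECT_IDENTIFIERS),
        # non-identifying fields are untouched, so analytics still works
        "plans_intact": [p["plan"] for p in pseudo] == ["gold", "silver"],
        # same key + same value => same token: two systems can still be joined
        "linkable_across_systems":
            pseudonymize({"citizen_id": first["citizen_id"]}, key)["citizen_id"]
            == pseudo[0]["citizen_id"],
        # a different key gives unrelated tokens: a copy leaked from one
        # environment cannot be joined to another
        "unlinkable_without_key":
            pseudonymize(first, other_key)["citizen_id"] != pseudo[0]["citizen_id"],
        # only the holder of the table (the controller) can go back to the person
        "reidentified": table[pseudo[0]["email"]] == ("email", first["email"]),
        # the unkeyed hash is reproducible by anyone, which is the failure mode
        "unkeyed_is_recomputable":
            unkeyed_hash(first["citizen_id"]) == unkeyed_hash("1100000000001"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {'OK' if ok else 'FAIL'}")
```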
51
[Roadmap diagram as on slide 49, adding: DPIA for in-flight projects]
52
8 DPIA for in-flight projects
DPIAs required for ‘high risk’ processing and in specified circumstances
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice:
Think of any InfoSec projects (DLP, monitoring) especially
53
[Roadmap diagram as on slide 51, adding: Create and maintain records of processing]
54
9 Records of processing
Essential for accountability principle (Article 39)
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
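Added example, not from the deck: the Article 39 items listed above as a machine-checkable register, with a validator for incomplete entries, a check that every collected category has a stated purpose, and the retention check that turns the recorded retention period into a deletion trigger (the slide-3 cleanup applied continuously). Register contents, record IDs and dates are constructed.

```python
from datetime import date, timedelta

# Article 39 items as listed on the slide, keyed by the register column that holds them.
REQUIRED_ITEMS = {
    "collected_data": "the collected Personal Data",
    "purpose": "the purpose of collection for each category",
    "controller": "details of the Data Controller",
    "retention_days": "the retention period of the Personal Data",
    "access_rights": "rights and methods for access to the Personal Data",
    "use_or_disclosure": "the use or disclosure",
    "rejections": "the rejection of request or objection",
    "security_measures": "explanation of the appropriate security measures",
}

# Constructed register: one entry per processing activity (illustrative values).
SAMPLE_REGISTER = [
    {
        "activity": "customer-accounts",
        "collected_data": ["name", "citizen_id", "email"],
        "purpose": {"name": "contract", "citizen_id": "contract", "email": "contract"},
        "controller": "Example Co., Ltd.; DPO: dpo@example.com",
        "retention_days": 365 * 2,
        "access_rights": "self-service portal; DSAR form",
        "use_or_disclosure": "billing; shared with payment processor",
        "rejections": "none to date",
        "security_measures": "pseudonymized analytics copy; role-based access",
    },
    {
        "activity": "marketing-newsletter",
        "collected_data": ["email"],
        "purpose": {"email": "consent"},
        "controller": "Example Co., Ltd.; DPO: dpo@example.com",
        "retention_days": 365,
        "access_rights": "",        # left empty on purpose: fails validation
        "use_or_disclosure": "email campaigns",
        "rejections": "",           # empty
        "security_measures": "",    # empty
    },
]

# Constructed holdings in the live systems: (activity, record_id, collected_on).
SAMPLE_HOLDINGS = [
    ("customer-accounts", "c-1001", date(2018, 1, 15)),
    ("customer-accounts", "c-1002", date(2019, 9, 1)),
    ("marketing-newsletter", "m-7", date(2019, 3, 1)),
    ("marketing-newsletter", "m-8", date(2020, 2, 1)),
]


def missing_items(entry: dict) -> list:
    """Names of Article 39 items that are absent or empty in one register entry."""
    return [k for k in REQUIRED_ITEMS if not entry.get(k)]


def purposes_cover_data(entry: dict) -> bool:
    """Every collected category needs a stated purpose (slide: 'in each category')."""
    return set(entry.get("collected_data", [])) <= set(entry.get("purpose", {}))


def overdue(register, holdings, today: date) -> list:
    """Record IDs held longer than the retention period recorded for their activity.
    The register only protects anyone if something checks live data against it."""
    limits = {e["activity"]: timedelta(days=e["retention_days"]) for e in register}
    return [rid for act, rid, collected in holdings
            if act in limits and today - collected > limits[act]]


def audit(register, holdings, today_iso: str) -> dict:
    """Accountability report for one date (ISO string, e.g. '2020-04-28')."""
    today = date.fromisoformat(today_iso)
    return {
        "incomplete": {e["activity"]: missing_items(e)
                       for e in register if missing_items(e)},
        "purpose_gaps": [e["activity"] for e in register if not purposes_cover_data(e)],
        "overdue": overdue(register, holdings, today),
    }


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_REGISTER, SAMPLE_HOLDINGS, "2020-04-28").items():
        print(f"{section}: {finding}")
```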
55
[Roadmap diagram as on slide 53, adding: Create incident response plans]
56
10 Incident response
What's a personal data breach?
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
57
10 Incident response (Article 37 (4))
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan; test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
[Diagram, Business and IT/IS lanes: Data Protection Advisory Service; Privacy & Cybersecurity Solutions; People, Policy, Processes, Technology]
59
Consulting Service
Data Protection Advisory Service: Phase 1 Establishment; Phase 2 Implementation and operation; Phase 3 Monitoring / Measuring; Phase 4 Optimize and Improvement
60
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the Objective; define framework for protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting “Individual Right” management
PII inventory; conduct PII life cycle
Perform DPIA: risk assessment and treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the results of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hrs
62
Data Protection Advisory Service
Phase 3: Monitoring / Measuring
Monitoring by measurement
Process audit, internal audit
Check and update against the regulations of the DPA Thailand
Cyber security assessment (VA, penetration test)
Regularly evaluate feedback from the “Individual”
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tune the standard process for full compliance
Improve processes through IT and cyber security enhancement
Look to an international standard such as ISO 27001 for a systematic approach framework
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver ‘privacy by nature’
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
What is PDPA amp impact in summary
Pisek Bootta
Business Consultant - Security Consultant
Copyright 2020 Fujitsu (Thailand) Co Ltd
6
Agenda
What is Personal Data
Thailandrsquos Personal Data Protection Act (PDPA)
Business Impact
Benefits
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
7
What is Personal Data
Copyright 2020 Fujitsu (Thailand) Co Ltd
8
What is Personal Information
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Data or Personal Information (PI) ndash GDPR definition
any information relating to an identified or identifiable natural person (lsquodata subjectrsquo) an identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name an identification number location data an online identifier or to one or more factors specific to the physical physiological genetic mental economic cultural or social identity of that natural person
Reference httpsgdpr-infoeuart-4-gdpr
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
EU ndash General Data Protection Regulation (GDPR)
TH ndash Personal Data Protection Act (PDPA) พรบ คมครองขอมลสวนบคคล
9
Example of personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Name and surname
bull Home address
bull Email address such as namesurnamecompanycom
bull Identification card number bank account number social security number
bull Location data (for example the location data function on a mobile phone)
bull Internet Protocol (IP) address
bull Cookie ID
bull Biometric data
bull Sensitive Data
10
Examples of data not considered personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Company registration number
bull Email address such as infocompanycom
bull Anonymous data
bull Information of the deceased persons
11
Personal data risks
Copyright 2020 Fujitsu (Thailand) Co Ltd
Social Engineering Identity Theft Tracking Stalking
Misuse ProfilingRISK
12
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
13
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
pound992m
pound183m $5bnReference httpswwwtheguardiancom
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบญญตคมครองขอมลสวนบคคล พศ ๒๕๖๒
Copyright 2020 Fujitsu (Thailand) Co Ltd
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
6
Agenda
What is Personal Data
Thailandrsquos Personal Data Protection Act (PDPA)
Business Impact
Benefits
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
7
What is Personal Data
Copyright 2020 Fujitsu (Thailand) Co Ltd
8
What is Personal Information
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Data or Personal Information (PI) ndash GDPR definition
any information relating to an identified or identifiable natural person (lsquodata subjectrsquo) an identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name an identification number location data an online identifier or to one or more factors specific to the physical physiological genetic mental economic cultural or social identity of that natural person
Reference httpsgdpr-infoeuart-4-gdpr
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
EU ndash General Data Protection Regulation (GDPR)
TH ndash Personal Data Protection Act (PDPA) พรบ คมครองขอมลสวนบคคล
9
Example of personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Name and surname
bull Home address
bull Email address such as namesurnamecompanycom
bull Identification card number bank account number social security number
bull Location data (for example the location data function on a mobile phone)
bull Internet Protocol (IP) address
bull Cookie ID
bull Biometric data
bull Sensitive Data
10
Examples of data not considered personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Company registration number
bull Email address such as infocompanycom
bull Anonymous data
bull Information of the deceased persons
11
Personal data risks
Copyright 2020 Fujitsu (Thailand) Co Ltd
Social Engineering Identity Theft Tracking Stalking
Misuse ProfilingRISK
12
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
13
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
pound992m
pound183m $5bnReference httpswwwtheguardiancom
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบญญตคมครองขอมลสวนบคคล พศ ๒๕๖๒
Copyright 2020 Fujitsu (Thailand) Co Ltd
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
Data Controller & Data Processor Responsibilities

Data Controller
• Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
• Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
• Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
• Prepare and maintain a list of the data processing activities
• Appoint a data controller representative and a Data Protection Officer (DPO)
• Respond to data owner’s requests

Data Processor
• Strictly follow the instructions of the data controller
• Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
• Inform the data controller of any violation of the personal data that occurs
• Prepare and maintain a list of the data processing activities
Business Impact

Positive Impact
• Improved cybersecurity
• Standardization of data security & data privacy
• Brand safety
• Loyal customer following

Negative Impact
• Non-compliance penalties
• The cost of compliance
• Overregulation hampering innovation
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happened after the GDPR enforcement
• 18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
• 54 percent said GDPR implementation took longer than they expected
• 45 percent said they had an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging

The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
Conclusion
• This law was issued to protect personal information, both IT and non-IT.
• Any organization that ignores or does not comply with this law is likely to be punished by law.
• Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law.
Step by step to go on track with PDPA’s solution by Fujitsu
Pisek Bootta, Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions.
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.
Reference: https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA

1. Teaming up
In most organizations enterprise architects & the IT department do not have final responsibility for ensuring regulatory compliance. This responsibility may lie with …
• Legal department
• Risk Management
• Compliance
• Information Security
• Data Protection Officer
• HR, Marketing, etc.

[Roadmap figure, step 1: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA, สพธอ.) - https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework V1.0
Cybersecurity and Privacy Risk Relationship (figure from https://www.nist.gov/privacy-framework)

Example: NIST Privacy Framework V1.0
Using Functions to Manage Cybersecurity and Privacy Risks (figure from https://www.nist.gov/privacy-framework)

[Roadmap figure, steps so far (Business / IT-IS lanes): Create governance framework; Where is your data]
2. Privacy inventory
Identify all data that counts as ‘personal’ according to the PDPA.
• Data discovery: logical and physical
• What do you store?
  • How old is it?
  • How much is there?
• Classification
• What third parties?

[Roadmap figure, steps so far (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data]
3. Analyze & data cleanup
• Map data flows
• Be selective – work from high risk to low risk
• Delete all the data you don’t need:
  • Duplicate copies
  • “Just-in-case” backups
  • Excess fields in systems
  • Records the business has decided are no longer required
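As an added example (not Fujitsu's code, and not a format the Act prescribes), here is a minimal version of the "inspection system" the controller responsibilities slide calls for, applied to the inventory and clean-up steps: it classifies stored fields as personal data or not using the deck's own examples (a person's name, a name.surname@ mailbox and a valid ID card number count; a company registration number, an info@ role mailbox and a plain reference number do not) and flags records kept beyond the retention period declared for their purpose, which is what this clean-up step deletes. Field names, purposes, retention periods and the sample records are all constructed.

```python
"""Constructed example of a small 'inspection system' for over-retained personal
data. Not Fujitsu's code or a PDPA-prescribed format; all names and records are invented."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Retention per processing purpose, as declared in the records of processing (constructed).
RETENTION_DAYS = {"customer_account": 5 * 365, "marketing_newsletter": 2 * 365}
# Role mailboxes such as info@company.com are not personal data; name.surname@ is.
ROLE_MAILBOXES = {"info", "sales", "support", "admin", "contact", "noreply"}
EMAIL_RE = re.compile(r"([A-Za-z0-9._+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
AS_OF = date(2020, 4, 28)  # snapshot date used by run_sample(): the webinar date


def is_valid_thai_id(value: str) -> bool:
    """Thai national ID check digit: weight the first 12 digits 13..2 and require
    (11 - sum mod 11) mod 10 == 13th digit. Separates an ID from a 13-digit reference."""
    if not re.fullmatch(r"\d{13}", value):
        return False
    digits = [int(c) for c in value]
    total = sum(d * w for d, w in zip(digits[:12], range(13, 1, -1)))
    return (11 - total % 11) % 10 == digits[12]


def is_personal_email(value: str) -> bool:
    """True for a mailbox that identifies a natural person."""
    m = EMAIL_RE.fullmatch(value)
    return bool(m) and m.group(1).lower() not in ROLE_MAILBOXES


def classify_field(name: str, value: str) -> str | None:
    """Personal-data category of a stored field, or None when it is not personal data
    under the deck's examples (company registration number, role mailbox, reference number)."""
    if name in ("name", "surname", "home_address"):
        return "direct identifier"
    if name == "email":
        return "direct identifier" if is_personal_email(value) else None
    if name == "national_id" or re.fullmatch(r"\d{13}", value):
        # Any 13-digit value passing the check digit is an ID card number, whatever the column is called.
        return "identification number" if is_valid_thai_id(value) else None
    if name == "location":
        return "location data"
    return None


@dataclass
class Record:
    purpose: str
    collected_on: date
    fields: dict[str, str]


@dataclass
class Finding:
    record_index: int
    personal_fields: dict[str, str]  # field name -> category
    over_retained: bool
    days_over: int


def inspect(records: list[Record], today: date) -> list[Finding]:
    """Report every record holding personal data and whether it has been kept longer
    than the retention declared for its purpose. A purpose with no declared retention
    makes the record wholly over-retained: 'not relevant to the objective'."""
    findings: list[Finding] = []
    for i, rec in enumerate(records):
        categories = {k: classify_field(k, v) for k, v in rec.fields.items()}
        personal = {k: c for k, c in categories.items() if c}
        if not personal:
            continue  # nothing in this record is in scope of the PDPA
        age = (today - rec.collected_on).days
        limit = RETENTION_DAYS.get(rec.purpose)
        days_over = age if limit is None else max(0, age - limit)
        findings.append(Finding(i, personal, days_over > 0, days_over))
    return findings


# Constructed records: a customer kept past the five-year period, a record holding
# only corporate data, and a personal record still within its period.
SAMPLE_RECORDS = [
    Record("customer_account", date(2014, 3, 1), {
        "name": "Somchai", "surname": "Example", "email": "somchai.example@example.co.th",
        "national_id": "1234567890121",  # passes the check digit
        "order_no": "1234567890120",     # 13 digits but fails it: a reference number
    }),
    Record("marketing_newsletter", date(2019, 6, 15), {
        "email": "info@example.co.th", "company_registration_no": "0105556000001",
    }),
    Record("marketing_newsletter", date(2019, 6, 15), {
        "email": "nid.example@example.com", "location": "13.7563,100.5018",
    }),
]


def run_sample() -> list[Finding]:
    return inspect(SAMPLE_RECORDS, AS_OF)
```

Calling run_sample() yields two findings: record 0 is flagged for deletion (425 days past its five-year period) and record 2 is personal data still within period; record 1 holds no personal data and is not reported.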
[Roadmap figure (Business / IT-IS lanes): previous boxes plus Risk Assessment; Processing outside the TH]
4. Risk Assessment
• Privacy risk assessment
• Conduct security risk assessment
  • Effects of breach of CIA (confidentiality, integrity, availability) and R on data subject rights
• Third party risks

[Roadmap figure (Business / IT-IS lanes): previous boxes plus Work out how to respond to Data Subject requests]
5. Understand technically how to respond to …
• … Right to access (Article 30)
• … Right to data portability (Article 31)
• … Right to object (Article 32)
• … Right to be forgotten (Article 33)
• … Right to restriction of processing (Article 34)
• … Right to rectification (Articles 35, 36)

[Roadmap figure (Business / IT-IS lanes): previous boxes plus Create risk register; Prioritize risk register]
6. Prioritize risks
• List risks to Data Subjects
  • Prioritized
• List regulatory risks
  • Prioritized

[Roadmap figure (Business / IT-IS lanes): previous boxes plus Risk reduction and remediation]
7. Risk reduction and remediation
• Do we need to do this with that data?
• Confidentiality
  • Pseudonymization
  • Encryption
• Access control – does everyone need access?
• What security posture based on data subject risk?
  • Will you create different security zones?

[Roadmap figure (Business / IT-IS lanes): previous boxes plus DPIA for in-flight projects]
8. DPIA for in-flight projects
DPIAs are required for ‘high risk’ processing and in specified circumstances. A DPIA needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice: think especially of any InfoSec projects (DLP, monitoring).

[Roadmap figure (Business / IT-IS lanes): previous boxes plus Create and maintain records of processing]
9. Records of processing
Essential for the accountability principle (Article 39):
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures

Roadmap figure (Business and IT/IS lanes), all boxes after step 9:
• Create governance framework
• Where is your data
• Check all processing is fair, lawful and allowed
• Update policies and comms to data subjects
• Appoint Data Protection Officer
• Delete unwanted data
• Risk Assessment
• Processing outside the TH
• Work out how to respond to Data Subject requests
• Create risk register
• Prioritize risk register
• Risk reduction and remediation
• DPIA for in-flight projects
• Create and maintain records of processing
• Create incident response plans
10. Incident response
What’s a personal data breach?
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

10. Incident response (Article 37 (4))
• Notification of a breach to the supervisory authority within 72 hours
• Notification to Data Subjects
• Plan; test the plan
• Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
• Data Protection Advisory Service
• Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (Business and IT/IS)

Consulting Service: Data Protection Advisory Service
• Phase 1: Establishment
• Phase 2: Implementation and operation
• Phase 3: Monitoring and Measuring
• Phase 4: Optimize and Improvement
Data Protection Advisory Service

Phase 1: Establishment
• Top management commitment
• Appoint a Data Privacy committee
• Appoint a Data Privacy Officer (DPO)
• Consent Manager working group
• Establish the Data Privacy Policy and its objective; define a framework for protecting PII
• Increase employee awareness through training and a communication scheme

Phase 2: Implementation and operation
• Collect consent; implement a single contact point for supporting “Individual Right” management
• PII inventory; conduct the PII life cycle
• Perform DPIA: risk assessment and treatment
• Define procedures, work instructions and standard processes according to risk level
• Monitor and evaluate the result of the risk treatment plan
• Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours

Phase 3: Monitoring and Measuring
• Monitoring by measurement
• Process audit, internal audit
• Check for and act on updated regulations of the DPA Thailand
• Cyber security assessment (VA, penetration test)
• Regularly evaluate feedback from “Individuals”
• Regularly report the level of compliance to top management

Phase 4: Optimize and Improvement
• Tune the standard process for full compliance
• Improve processes through IT and cyber security enhancement
• Look to international standards such as ISO 27001 for a systematic approach framework
Privacy Management Solutions
Assessment Automation; Cookie Compliance; Consent Management; Data Discovery & Deletion; Data Mapping; Data Subject Rights Management; Privacy Incident Response; Privacy Policy & Notice; Vendor Risk Management

End to End Security Solution Areas

Summary
People, policy and processes, and technology that deliver ‘privacy by nature’.
Contact
Pisek Bootta, Business Consultant
pisek@fujitsu.com
097-298-2153
7
What is Personal Data
Copyright 2020 Fujitsu (Thailand) Co Ltd
8
What is Personal Information
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Data or Personal Information (PI) ndash GDPR definition
any information relating to an identified or identifiable natural person (lsquodata subjectrsquo) an identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name an identification number location data an online identifier or to one or more factors specific to the physical physiological genetic mental economic cultural or social identity of that natural person
Reference httpsgdpr-infoeuart-4-gdpr
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
EU ndash General Data Protection Regulation (GDPR)
TH ndash Personal Data Protection Act (PDPA) พรบ คมครองขอมลสวนบคคล
9
Example of personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Name and surname
bull Home address
bull Email address such as namesurnamecompanycom
bull Identification card number bank account number social security number
bull Location data (for example the location data function on a mobile phone)
bull Internet Protocol (IP) address
bull Cookie ID
bull Biometric data
bull Sensitive Data
10
Examples of data not considered personal data
Copyright 2020 Fujitsu (Thailand) Co Ltd
bull Company registration number
bull Email address such as infocompanycom
bull Anonymous data
bull Information of the deceased persons
11
Personal data risks
Copyright 2020 Fujitsu (Thailand) Co Ltd
Social Engineering Identity Theft Tracking Stalking
Misuse ProfilingRISK
12
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
13
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
pound992m
pound183m $5bnReference httpswwwtheguardiancom
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบญญตคมครองขอมลสวนบคคล พศ ๒๕๖๒
Copyright 2020 Fujitsu (Thailand) Co Ltd
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
10
Examples of data not considered personal data
• Company registration number
• Email address such as info@company.com
• Anonymous data
• Information about deceased persons
11
Personal data risks
[Figure: risks to the data subject when personal data is leaked or misused: social engineering, identity theft, tracking, stalking, misuse, profiling]
12
Data breach incidents
13
Data breach incidents
[Figure: breach penalties shown on the slide: £99.2m, £183m and $5bn. Reference: https://www.theguardian.com]
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. ๒๕๖๒ (Personal Data Protection Act B.E. 2562, i.e. 2019)
15
The gazette of PDPA
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
16
PDPA Summary
Personal information: includes sensitive personal data; a person may be identified directly or indirectly
PDPA's players: the data subject, the data controller and the data processor, overseen by the Personal Data Protection Committee
Legal basis: consent, or one of the other legal exceptions
Applicability: extraterritorial; covers entities in and outside Thailand
Penalties: criminal, administrative and civil; fines of 500,000 to 5 million Baht and/or imprisonment
Data subject's rights: right to access (Section 30), right to data portability (Section 31), right to object (Section 32), right to be forgotten (Section 33), right to restriction of processing (Section 34), right to rectification (Sections 35 and 36)
17
Imprisonment
มาตรา ๘๑ ในกรณีที่ผู้กระทำความผิดตามพระราชบัญญัตินี้เป็นนิติบุคคล ถ้าการกระทำความผิดของนิติบุคคลนั้นเกิดจากการสั่งการหรือการกระทำของกรรมการหรือผู้จัดการ หรือบุคคลใดซึ่งรับผิดชอบในการดำเนินงานของนิติบุคคลนั้น หรือในกรณีที่บุคคลดังกล่าวมีหน้าที่ต้องสั่งการหรือกระทำการและละเว้นไม่สั่งการหรือไม่กระทำการจนเป็นเหตุให้นิติบุคคลนั้นกระทำความผิด ผู้นั้นต้องรับโทษตามที่บัญญัติไว้สำหรับความผิดนั้น ๆ ด้วย
Section 81: In the case where the offender who commits the offense under this Act is a juristic person, and the offense is conducted as a result of the instructions given by, or the act of, any director, manager or person who shall be responsible for such act of the juristic person, or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense, such person shall also be punished with the punishment as prescribed for such offense.
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
18
Data Controller amp Data Processor Responsibilities
Data Controller:
• Provide appropriate security measures to prevent unauthorised or unlawful loss, access, use, alteration, correction or disclosure of personal data
• Provide an inspection system to detect personal data that has been kept longer than necessary or is no longer relevant to the purpose
• Inform the Office of the Personal Data Protection Committee of any personal data breach within 72 hours
• Prepare and maintain a record of data processing activities
• Appoint a data controller representative (where required) and a Data Protection Officer (DPO)
• Respond to data subjects' requests
Data Processor:
• Strictly follow the instructions of the data controller
• Provide appropriate security measures to prevent unauthorised or unlawful loss, access, use, alteration, correction or disclosure of personal data
• Inform the data controller of any personal data breach that occurs
• Prepare and maintain a record of data processing activities
19
Business Impact
20
Positive Impact
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
23
Personal
• Confidence in using products and services
• Fewer personal data violations and privacy infringements
• Rights over their own personal data
• The ability to file a complaint and claim damages
24
Business
• Customer loyalty and trust
• Better data security
• Reduced maintenance costs
• Better alignment with evolving technology
• Better decision-making
25
What happened after GDPR enforcement
26
What happened after GDPR enforcement (survey findings)
• 18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
• 54 percent said GDPR implementation took longer than they expected
• 45 percent said they had had an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
[Figure. Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging]
28
Conclusion
29
Conclusion
This law was issued to protect personal information in both IT and non-IT form
Any organization that ignores or does not comply with this law is liable to punishment under it
Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
Data Processing: the collective set of data actions
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal
Reference: https://www.nist.gov/privacy-framework
33
10 Steps to Preparing for PDPA
34
1 Teaming up
In most organizations enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with:
• Legal department
• Risk Management
• Compliance
• Information Security
• Data Protection Officer
• HR, Marketing, etc.
35
[Roadmap graphic: step 1, Create governance framework]
36
Data Privacy amp Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA; สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์, สพธอ.): https://www.etda.or.th/content/personal-data-protection-by-etda
37
Example NIST Privacy Framework V10
https://www.nist.gov/privacy-framework
[Figure: Cybersecurity and Privacy Risk Relationship]
38
Example NIST Privacy Framework V10
[Figure: Using Functions to Manage Cybersecurity and Privacy Risks]
https://www.nist.gov/privacy-framework
39
[Roadmap graphic (Business and IT/IS lanes): Create governance framework; Where is your data?]
40
2 Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
Which third parties receive it?
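Data discovery is where most PDPA programmes start, so here is an added example (not from the Fujitsu deck, not Fujitsu's code) of the simplest useful scanner for the logical side of the inventory: it walks an exported text dump line by line, flags Thai 13-digit national ID numbers only when the check digit validates (which removes order numbers and other 13-digit noise), flags e-mail addresses but skips shared mailboxes such as info@company.com that the deck treats as non-personal, and flags Thai mobile numbers. The regexes, field names and the sample export are assumptions for illustration; the ID check-digit rule is the published mod-11 scheme. Findings are masked before they are kept, so the inventory itself does not become one more copy of the personal data.

```python
"""Added example, not from the webinar: a minimal personal-data discovery
scanner over an exported text dump. Standard library only."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str       # never store the raw value in the inventory


# Patterns are deliberately narrow; tune them for your own data (assumption).
THAI_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TH_MOBILE_RE = re.compile(r"(?<!\d)0[689]\d{8}(?!\d)")   # 10-digit Thai mobile

# Shared mailboxes are not personal data; skip them.
GENERIC_MAILBOXES = {"info", "sales", "support", "admin", "contact"}


def thai_id_is_valid(digits: str) -> bool:
    """Mod-11 check digit of the Thai national ID: weights 13..2 over the
    first twelve digits, check = (11 - sum mod 11) mod 10."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


def mask(value: str) -> str:
    """Keep two characters at each end so a finding can be located later."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per personal-data hit, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in THAI_ID_RE.finditer(line):
            if thai_id_is_valid(m.group()):          # drop non-ID 13-digit numbers
                findings.append(Finding(line_no, "thai_national_id", mask(m.group())))
        for m in EMAIL_RE.finditer(line):
            local_part = m.group().split("@", 1)[0].lower()
            if local_part not in GENERIC_MAILBOXES:
                findings.append(Finding(line_no, "email", mask(m.group())))
        for m in TH_MOBILE_RE.finditer(line):
            findings.append(Finding(line_no, "th_mobile", mask(m.group())))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """'How much is there?' per category, for the privacy inventory."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample export (fictitious people). The ID on row 1 has a valid
# check digit, the one on row 2 deliberately does not, and row 2 uses a
# shared mailbox, so only rows 1 and 3 should produce findings.
SAMPLE_EXPORT = """id,name,citizen_id,email,phone
1,Somchai,1101700203794,somchai@example.com,0812345678
2,Malee,1101700203795,info@company.com,021234567
3,Arun,n/a,arun.p@example.co.th,0991112222
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_EXPORT)
    for h in hits:
        print(h)
    print(summarize(hits))
```

A scanner like this only covers text the script can read; scanned forms, images and the paper records the slide calls "physical" still need a manual inventory, and the hit counts are the input to the "how old is it, how much is there" questions rather than the answer.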
41
[Roadmap graphic (Business and IT/IS lanes): Create governance framework; Where is your data?; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data]
42
3 Analyze amp data cleanup
Map data flows
Be selective: work from high risk to low risk
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
43
[Roadmap graphic, as before, now also showing: Risk assessment; Processing outside Thailand]
44
4 Risk Assessment
Privacy risk assessment
Conduct a security risk assessment
• Effects of a breach of CIA and R (confidentiality, integrity, availability and resilience) on data subjects' rights
Third-party risks
45
[Roadmap graphic, as before, now also showing: Work out how to respond to data subject requests]
46
5 Understand technically how to respond to …
… Right to access (Section 30)
… Right to data portability (Section 31)
… Right to object (Section 32)
… Right to be forgotten (Section 33)
… Right to restriction of processing (Section 34)
… Right to rectification (Sections 35 and 36)
47
[Roadmap graphic, as before, now also showing: Create risk register; Prioritize risk register]
48
6 Prioritize risks
List risks to data subjects, prioritized
List regulatory risks, prioritized
49
[Roadmap graphic, as before, now also showing: Risk reduction and remediation]
50
7 Risk reduction and remediation
Do we need to do this with that data?
Confidentiality:
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on the risk to the data subject?
• Will you create different security zones?
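Pseudonymization and "does everyone need access?" are the two controls on this slide that engineers actually build, so here is an added example (not Fujitsu's code, not from the deck) that shows both on one customer record: direct identifiers are replaced with keyed HMAC tokens so analysts can still join records without seeing who they belong to, and a per-role policy decides which fields are released raw. The field names, roles, policy and sample record are assumptions. The security-relevant caveats sit in the comments: a bare hash of a national ID or phone number can be brute-forced, so the token must be keyed; and as long as the key exists the tokens are still indirectly identifying personal data under the PDPA, so the key lives in a KMS/HSM away from the data and destroying it is how the dataset stops being linkable.

```python
"""Added example, not from the webinar: keyed pseudonymization of direct
identifiers plus role-based release of fields. Standard library only."""
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Fields that identify a person directly (assumed schema).
DIRECT_IDENTIFIERS = ("citizen_id", "email", "phone")

# Which fields each role may see, and whether identifiers are released raw
# or only as pseudonyms. Roles and policy are assumptions for illustration.
ROLE_POLICY: Dict[str, Dict[str, Any]] = {
    "analytics": {"fields": {"citizen_id", "province", "plan", "spend"}, "raw_identifiers": False},
    "support": {"fields": {"email", "phone", "plan"}, "raw_identifiers": True},
    "kyc": {"fields": {"citizen_id", "email", "phone", "province"}, "raw_identifiers": True},
}


def new_pseudonym_key() -> bytes:
    """32 random bytes. Keep it in a KMS/HSM, separate from the data store:
    whoever holds the key can re-identify every token, and destroying the
    key is what turns the pseudonymized set into unlinkable data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed token for one identifier.

    HMAC, not a bare SHA-256: the input space of a 13-digit ID or a 10-digit
    phone number is small enough to enumerate, so an unkeyed hash reverses
    in minutes. The field name is bound in so a phone token can never be
    matched against an ID token produced from the same digits."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Copy of the record with every direct identifier replaced by its token.
    Same key + same value -> same token, so records stay joinable."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            out[field] = pseudonym(str(out[field]), key, field)
    return out


def release(record: Dict[str, Any], role: str, key: bytes) -> Dict[str, Any]:
    """Project the record down to what the role is allowed to see.
    Unknown roles get nothing rather than everything (deny by default)."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"no release policy for role {role!r}")
    policy = ROLE_POLICY[role]
    source = record if policy["raw_identifiers"] else pseudonymize(record, key)
    return {f: v for f, v in source.items() if f in policy["fields"]}


# Constructed sample record; not a real person.
SAMPLE_RECORD: Dict[str, Any] = {
    "citizen_id": "1101700203794",
    "email": "somchai@example.com",
    "phone": "0812345678",
    "province": "Bangkok",
    "plan": "premium",
    "spend": 1200,
}

if __name__ == "__main__":
    key = new_pseudonym_key()
    print("analytics view:", release(SAMPLE_RECORD, "analytics", key))
    print("support view:  ", release(SAMPLE_RECORD, "support", key))
```

The "different security zones" question on the slide maps onto the same policy table: the analytics zone only ever receives the pseudonymized projection, so a compromise there exposes tokens and attributes but not the identifiers, while the support and KYC zones that need raw identifiers are the ones that justify tighter controls.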
51
[Roadmap graphic, as before, now also showing: DPIA for in-flight projects]
52
8 DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
A DPIA needs to contain:
• A systematic description and the basis of the processing
• An assessment of necessity and proportionality
• The risks to data subjects
• Risk reduction measures
Good practice: think especially of InfoSec projects (DLP, monitoring), since they process employees' personal data
53
[Roadmap graphic, as before, now also showing: Create and maintain records of processing]
54
9 Records of processing
Essential for the accountability principle (Section 39); the record must contain:
• the collected personal data
• the purpose of the collection of the personal data in each category
• details of the data controller
• the retention period of the personal data
• rights and methods for access to the personal data
• the use or disclosure
• the rejection of requests or objections
• an explanation of the appropriate security measures
55
[Roadmap graphic, as before, now also showing: Create incident response plans]
56
10 Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
57
10 Incident response (Section 37(4))
Notification of a breach to the supervisory authority (the Office of the Personal Data Protection Committee) without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
Notification to the data subjects, together with the remedial measures, where the breach is likely to result in a high risk to their rights and freedoms
Plan, and test the plan
Make sure Legal is involved (they will want to handle the notification)
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (Business and IT/IS)
59
Consulting Service
Data Protection Advisory Service:
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring and measuring
Phase 4: Optimization and improvement
60
Data Protection Advisory Service
Phase 1: Establishment
• Top management commitment
• Appoint a Data Privacy Committee
• Appoint a Data Protection Officer (DPO)
• Set up a Consent Manager working group
• Establish the Data Privacy Policy and its objectives; define the framework for protecting PII
• Increase employee awareness through a training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
• Collect consent; implement a single contact point for supporting "individual rights" management
• PII inventory; conduct the PII life cycle
• Perform DPIA, risk assessment and risk treatment
• Define procedures, work instructions and standard processes according to risk level
• Monitor and evaluate the results of the risk treatment plan
• Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
Phase 3: Monitoring and measuring
• Monitoring by measurement
• Process audit, internal audit
• Check for updated regulations from the Thai data protection authority
• Cyber security assessment (vulnerability assessment, penetration test)
• Regularly evaluate feedback from "individuals"
• Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimization and improvement
• Tune standard processes for full compliance
• Improve processes through IT and cyber security enhancement
• Look to an international standard such as ISO 27001 for a systematic framework
64
Privacy Management Solutions
Assessment automation, cookie compliance, consent management, data discovery & deletion, data mapping, data subject rights management, privacy incident response, privacy policy & notice, vendor risk management
65
End to End Security Solution Areas
66
Summary
People, policy, processes and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
11
Personal data risks
Copyright 2020 Fujitsu (Thailand) Co Ltd
Social Engineering Identity Theft Tracking Stalking
Misuse ProfilingRISK
12
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
13
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
pound992m
pound183m $5bnReference httpswwwtheguardiancom
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบญญตคมครองขอมลสวนบคคล พศ ๒๕๖๒
Copyright 2020 Fujitsu (Thailand) Co Ltd
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5. Understand technically how to respond to ...
... Right to Access (Article 30)
... Right to data portability (Article 31)
... Right to object (Article 32)
... Right to be forgotten (Article 33)
... Right to restriction of processing (Article 34)
... Right to rectification (Articles 35, 36)
[Roadmap diagram, now adding: Create risk register; Prioritize risk register]
6. Prioritize risks
List risks to Data Subjects, prioritized
List regulatory risks, prioritized
[Roadmap diagram, now adding: Risk reduction and remediation]
7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality:
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
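Pseudonymization is listed above, but the detail decides whether it reduces risk at all: hashing an identifier without a key is not pseudonymization, because anyone holding a list of candidate identifiers (a leaked customer file, or simply every syntactically valid national ID) can recompute the hashes and match them. As an added example, not from the Fujitsu deck, the following Python code builds a keyed (HMAC) pseudonym that still lets rows of one person join inside a dataset, keeps tokens for different purposes unlinkable, and resists the dictionary attack that defeats the unkeyed hash. The identifiers, the key and the attacker's candidate list are constructed for the example.

```python
"""Added example (not from the Fujitsu deck): keyed pseudonymization of a
direct identifier.  The key, identifiers and attacker's candidate list are
constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample: three rows, the same data subject appearing twice.
IDENTIFIERS = ["1101700230708", "3100200154361", "1101700230708"]

# Generated per deployment and held in a KMS/HSM, separately from the
# pseudonymized dataset; a fresh random key is used here for the run.
KEY = secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA256 over purpose || 0x00 || identifier, truncated to 128 bits.
    Deterministic within one purpose, so rows of the same person still join;
    a different purpose string yields unlinkable tokens for the same person."""
    msg = purpose.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256.  Shown only to demonstrate why hashing alone is not
    pseudonymization for a low-entropy identifier such as a national ID."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_attack(tokens, candidates, token_fn) -> dict:
    """An attacker holding a list of candidate identifiers recomputes the
    token for each candidate and matches against the dataset's tokens."""
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo() -> dict:
    hmac_tokens = [pseudonymize(i, KEY, "marketing-analytics") for i in IDENTIFIERS]
    sha_tokens = [naive_hash(i) for i in IDENTIFIERS]
    # The attacker knows the population of identifiers but not KEY.
    candidates = IDENTIFIERS + ["1234567890121"]
    return {
        "hmac_joins": hmac_tokens[0] == hmac_tokens[2],
        "hmac_purpose_separation":
            pseudonymize(IDENTIFIERS[0], KEY, "hr") != hmac_tokens[0],
        "sha_recovered": len(dictionary_attack(sha_tokens, candidates, naive_hash)),
        "hmac_recovered": len(dictionary_attack(hmac_tokens, candidates, naive_hash)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats belong with this. First, pseudonymized data is still personal data while the controller holds the key (or a mapping table), because re-identification remains possible; the key is therefore the asset to put behind its own access control, which is the "does everyone need access" question above applied to one secret. Second, rotating the key breaks joins across rotation periods, so the rotation schedule is a design decision to record, not an afterthought.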
[Roadmap diagram, now adding: DPIA for in-flight projects]
8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances.
A DPIA needs to contain:
• A systematic description and the basis of the processing
• An assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice: think especially of any InfoSec projects (DLP, monitoring).
[Roadmap diagram, now adding: Create and maintain records of processing]
9. Records of processing
Essential for the accountability principle (Article 39). The record must cover:
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of requests or objections
• an explanation of the appropriate security measures
[Roadmap diagram, now adding: Create incident response plans]
10. Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
10. Incident response (Article 37(4))
Notification of a breach to the supervisory authority within 72 hours
Notification to Data Subjects
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (across Business and IT/IS)
Consulting Service: Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service, Phase 2: Implementation and operation
Collect consent; implement a single contact point to support "Individual Right" management
PII inventory; conduct the PII life cycle
Perform DPIA, risk assessment and treatment
Define procedures, work instructions and standard processes according to risk level
Monitor and evaluate the results of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
Data Protection Advisory Service, Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, internal audit
Check and update against the regulations of the DPA Thailand
Cyber security assessment (VA, penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service, Phase 4: Optimize and Improvement
Tune standard processes for full compliance
Improve processes through IT and cyber security enhancement
Look to international standards such as ISO 27001 for a systematic approach and framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Data breach incidents
[Slide: fines from recent data breach cases, shown as £99.2m, £183m and $5bn. Reference: https://www.theguardian.com]
Thailand's Personal Data Protection Act (PDPA)
Personal Data Protection Act B.E. 2562 (2019)
The Gazette of the PDPA
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
PDPA Summary
Personal Information: including sensitive information; identifying directly or indirectly
PDPA's Players: Data Subject, Data Controller & Data Processor; Committee
Legal Basis: consent or other legal exceptions
Applicability: extraterritorial applicability; entities in and outside of Thailand
Penalties: criminal, administrative, civil; 500,000 – 5M Baht and/or imprisonment
Data Subject's Rights: (30) Right to Access; (31) Right to data portability; (32) Right to object; (33) Right to be forgotten; (34) Right to restriction of processing; (35, 36) Right to rectification
Imprisonment
Section 81: In the case where the offender who commits the offense under this Act is a juristic person, and the offense is conducted as a result of the instructions given by, or the act of, any director, manager or person who shall be responsible for such act of the juristic person, or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense, such person shall also be punished with the punishment as prescribed for such offense.
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
Data Controller & Data Processor Responsibilities
Data Controller:
• Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
• Provide an inspection system to detect personal data that has been kept for longer than necessary or is no longer relevant to the purpose
• Inform the Office of the Personal Data Protection Board of any personal data breach within 72 hours
• Prepare and maintain a record of data processing activities
• Appoint a data controller representative and a Data Protection Officer (DPO)
• Respond to data subjects' requests
Data Processor:
• Strictly follow the instructions of the data controller
• Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
• Inform the data controller of any personal data breach that occurs
• Prepare and maintain a record of data processing activities
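The controller's "inspection system to detect personal data kept longer than necessary" in the table above is the same mechanism that drives the cleanup in step 3 of the roadmap (duplicate copies, "just-in-case" backups, records the business no longer needs). As an added example, not from the Fujitsu deck, the following Python pass serves both passages: it fingerprints each record on the data subject and the fields it holds so that copies in different stores are recognised, applies a retention schedule per processing purpose, and flags records with no recorded purpose at all, since without a purpose no retention period can be justified. The stores, purposes, retention periods and records are constructed for the example.

```python
"""Added example (not from the Fujitsu deck): a retention inspection pass
over records gathered from several stores.  Purposes, retention periods and
records are constructed for illustration."""
import hashlib
import json
from datetime import date, timedelta

# Assumed retention schedule per processing purpose, in days.
RETENTION_DAYS = {
    "order_fulfilment": 365 * 2,
    "marketing_consent": 365,
    "job_application": 180,
}

# Constructed sample: the same customer record sits in the CRM and in a
# "just-in-case" spreadsheet export; one HR record has no recorded purpose.
SAMPLE_RECORDS = [
    {"store": "crm", "subject_id": "S1", "purpose": "order_fulfilment",
     "created": date(2017, 6, 1),
     "fields": {"name": "Somchai", "email": "somchai@example.com"}},
    {"store": "export_2018.xlsx", "subject_id": "S1", "purpose": "order_fulfilment",
     "created": date(2018, 1, 15),
     "fields": {"name": "Somchai", "email": "somchai@example.com"}},
    {"store": "crm", "subject_id": "S2", "purpose": "marketing_consent",
     "created": date(2019, 10, 1),
     "fields": {"name": "Malee", "email": "malee@example.com"}},
    {"store": "hr_share", "subject_id": "S3", "purpose": None,
     "created": date(2019, 2, 1),
     "fields": {"name": "Anan", "cv": "attached"}},
]


def fingerprint(record: dict) -> str:
    """Content hash of who the record is about and what it holds, ignoring
    where and when it was stored, so copies in different stores collide."""
    payload = json.dumps({"subject_id": record["subject_id"],
                          "fields": record["fields"]}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def inspect(records, today: date) -> dict:
    """Flag records to act on:
    expired    - kept longer than the retention period of their purpose
    no_purpose - no lawful purpose recorded, so no retention period applies
    duplicates - same content already held in another store (keep the first)
    """
    expired, no_purpose, duplicates = [], [], []
    first_seen = {}
    for rec in records:
        ref = f"{rec['store']}:{rec['subject_id']}"
        fp = fingerprint(rec)
        if fp in first_seen:
            duplicates.append((ref, first_seen[fp]))
        else:
            first_seen[fp] = ref
        purpose = rec.get("purpose")
        if purpose not in RETENTION_DAYS:
            no_purpose.append(ref)
        elif today - rec["created"] > timedelta(days=RETENTION_DAYS[purpose]):
            expired.append(ref)
    return {"expired": expired, "no_purpose": no_purpose, "duplicates": duplicates}


def inspection_report() -> dict:
    """Run the inspection on the constructed sample as of 21 April 2020."""
    return inspect(SAMPLE_RECORDS, date(2020, 4, 21))


if __name__ == "__main__":
    print(json.dumps(inspection_report(), indent=2))
```

The output is a work list, not a deletion: each flagged reference goes back to the business owner named in the records of processing (step 9) to confirm the purpose or approve the erasure, and the pass is rerun on a schedule so that the inspection is a standing control rather than a one-off cleanup.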
Business Impact
Positive Impact
Improved cybersecurity
Standardization of data security & data privacy
Brand safety
Loyal customer following
Negative Impact
Non-compliance penalties
The cost of compliance
Overregulation hampering innovation
Benefits
Personal
Confidence to use the products/services
Reduced personal data violation and privacy infringement
Rights over their own personal data
Ability to file a complaint and claim for damages
Business
Customer loyalty and trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Better decision-making
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions.
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA
1. Teaming up
In most organizations, enterprise architects & the IT department do not have final responsibility for ensuring regulatory compliance.
This responsibility may lie with ...
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap diagram: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework V1.0
https://www.nist.gov/privacy-framework
Cybersecurity and Privacy Risk Relationship
Example: NIST Privacy Framework V1.0
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
13
Data breach incidents
Copyright 2020 Fujitsu (Thailand) Co Ltd
pound992m
pound183m $5bnReference httpswwwtheguardiancom
14
Thailandrsquos Personal Data Protection Act (PDPA)
พระราชบญญตคมครองขอมลสวนบคคล พศ ๒๕๖๒
Copyright 2020 Fujitsu (Thailand) Co Ltd
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1. Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance.
This responsibility may lie with ...
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap diagram: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework V1.0 - Cybersecurity and Privacy Risk Relationship
Example: NIST Privacy Framework V1.0 - Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
[Roadmap diagram: Create governance framework > Where is your data (lanes: Business / IT-IS)]
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data (lanes: Business / IT-IS)]
3. Analyze & data cleanup
Map data flows
Be selective: work from high risk to low risk
Delete all the data you don't need
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand (lanes: Business / IT-IS)]
4. Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of a breach of CIA and R (confidentiality, integrity, availability and resilience) on data subject rights
Third party risks
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand > Work out how to respond to Data Subject requests (lanes: Business / IT-IS)]
5. Understand technically how to respond to ...
... Right to Access (Article 30)
... Right to data portability (Article 31)
... Right to object (Article 32)
... Right to be forgotten (Article 33)
... Right to restriction of processing (Article 34)
... Right to rectification (Articles 35, 36)
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand > Work out how to respond to Data Subject requests > Create risk register > Prioritize risk register (lanes: Business / IT-IS)]
6. Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand > Work out how to respond to Data Subject requests > Create risk register > Prioritize risk register > Risk reduction and remediation (lanes: Business / IT-IS)]
7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand > Work out how to respond to Data Subject requests > Create risk register > Prioritize risk register > Risk reduction and remediation > DPIA for in-flight projects (lanes: Business / IT-IS)]
8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think of any InfoSec projects (DLP, monitoring) especially
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand > Work out how to respond to Data Subject requests > Create risk register > Prioritize risk register > Risk reduction and remediation > DPIA for in-flight projects > Create and maintain records of processing (lanes: Business / IT-IS)]
9. Records of processing
Essential for the accountability principle (Article 39)
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
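The record fields above, together with the controller's duty to detect personal data kept longer than necessary, can be turned into a small register check. As an added example, not code from the deck or from Fujitsu, the Python below keeps the Article 39 fields per data category and inspects discovered data holdings against their retention periods; the controller name, categories, systems and dates are constructed.

```python
"""Records-of-processing register with a retention inspection.

Added example, not code from the webinar deck or from Fujitsu. The record
fields follow the Article 39 list on the slide; controller name, categories,
systems and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingRecord:
    """One register entry; each field maps to an Article 39 item on the slide."""
    category: str             # the collected Personal Data (category name)
    purpose: str              # purpose of collection for this category
    controller: str           # details of the Data Controller
    retention_days: int       # retention period of the Personal Data
    access_method: str        # rights and methods for access
    use_or_disclosure: str    # the use or disclosure
    objection_handling: str   # handling of rejection of request or objection
    security_measures: tuple  # explanation of the appropriate security measures


@dataclass(frozen=True)
class Holding:
    """A concrete store of personal data found by data discovery (deck step 2)."""
    category: str
    system: str
    collected_on: date


# Constructed sample register for a hypothetical controller.
REGISTER = {
    "customer-contact": ProcessingRecord(
        category="customer-contact",
        purpose="order fulfilment and customer support",
        controller="Example Retail Co., Ltd. (constructed)",
        retention_days=730,
        access_method="self-service portal or written request to the DPO",
        use_or_disclosure="shared with the delivery partner for shipping only",
        objection_handling="objections logged and reviewed by the DPO",
        security_measures=("encryption at rest", "role-based access control"),
    ),
    "job-applicants": ProcessingRecord(
        category="job-applicants",
        purpose="recruitment",
        controller="Example Retail Co., Ltd. (constructed)",
        retention_days=180,
        access_method="written request to HR",
        use_or_disclosure="internal HR use only",
        objection_handling="objection stops processing; file deleted",
        security_measures=("pseudonymized applicant IDs", "HR-only file share"),
    ),
}

# Constructed holdings; the last one has no register entry at all.
HOLDINGS = [
    Holding("customer-contact", "crm-prod", date(2019, 1, 10)),
    Holding("customer-contact", "crm-export-2018", date(2018, 3, 1)),
    Holding("job-applicants", "hr-share", date(2019, 11, 20)),
    Holding("marketing-leads", "spreadsheet", date(2019, 6, 1)),
]


def _is_missing(value):
    """A blank string, empty tuple or non-positive retention period is missing."""
    if isinstance(value, int):
        return value <= 0
    return not value


def register_gaps(register):
    """Map each category to the Article 39 fields left blank in its record."""
    gaps = {}
    for name, record in register.items():
        missing = [f for f, v in vars(record).items() if _is_missing(v)]
        if missing:
            gaps[name] = missing
    return gaps


def inspect_retention(register, holdings, today):
    """Flag holdings kept past their retention period or absent from the register.

    Returns (system, category, finding, days_overdue); days_overdue is 0 for
    "unregistered" because there is no retention period to measure against.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for holding in holdings:
        record = register.get(holding.category)
        if record is None:
            findings.append((holding.system, holding.category, "unregistered", 0))
            continue
        expiry = holding.collected_on + timedelta(days=record.retention_days)
        if today > expiry:
            findings.append((holding.system, holding.category, "over-retained",
                             (today - expiry).days))
    return findings
```

Run against the webinar date (2020-04-28) the 2018 CRM export is flagged as 59 days over its two-year retention and the marketing spreadsheet as having no register entry, which is exactly the gap the deck's "delete unwanted data" and "records of processing" steps are meant to close.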
[Roadmap diagram: Create governance framework > Where is your data > Check all processing is fair, lawful and allowed > Update policies and comms to data subjects > Appoint Data Protection Officer > Delete unwanted data > Risk Assessment > Processing outside Thailand > Work out how to respond to Data Subject requests > Create risk register > Prioritize risk register > Risk reduction and remediation > DPIA for in-flight projects > Create and maintain records of processing > Create incident response plans (lanes: Business / IT-IS)]
10. Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
10. Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to Data Subjects
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (lanes: Business / IT-IS)
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and Objectives; define framework for protecting PII
Increase employee awareness by training and communication scheme
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Right" management
PII Inventory; conduct PII Life Cycle
Perform DPIA: Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure to report major incidents (with resolution plan) to the DPA within 72 hrs
Data Protection Advisory Service
Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, Internal audit
Check and update on regulations of the DPA Thailand
Cyber security assessment (VA, Penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tuning standard process for full compliance
Improve process by IT and Cyber Security enhancement
Look to international standards such as ISO 27001 for a systematic approach framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Thailand's Personal Data Protection Act (PDPA)
Personal Data Protection Act B.E. 2562 (2019)
The gazette of PDPA
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
PDPA Summary
Personal Information: including sensitive information
- Directly
- Indirectly
PDPA's Players: Data Subject, Data Controller & Data Processor, Committee
Legal Basis: Consent or Other Legal Exceptions
Applicability: Extraterritorial Applicability (Entities in and outside of Thailand)
Penalties:
- Criminal
- Administrative
- Civil
500,000 - 5M Baht and/or Imprisonment
Data Subject's Rights:
(30) Right to Access
(31) Right to data portability
(32) Right to object
(33) Right to be forgotten
(34) Right to restriction of processing
(35, 36) Right to rectification
Imprisonment
Section 81: In the case where the offender who commits the offense under this Act is a juristic person, and the offense is conducted as a result of the instructions given by, or the act of, any director, manager or person who shall be responsible for such act of the juristic person, or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense, such person shall also be punished with the punishment as prescribed for such offense.
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
Data Controller & Data Processor Responsibilities
Data Controller:
- Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
- Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
- Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
- Prepare and maintain a list of the data processing activities
- Appoint a data controller representative and a Data Protection Officer (DPO)
- Respond to data owners' requests
Data Processor:
- Strictly follow the instructions of the data controller
- Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data
- Inform the data controller of any violation of the personal data that occurs
- Prepare and maintain a list of the data processing activities
Business Impact
Positive Impact
Improved Cybersecurity
Standardization of Data Security & Data Privacy
Brand Safety
Loyal Customer Following
Negative Impact
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
Benefits
Personal: confidence to use the products/services
Reduced personal data violation and privacy infringement
Have the rights over their own personal data
File a complaint and claim for damages
Business
Customer Loyalty and Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
15
The gazette of PDPA
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
16
PDPA Summary
Copyright 2020 Fujitsu (Thailand) Co Ltd
Personal Information
Including sensitive information
- Directly- Indirectly
PDPArsquos Players
Data Subject Data Controller amp Data Processor
Committee
Legal Basis
Consent or Other Legal Exceptions
Applicability
Extraterritorial Applicability
Entities in and outside of Thailand
Penalties
- Criminal- Administrative- Civil
500000 ndash 5M Bahtandor
Imprisonment
Data Subjectrsquos Right
(30) Right to Access (31) Right to data portability
(32) Right to object (33) Right to be forgotten
(34) Right to restriction of processing
(35 36) Right to rectification
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happened after GDPR enforcement
26
What happened after GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent said GDPR implementation took longer than they expected
45 percent said they had experienced an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
28
Conclusion
29
Conclusion
This law was issued to protect personal information, both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law
30
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
32
Terms of data processing
Data Processing
The collective set of data actions
Data Action
A data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal
https://www.nist.gov/privacy-framework
33
10 Steps to Preparing for PDPA
34
1 Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with…
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35
[Roadmap diagram (Business and IT/IS lanes): Create governance framework]
36
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
37
Example: NIST Privacy Framework v1.0
https://www.nist.gov/privacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example: NIST Privacy Framework v1.0
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
39
[Roadmap diagram: Create governance framework → Where is your data?]
40
2 Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
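The privacy inventory step above calls for data discovery: finding out what personal data is stored, where, and how it should be classified. The scanner below is an added example written for this page, not Fujitsu's tooling and not part of the original webinar. It runs three regex detectors (Thai national ID, e-mail address, Thai mobile number) over constructed sample files, validates each candidate national ID with the official mod-11 check digit so that random 13-digit references such as invoice numbers are not counted, flags a few health and religion keywords as sensitive personal data under PDPA Section 26, and reports counts per source with matched values masked. The sample files, the detector names, the keyword list and the category labels are assumptions for illustration.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str    # file or table the match came from
    category: str  # inventory classification
    kind: str      # detector that fired
    value: str     # matched text, already masked


def thai_id_checksum_ok(digits: str) -> bool:
    """Check the 13-digit Thai national ID: digits 1..12 are weighted 13..2,
    and the check digit is (11 - weighted sum mod 11) mod 10."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


# Detector name -> (pattern, inventory category). Patterns are illustrative, not exhaustive.
DETECTORS = {
    "thai_national_id": (re.compile(r"(?<!\d)\d(?:[ -]?\d){12}(?!\d)"), "direct identifier"),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "direct identifier"),
    "thai_mobile": (re.compile(r"(?<!\d)0[689]\d[ -]?\d{3}[ -]?\d{4}(?!\d)"), "direct identifier"),
}
# Crude keyword hints for PDPA Section 26 categories; a real scanner would use a classifier.
SENSITIVE_TERMS = re.compile(r"\b(blood type|hiv|diagnosis|religion|criminal record)\b", re.IGNORECASE)
SENSITIVE_CATEGORY = "sensitive personal data (Section 26)"


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself does not become a PII store."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(source: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for kind, (pattern, category) in DETECTORS.items():
        for match in pattern.finditer(text):
            raw = match.group(0)
            if kind == "thai_national_id" and not thai_id_checksum_ok(re.sub(r"\D", "", raw)):
                continue  # 13 digits that fail the checksum are references, not people
            findings.append(Finding(source, category, kind, mask(raw)))
    for match in SENSITIVE_TERMS.finditer(text):
        findings.append(Finding(source, SENSITIVE_CATEGORY, "keyword", match.group(0)))
    return findings


def inventory(files: dict[str, str]) -> dict[str, Counter]:
    """Per-source counts by category: the raw material for the privacy inventory."""
    return {source: Counter(f.category for f in scan_text(source, text))
            for source, text in files.items()}


# Constructed sample data for the example; the people, numbers and files are fictitious.
SAMPLE_FILES = {
    "hr/employees.csv": "name,id,email,phone\nSomchai,1101700230457,somchai@example.co.th,081-234-5678\n",
    "finance/invoices.txt": "Invoice ref 1101700230458 paid\n",  # same 13 digits, wrong check digit
    "clinic/notes.txt": "Patient blood type O; contact 089 555 1234\n",
}

if __name__ == "__main__":
    for source, counts in inventory(SAMPLE_FILES).items():
        print(source, dict(counts))
```

The checksum step is what keeps the inventory honest: without it every 13-digit reference in finance data would be counted as a person. In a real run the scanner is pointed at file shares, database dumps and mailboxes, and the per-source counts feed the "what do you store, how old is it, how much is there" questions on the slide.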
41
[Roadmap diagram: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and comms to data subjects → Appoint Data Protection Officer → Delete unwanted data]
42
3 Analyze & data cleanup
Map data flows
Be selective: work from high risk to low risk
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
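The data cleanup step above, and the controller duty listed earlier to run an inspection system that detects personal data kept longer than necessary or no longer relevant to its purpose, both come down to a periodic retention sweep. The code below is an added example for this page (not Fujitsu's product and not from the original webinar) showing one such sweep over constructed sample records: it deletes duplicate copies of a record the system of record already holds, records whose purpose is not in the processing register, consent-based records where consent has been withdrawn, and records that have outlived their retention period; everything else is kept, with the days remaining reported for the inspection log. The retention periods, purposes, legal-basis labels, record fields and the sweep date are assumptions for illustration, not figures from the Act.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention policy: purpose -> days the data may be kept after collection.
# The periods are illustrative; in practice they come from the records of processing.
RETENTION_DAYS = {
    "payroll": 365 * 7,
    "recruitment": 180,
    "marketing": 365 * 2,
}

AS_OF = date(2020, 4, 28)  # assumed sweep date for the example


@dataclass(frozen=True)
class Record:
    record_id: str
    data_subject: str   # pseudonymous subject reference
    purpose: str
    legal_basis: str    # e.g. "consent", "contract", "legal_obligation"
    collected_at: date
    location: str       # system or path holding this copy
    consent_withdrawn: bool = False


@dataclass(frozen=True)
class Action:
    record_id: str
    action: str   # "delete" or "keep"
    reason: str


def days_remaining(r: Record, as_of: date) -> Optional[int]:
    """Days until this copy outlives its purpose (negative if overdue, None if no purpose)."""
    limit = RETENTION_DAYS.get(r.purpose)
    if limit is None:
        return None
    return (r.collected_at + timedelta(days=limit) - as_of).days


def retention_sweep(records: list[Record], as_of: date) -> list[Action]:
    """Flag copies that no longer serve a documented purpose, or have outlived it.
    Records are processed in order, so list the system of record before any backups."""
    actions: list[Action] = []
    seen: set[tuple[str, str]] = set()
    for r in records:
        key = (r.data_subject, r.purpose)
        limit = RETENTION_DAYS.get(r.purpose)
        if key in seen:
            actions.append(Action(r.record_id, "delete", f"duplicate copy in {r.location}"))
        elif limit is None:
            actions.append(Action(r.record_id, "delete",
                                  f"purpose '{r.purpose}' is not in the processing register"))
        elif r.legal_basis == "consent" and r.consent_withdrawn:
            actions.append(Action(r.record_id, "delete",
                                  "consent withdrawn and no other legal basis recorded"))
        elif r.collected_at + timedelta(days=limit) < as_of:
            actions.append(Action(r.record_id, "delete", f"retention period of {limit} days exceeded"))
        else:
            actions.append(Action(r.record_id, "keep",
                                  f"within purpose; {days_remaining(r, as_of)} days remaining"))
        seen.add(key)
    return actions


def sweep_summary(actions: list[Action]) -> dict[str, str]:
    return {a.record_id: a.action for a in actions}


# Constructed sample records; subjects, dates and locations are fictitious.
SAMPLE_RECORDS = [
    Record("R1", "subj-001", "payroll", "legal_obligation", date(2010, 1, 15), "hr-db"),
    Record("R2", "subj-002", "recruitment", "consent", date(2020, 2, 1), "ats"),
    Record("R3", "subj-003", "marketing", "consent", date(2019, 6, 1), "crm", consent_withdrawn=True),
    Record("R4", "subj-004", "legacy_crm_export", "consent", date(2018, 3, 3), "fileshare/old"),
    Record("R5", "subj-002", "recruitment", "consent", date(2020, 2, 1), "fileshare/just-in-case-backup"),
]

if __name__ == "__main__":
    for a in retention_sweep(SAMPLE_RECORDS, as_of=AS_OF):
        print(a.record_id, a.action, "-", a.reason)
```

The sweep only produces a worklist; actual deletion should go through the same change process as any other destructive operation, and the worklist itself is evidence for the records of processing. Note that the duplicate check is by (subject, purpose), so the same data held for a different, registered purpose is not treated as a duplicate.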
43
[Roadmap diagram: steps so far, plus Risk assessment → Processing outside Thailand]
44
4 Risk Assessment
Privacy risk assessment
Conduct a security risk assessment
• Effects of a breach of CIA and R (confidentiality, integrity, availability and resilience) on data subject rights
Third party risks
45
[Roadmap diagram: steps so far, plus Work out how to respond to data subject requests]
46
5 Understand technically how to respond to…
… Right to access (Section 30)
… Right to data portability (Section 31)
… Right to object (Section 32)
… Right to be forgotten (Section 33)
… Right to restriction of processing (Section 34)
… Right to rectification (Sections 35, 36)
47
[Roadmap diagram: steps so far, plus Create risk register → Prioritize risk register]
48
6 Prioritize risks
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49
[Roadmap diagram: steps so far, plus Risk reduction and remediation]
50
7 Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
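Step 7 above lists pseudonymization, access control and separate security zones as remediation options, and step 5 asks how the right to access and the right to be forgotten are handled technically. The following is an added example written for this page (not Fujitsu's solution and not from the original webinar) that ties those together in one small design: each record is split into a restricted vault holding the direct identifiers and an analytics zone holding everything else under a random token; roles get least-privilege views (analysts see only pseudonymous data, support sees masked contact details, the DPO sees the full record); a Section 30 access request is answered by joining the two zones through the vault; and a Section 33 erasure deletes the vault entry, after which the analytics row can no longer be linked to anyone. The record fields, role names and sample person are assumptions; encryption at rest and the access controls around the vault are assumed to exist outside the example.

```python
from __future__ import annotations

import secrets
from typing import Optional

DIRECT_IDENTIFIERS = ("national_id", "email", "phone")  # fields that name a person directly


def mask(value: str) -> str:
    """Show only the last four characters: enough to confirm a contact, not to reuse it."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


class PseudonymStore:
    """Splits each record into a restricted vault (direct identifiers) and an analytics
    zone (everything else, keyed by a random token). Only the vault links the two."""

    def __init__(self) -> None:
        self.vault: dict[str, dict] = {}      # national_id -> {"token", identifiers}; restricted zone
        self.analytics: dict[str, dict] = {}  # token -> non-identifying attributes; analytics zone

    def ingest(self, record: dict) -> str:
        nid = record["national_id"]
        if nid not in self.vault:
            # A random token rather than a hash of the ID: nothing about the person can be
            # recomputed from it, so deleting the vault entry really does unlink the row.
            self.vault[nid] = {"token": secrets.token_hex(8),
                               **{k: record[k] for k in DIRECT_IDENTIFIERS}}
        token = self.vault[nid]["token"]
        self.analytics[token] = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return token

    def _identifiers_for(self, token: str) -> dict:
        for entry in self.vault.values():
            if entry["token"] == token:
                return {k: entry[k] for k in DIRECT_IDENTIFIERS}
        return {}

    def is_linkable(self, token: str) -> bool:
        """True while some vault entry still ties this token to a person."""
        return bool(self._identifiers_for(token))

    def view(self, token: str, role: str) -> Optional[dict]:
        """Least privilege: each role gets only the fields its job needs."""
        if token not in self.analytics:
            return None
        base = dict(self.analytics[token], token=token)
        if role == "analyst":            # pseudonymous data only
            return base
        ident = self._identifiers_for(token)
        if role == "support":            # masked contact details, never the national ID
            return dict(base, email=mask(ident.get("email", "")), phone=mask(ident.get("phone", "")))
        if role == "dpo":                # full record, for handling rights requests
            return dict(base, **ident)
        raise PermissionError(f"no view defined for role {role!r}")

    def access_request(self, national_id: str) -> Optional[dict]:
        """Right to access (Section 30): everything held about the person, joined via the vault."""
        entry = self.vault.get(national_id)
        if entry is None:
            return None
        return dict(self.analytics.get(entry["token"], {}),
                    **{k: entry[k] for k in DIRECT_IDENTIFIERS})

    def erase(self, national_id: str) -> bool:
        """Right to be forgotten (Section 33): remove the vault entry. The analytics row stays
        for aggregate use but can no longer be tied to anyone."""
        return self.vault.pop(national_id, None) is not None


# Constructed sample record; the person and values are fictitious.
SAMPLE_RECORD = {"national_id": "1101700230457", "email": "somchai@example.co.th",
                 "phone": "081-234-5678", "plan": "gold", "city": "Bangkok"}

if __name__ == "__main__":
    store = PseudonymStore()
    tok = store.ingest(SAMPLE_RECORD)
    for role in ("analyst", "support", "dpo"):
        print(role, store.view(tok, role))
    store.erase(SAMPLE_RECORD["national_id"])
    print("linkable after erasure:", store.is_linkable(tok))
```

Two caveats a practitioner would check before relying on this. First, erasure only anonymizes the analytics row if the remaining attributes cannot single a person out on their own; a combination such as city, plan and date of birth may still identify someone, and those fields belong in the vault too. Second, a keyed hash (HMAC) is a common alternative to a random token and allows joins across systems, but then the token stays re-computable for as long as the key exists, so erasure also requires key destruction or rotation.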
51
[Roadmap diagram: steps so far, plus DPIA for in-flight projects]
52
8 DPIA for in-flight projects
DPIAs are required for 'high-risk' processing and in specified circumstances
Needs to contain:
• Systematic description and basis of the processing
• Assessment of necessity and proportionality
• Risks to data subjects
• Risk reduction
Good practice
Think especially of any InfoSec projects (DLP, monitoring)
53
[Roadmap diagram: steps so far, plus Create and maintain records of processing]
54
9 Records of processing
Essential for the accountability principle (Section 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55
[Roadmap diagram: steps so far, plus Create incident response plans]
56
10 Incident response
What's a personal data breach?
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (definition taken from GDPR Article 4(12))
57
10 Incident response (Section 37 (4))
Notification of a breach to the supervisory authority within 72 hours of becoming aware of it
Notification to data subjects
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
59
Consulting Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring and measuring
Phase 4: Optimize and improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
Phase 1: Establishment
• Top management commitment
• Appoint a data privacy committee
• Appoint a Data Protection Officer (DPO)
• Consent manager / working group
• Establish the data privacy policy and objectives; define the framework for protecting PII
• Increase employee awareness through training and a communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
• Collect consent; implement a single contact point for supporting "individual rights" management
• PII inventory; conduct a PII life-cycle analysis
• Perform DPIA, risk assessment and risk treatment
• Define procedures, work instructions and standard processes according to risk level
• Monitor and evaluate the results of the risk treatment plan
• Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
Phase 3: Monitoring and measuring
• Monitoring by measurement
• Process audit, internal audit
• Check for and apply regulatory updates from the Thai DPA
• Cyber security assessment (VA, penetration test)
• Regularly evaluate feedback from individuals
• Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and improvement
• Tune standard processes for full compliance
• Improve processes through IT and cyber security enhancement
• Look to international standards such as ISO 27001 for a systematic framework approach
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
16
PDPA Summary
Personal Information: including sensitive information; identifying a person directly or indirectly
PDPA's Players: Data Subject, Data Controller & Data Processor, Committee
Legal Basis: consent or other legal exceptions
Applicability: extraterritorial applicability; entities in and outside of Thailand
Penalties: criminal, administrative and civil; 500,000 – 5M Baht and/or imprisonment
Data Subject's Rights: (30) Right to access; (31) Right to data portability; (32) Right to object; (33) Right to be forgotten; (34) Right to restriction of processing; (35, 36) Right to rectification
17
Imprisonment
Section 81. In the case where the offender who commits an offence under this Act is a juristic person, and the offence is committed as a result of an instruction given by, or an act of, any director, manager or person responsible for such act of the juristic person, or where such person has a duty to instruct or perform an act but omits to instruct or perform it, so that the juristic person commits the offence, that person shall also be punished with the punishment prescribed for that offence.
Reference: http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
17
Imprisonment
Copyright 2020 Fujitsu (Thailand) Co Ltd
มาตรา ๘๑ ในกรณทผกระท าความผดตามพระราชบญญตนเปนนตบคคล ถาการกระท าความผดของนตบคคลนนเกดจากการสงการหรอการกระท าของกรรมการหรอผจดการ หรอบคคลใด ซงรบผดชอบในการด าเนนงานของนตบคคลนน หรอในกรณทบคคลดงกลาวมหนาทตองสงการหรอกระท าการและละเวนไมสงการหรอไมกระท าการจนเปนเหตใหนตบคคลนนกระท าความผด ผนนตองรบโทษ ตามทบญญตไวส าหรบความผดนน ๆ ดวย
Section 81 In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director manager or person who shall be responsible for such act of the juristic person or in the case where such person has a duty to instruct or perform any act but omits to instruct or perform such act until the juristic person commits such offense such person shall also be punished with the punishment as prescribed for such offense
Reference httpwwwratchakitchasocgothDATAPDF2562A069T_0052PDF
18
Data Controller & Data Processor Responsibilities
Data Controller:
• Provide appropriate security measures to prevent the unauthorized or unlawful loss, access, use, alteration, correction or disclosure of personal data
• Provide an inspection system to detect personal data that has been kept for longer than necessary or is no longer relevant to the purpose for which it was collected, so that it can be erased or destroyed
• Notify the Office of the Personal Data Protection Committee of a personal data breach without delay and, where feasible, within 72 hours of becoming aware of it
• Prepare and maintain a record of the data processing activities
• Appoint a representative in Thailand (for controllers established outside the country) and a Data Protection Officer (DPO) where required
• Respond to data subjects' requests
Data Processor:
• Act only on the instructions of the data controller
• Provide appropriate security measures to prevent the unauthorized or unlawful loss, access, use, alteration, correction or disclosure of personal data
• Notify the data controller of any personal data breach that occurs
• Prepare and maintain a record of the data processing activities
19
Business Impact
20
Positive Impact
Improved Cybersecurity
Standardization of Data Security & Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
23
Personal
• Confidence in using products and services
• Fewer personal data violations and privacy infringements
• Rights over their own personal data
• The ability to file a complaint and claim damages
24
Business
• Customer loyalty and trust
• Better data security
• Reduced maintenance costs
• Better alignment with evolving technology
• Better-informed decision-making
25
What happened after GDPR enforcement
26
What happened after GDPR enforcement
• 18 percent of respondents said they had a high degree of confidence in their ability to report a data breach to the correct EU regulators within 72 hours of becoming aware of it
• 54 percent said GDPR implementation took longer than they expected
• 45 percent said they had experienced an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
28
Conclusion
29
Conclusion
• This law was issued to protect personal data in both IT and non-IT form
• Any organization that ignores or fails to comply with this law is liable to be punished under it
• Every organization that collects, uses, processes, transfers or discloses personal data must comply with this law
30
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
32
Terms: data processing
Data Processing: the collective set of data actions
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal
Reference: https://www.nist.gov/privacy-framework
33
10 Steps to Preparing for PDPA
34
1. Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance. This responsibility may lie with:
• Legal department
• Risk Management
• Compliance
• Information Security
• Data Protection Officer
• HR, Marketing, etc.
35
Roadmap figure: Create governance framework
36
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA): https://www.etda.or.th/content/personal-data-protection-by-etda
37
Example: NIST Privacy Framework v1.0
https://www.nist.gov/privacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example: NIST Privacy Framework v1.0
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
39
Roadmap figure: Create governance framework → Where is your data? (tracks: Business, IT/IS)
40
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
Which third parties receive it?
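The data discovery step above, as an added worked example that is not part of the Fujitsu deck: a small scanner that runs over constructed sample records (standing in for rows pulled from a file share or database), flags Thai national ID numbers, e-mail addresses and Thai mobile numbers, validates the 13-digit ID against its check digit so that arbitrary 13-digit numbers such as purchase-order numbers are not counted, masks what it found so the inventory does not itself become a new store of personal data, and rolls the results up into a per-system classification. The record layout, system names and sample values are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records for the example; none of these values belong to a real person.
# Each record is one field value found during discovery, tagged with the system it came from.
SAMPLE_RECORDS = [
    {"system": "crm", "field": "notes", "value": "Customer ID card 1234567890121, call 081-234-5678"},
    {"system": "hr", "field": "email", "value": "somchai.j@example.co.th"},
    {"system": "erp", "field": "remarks", "value": "PO 1234567890123 approved"},  # 13 digits, not an ID
    {"system": "logs", "field": "msg", "value": "login ok user=4321"},
]

# Detection patterns; the national-ID pattern is deliberately loose and is tightened by the checksum.
PATTERNS = {
    "national_id": re.compile(r"\b\d{13}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "mobile_th": re.compile(r"\b0[689]\d-?\d{3}-?\d{4}\b"),
}


@dataclass(frozen=True)
class Finding:
    system: str
    field: str
    category: str   # personal-data category used for classification
    sample: str     # matched value, masked before it leaves the scanner


def thai_id_checksum_ok(digits: str) -> bool:
    """Validate the check digit of a 13-digit Thai national ID (weights 13..2, mod 11)."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:12], range(13, 1, -1)))
    return (11 - total % 11) % 10 == int(digits[12])


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory itself holds no usable identifier."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_record(record: dict) -> list[Finding]:
    """Return one Finding per personal-data match in a single record's value."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(record["value"]):
            token = match.group(0)
            if category == "national_id" and not thai_id_checksum_ok(token):
                continue  # 13 digits that fail the check digit: PO numbers, barcodes, etc.
            findings.append(Finding(record["system"], record["field"], category, mask(token)))
    return findings


def build_inventory(records) -> dict[str, set[str]]:
    """Map each system to the set of personal-data categories discovered in it."""
    inventory: dict[str, set[str]] = {}
    for rec in records:
        for finding in scan_record(rec):
            inventory.setdefault(finding.system, set()).add(finding.category)
    return inventory


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for f in scan_record(rec):
            print(f"{f.system}.{f.field}: {f.category} -> {f.sample}")
    print(build_inventory(SAMPLE_RECORDS))
```

Point the scanner at exports from each system in turn and the inventory answers the slide's "where is your data" and "what third parties" questions with evidence rather than interviews; the checksum step is what keeps the false-positive rate low enough for the results to be acted on.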
41
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data (tracks: Business, IT/IS)
42
3. Analyze & data cleanup
Map data flows
Be selective: work from high risk to low risk
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
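An added example (not from the original slides) that ties this cleanup step to the controller's duty to operate an inspection system for data kept longer than necessary: it triages constructed records against per-purpose retention periods and reports subjects held under the same purpose in more than one system as duplicate copies. The retention periods, purposes, system names and records are assumptions made for the example. Records with no retention rule are routed to a review bucket rather than being deleted or kept silently, since a retention decision nobody has made is itself a finding.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods per processing purpose, in days, as the business would state them in its
# records of processing. Hypothetical values chosen for the example.
RETENTION_DAYS = {
    "contract": 3650,     # life of the contract plus the statutory limitation period
    "marketing": 365,     # consent-based, reviewed yearly
    "recruitment": 180,   # unsuccessful applicants
}


@dataclass(frozen=True)
class Record:
    record_id: str
    system: str
    purpose: str
    subject_key: str      # pseudonymous key for the data subject, not the raw identifier
    last_activity: date   # last date the record was needed for its purpose


# Constructed sample records for the example.
SAMPLE_RECORDS = [
    Record("r1", "crm", "marketing", "S1", date(2019, 1, 10)),
    Record("r2", "crm", "contract", "S1", date(2019, 1, 10)),
    Record("r3", "hr", "recruitment", "S2", date(2019, 12, 1)),
    Record("r4", "backup", "marketing", "S1", date(2019, 1, 10)),   # copy of r1 in another system
    Record("r5", "legacy", "unknown", "S3", date(2015, 5, 5)),      # purpose with no retention rule
]


def triage(records, today: date) -> tuple[list[str], list[str], list[str]]:
    """Split records into expired (delete), review (no retention rule) and keep."""
    expired, review, keep = [], [], []
    for r in records:
        limit = RETENTION_DAYS.get(r.purpose)
        if limit is None:
            review.append(r.record_id)    # never auto-delete what you cannot justify either way
        elif today - r.last_activity > timedelta(days=limit):
            expired.append(r.record_id)
        else:
            keep.append(r.record_id)
    return expired, review, keep


def duplicate_copies(records) -> dict[tuple[str, str], set[str]]:
    """Subjects held for the same purpose in more than one system: candidates for consolidation."""
    systems_by_key: dict[tuple[str, str], set[str]] = {}
    for r in records:
        systems_by_key.setdefault((r.subject_key, r.purpose), set()).add(r.system)
    return {k: s for k, s in systems_by_key.items() if len(s) > 1}


if __name__ == "__main__":
    expired, review, keep = triage(SAMPLE_RECORDS, date(2020, 4, 28))
    print("delete:", expired)        # ['r1', 'r4']
    print("needs decision:", review)  # ['r5']
    print("keep:", keep)             # ['r2', 'r3']
    print("duplicates:", duplicate_copies(SAMPLE_RECORDS))
```

Run on a schedule, the expired list is the input to the deletion job and the review list is the agenda for the data owners; the duplicate report is what turns "just-in-case" copies from a vague worry into a concrete list.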
43
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand (tracks: Business, IT/IS)
44
4. Risk assessment
Privacy risk assessment
Conduct a security risk assessment
• Effects of a breach of confidentiality, integrity, availability and resilience (CIA and R) on data subjects' rights
Third-party risks
45
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand → Work out how to respond to data subject requests (tracks: Business, IT/IS)
46
5. Understand technically how to respond to ...
... Right of access (Section 30)
... Right to data portability (Section 31)
... Right to object (Section 32)
... Right to be forgotten / erasure (Section 33)
... Right to restriction of processing (Section 34)
... Right to rectification (Sections 35, 36)
47
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand → Work out how to respond to data subject requests → Create risk register → Prioritize risk register (tracks: Business, IT/IS)
48
6. Prioritize risks
List risks to data subjects (prioritized)
List regulatory risks (prioritized)
49
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand → Work out how to respond to data subject requests → Create risk register → Prioritize risk register → Risk reduction and remediation (tracks: Business, IT/IS)
50
7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on the risk to data subjects?
• Will you create different security zones?
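Pseudonymization is the first confidentiality control listed above, and the way it is usually done wrong is instructive, so here is an added example (not code from the deck or from Fujitsu). A national ID number has far too little entropy for an unkeyed hash to hide it: an attacker who knows the format simply hashes every candidate and compares. A keyed pseudonym (HMAC-SHA256 under a secret key kept apart from the data, for example in a KMS) yields the same stable token for joins and analytics but cannot be reversed by enumeration. The target ID, the candidate space (an attacker who already knows all but the last three digits) and the in-memory key are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example data: the identifier to protect and the candidate space an attacker
# would enumerate. Here only the last three digits are unknown, so the space is 1,000 values.
TARGET_ID = "1234567890121"
CANDIDATES = [f"1234567890{n:03d}" for n in range(1000)]

# Pseudonymization key. In production it lives in a KMS or HSM, separate from the
# pseudonymized data, and is never stored alongside the database it protects.
KEY = secrets.token_bytes(32)


def plain_hash(national_id: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier looks anonymous but is not."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def pseudonym(national_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for joins, unlinkable without the key."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates, hasher) -> str | None:
    """Re-hash every candidate and compare; this is all an attacker needs against plain_hash."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), target):
            return candidate
    return None


def demo() -> tuple[str | None, str | None]:
    """Run the same attack against an unkeyed hash and against a keyed pseudonym of TARGET_ID."""
    recovered_from_hash = dictionary_attack(plain_hash(TARGET_ID), CANDIDATES, plain_hash)
    recovered_from_pseudonym = dictionary_attack(pseudonym(TARGET_ID, KEY), CANDIDATES, plain_hash)
    return recovered_from_hash, recovered_from_pseudonym


if __name__ == "__main__":
    print(demo())  # ('1234567890121', None)
```

Destroying the key turns every pseudonym into an irreversible token, which is one practical way to honor an erasure request across derived datasets; rotating the key breaks joins between data pseudonymized under the old and the new key, so plan rotation with that in mind. Encryption, the slide's second control, is the right choice where the original value must be recoverable, and the same key-separation rule applies to it.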
51
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand → Work out how to respond to data subject requests → Create risk register → Prioritize risk register → Risk reduction and remediation → DPIA for in-flight projects (tracks: Business, IT/IS)
52
8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
A DPIA needs to contain:
• A systematic description of the processing and its legal basis
• An assessment of necessity and proportionality
• The risks to data subjects
• The measures that reduce those risks
Good practice: pay particular attention to InfoSec projects (DLP, monitoring), since they process personal data themselves
53
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand → Work out how to respond to data subject requests → Create risk register → Prioritize risk register → Risk reduction and remediation → DPIA for in-flight projects → Create and maintain records of processing (tracks: Business, IT/IS)
54
9. Records of processing
Essential for the accountability principle (Section 39). The record must cover:
• the collected personal data
• the purpose of collection for each category of personal data
• details of the data controller
• the retention period of the personal data
• rights and methods of access to the personal data
• the use or disclosure of the personal data
• rejections of requests or objections
• an explanation of the appropriate security measures
55
Roadmap figure: Create governance framework → Where is your data? → Check all processing is fair, lawful and allowed → Update policies and communications to data subjects → Appoint Data Protection Officer → Delete unwanted data → Risk assessment → Processing outside Thailand → Work out how to respond to data subject requests → Create risk register → Prioritize risk register → Risk reduction and remediation → DPIA for in-flight projects → Create and maintain records of processing → Create incident response plans (tracks: Business, IT/IS)
56
10. Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
57
10. Incident response (Section 37(4))
Notification of a breach to the supervisory authority (Office of the Personal Data Protection Committee) without delay and, where feasible, within 72 hours of becoming aware of it
Notification to the data subjects where the breach is likely to result in a high risk to their rights and freedoms
Plan, and test the plan
Make sure Legal is involved (they will want to handle the notification)
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (tracks: Business, IT/IS)
59
Consulting Service
Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring and measuring
Phase 4: Optimization and improvement
60
Data Protection Advisory Service
Phase 1: Establishment
• Top management commitment
• Appoint a data privacy committee
• Appoint a Data Protection Officer (DPO), a consent manager and a working group
• Establish the data privacy policy and objectives; define the framework for protecting PII
• Increase employee awareness through a training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
• Collect consent; implement a single point of contact for handling individual-rights requests
• Build the PII inventory and map the PII life cycle
• Perform DPIA, risk assessment and risk treatment
• Define procedures, work instructions and standard processes according to risk level
• Monitor and evaluate the results of the risk treatment plan
• Ensure major incidents are reported (with a resolution plan) to the data protection authority within 72 hours
62
Data Protection Advisory Service
Phase 3: Monitoring and measuring
• Monitoring by measurement
• Process audits and internal audits
• Check for and track updated regulations from Thailand's data protection authority
• Cybersecurity assessment (vulnerability assessment, penetration test)
• Regularly evaluate feedback from individuals
• Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimization and improvement
• Tune standard processes for full compliance
• Improve processes through IT and cybersecurity enhancements
• Look to international standards such as ISO 27001 for a systematic framework
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy, processes and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
18
Data Controller amp Data Processor Responsibilities
Copyright 2020 Fujitsu (Thailand) Co Ltd
Data Controller Data Processor
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective
Inform the Office of the Personal Data Protection Board of any violation of the personal data within 72 hours
Prepare and maintain a list of the data processing activities
Appoint data controller representative and Data Protection Officer (DPO)
Respond to data ownerrsquos requests
Strictly follow the instructions of the data controller
Provide appropriate security measures to prevent loss access use change correction or disclosure of personal data
Inform the data controller of any violation of the personal data that occurs
Prepare and maintain a list of the data processing activities
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
19
Business Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Terms of data processing
Data Processing: the collective set of data actions
Data Action: a data life cycle operation including, but not limited to, collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal
https://www.nist.gov/privacy-framework
33
10 Steps to Preparing for PDPA
34
1 Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with ...
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
35
[Roadmap figure: Create governance framework]
36
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
37
Example: NIST Privacy Framework V1.0
Cybersecurity and Privacy Risk Relationship
https://www.nist.gov/privacy-framework
38
Example: NIST Privacy Framework V1.0
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
39
[Roadmap figure: Create governance framework; Where is your data (Business and IT/IS lanes)]
40
2 Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
41
[Roadmap figure: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data (Business and IT/IS lanes)]
42
3 Analyze & data cleanup
Map data flows
Be selective: work from high risk to low risk
Delete all the data you don't need
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
43
[Roadmap figure: the steps above plus Risk Assessment; Processing outside TH (Business and IT/IS lanes)]
44
4 Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of breach of CIA and R on data subject rights
Third party risks
45
[Roadmap figure: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests (Business and IT/IS lanes)]
46
5 Understand technically how to respond to ...
... Right to Access (Article 30)
... Right to data portability (Article 31)
... Right to object (Article 32)
... Right to be forgotten (Article 33)
... Right to restriction of processing (Article 34)
... Right to rectification (Articles 35, 36)
47
[Roadmap figure: the steps above plus Create risk register; Prioritize risk register (Business and IT/IS lanes)]
48
6 Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
49
[Roadmap figure: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation (Business and IT/IS lanes)]
50
7 Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
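Added example, not from the Fujitsu deck, covering both step 2 (privacy inventory: discover and classify personal data) and step 7 (confidentiality via pseudonymization): a small discovery pass over constructed records that flags personal data hiding in generically named fields, validates Thai national ID check digits using the commonly documented rule, and replaces direct identifiers with keyed HMAC tokens. The field names, sample records, sensitive-field list and key are all constructed assumptions.

```python
"""Constructed PII discovery and pseudonymization pass (not the deck's code)."""
import hmac
import hashlib
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
TH_MOBILE_RE = re.compile(r"^0[689]\d{8}$")   # assumed 10-digit Thai mobile shape
TH_ID_RE = re.compile(r"^\d{13}$")

# Partial, constructed list of PDPA special-category fields; extend per inventory.
SENSITIVE_FIELDS = {"health", "religion", "ethnicity", "biometric"}
DIRECT_IDENTIFIERS = {"national_id", "email", "phone", "full_name"}


def thai_id_checksum_ok(digits: str) -> bool:
    """Thai 13-digit national ID check digit (commonly documented rule):
    weight the first 12 digits 13..2, sum mod 11, check = (11 - rem) mod 10."""
    if not TH_ID_RE.match(digits):
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


def classify_field(name: str, value: str) -> str:
    """Classify a field by its name first, then by the shape of its value,
    so personal data stored under a generic name (e.g. 'note') is still found."""
    if name in SENSITIVE_FIELDS:
        return "sensitive"
    if name in DIRECT_IDENTIFIERS:
        return "identifier"
    if EMAIL_RE.match(value) or TH_MOBILE_RE.match(value) or thai_id_checksum_ok(value):
        return "identifier"
    return "other"


def inventory(records):
    """Step 2: per-field classification counts plus malformed national IDs,
    which usually point at test or junk data worth deleting in step 3."""
    counts = {}
    bad_ids = []
    for rec in records:
        for name, value in rec.items():
            counts.setdefault(name, Counter())[classify_field(name, value)] += 1
            if name == "national_id" and not thai_id_checksum_ok(value):
                bad_ids.append(value)
    return counts, bad_ids


def pseudonymize(record, key: bytes):
    """Step 7: replace direct identifiers with keyed HMAC-SHA256 tokens. Records
    stay linkable for the controller (same key, same token) but carry no raw
    identifier; the key must be stored apart from the pseudonymized data set."""
    out = {}
    for name, value in record.items():
        if classify_field(name, value) == "identifier":
            tag = hmac.new(key, f"{name}:{value}".encode(), hashlib.sha256).hexdigest()
            out[name] = "pid_" + tag[:16]
        else:
            out[name] = value
    return out


SAMPLE_RECORDS = [  # constructed sample data; the second ID fails its check digit
    {"full_name": "Somchai Example", "national_id": "1234567890121",
     "email": "somchai@example.com", "city": "Bangkok", "health": "none"},
    {"full_name": "Test Record", "national_id": "1234567890123",
     "note": "0891234567", "city": "Chiang Mai", "health": "asthma"},
]

if __name__ == "__main__":
    counts, bad = inventory(SAMPLE_RECORDS)
    print(counts, bad)
    print(pseudonymize(SAMPLE_RECORDS[0], b"constructed-demo-key"))
```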
51
[Roadmap figure: the roadmap steps so far plus DPIA for in-flight projects (Business and IT/IS lanes)]
52
8 DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think especially of any InfoSec projects (DLP, monitoring)
53
[Roadmap figure: the roadmap steps so far plus Create and maintain records of processing (Business and IT/IS lanes)]
54
9 Records of processing
Essential for the accountability principle (Article 39)
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
55
[Roadmap figure: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing; Create incident response plans (Business and IT/IS lanes)]
56
10 Incident response
What's a personal data breach?
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
57
10 Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to Data Subjects
Plan; test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (Business and IT/IS)
59
Consulting Service: Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
60
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and Objectives; define framework for protecting PII
Increase employee awareness through a training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Rights" management
PII Inventory; conduct PII Life Cycle
Perform DPIA, Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, internal audit
Check and update against regulations of the DPA Thailand
Cybersecurity assessment (VA, penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tune standard processes for full compliance
Improve processes through IT and cybersecurity enhancement
Look to international standards such as ISO 27001 for a systematic approach and framework
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
20
Positive Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Improved Cybersecurity
Standardization of Data Security amp Data Privacy
Brand Safety
Loyal Customer Following
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
21
Negative Impact
Copyright 2020 Fujitsu (Thailand) Co Ltd
Non-Compliance Penalties
The Cost of Compliance
Overregulation Hampering Innovation
22
Benefits
Copyright 2020 Fujitsu (Thailand) Co Ltd
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
[Roadmap diagram, adding: Risk reduction and remediation]

7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control – does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
[Roadmap diagram, adding: DPIA for in-flight projects]

8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think especially of any InfoSec projects (DLP, monitoring)
[Roadmap diagram, adding: Create and maintain records of processing]

9. Records of processing
Essential for the accountability principle (Article 39)
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of a request or objection
• explanation of the appropriate security measures
[Roadmap diagram, adding: Create incident response plans]

10. Incident response
What's a personal data breach?
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
10. Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to Data Subjects
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
Consulting Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring and Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
Data Protection Advisory Service
Establishment
Phase 1: Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the Objective; define a framework for protecting PII
Increase employee awareness through training and a communication scheme
Data Protection Advisory Service
Implementation and operation
Phase 2: Collect consent; implement a single contact point for supporting "Individual Right" management
PII Inventory; conduct PII Life Cycle
Perform DPIA; Risk Assessment; Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hrs
Data Protection Advisory Service
Monitoring and Measuring
Phase 3: Monitoring by measurement
Process audit; Internal audit
Check and update for regulations of DPA Thailand
Cyber security assessment (VA, Penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service
Optimize and Improvement
Phase 4: Tuning the standard process for full compliance
Improve processes by IT and Cyber Security enhancement
Look to international standards such as ISO 27001 for a systematic approach/framework
Privacy Management Solutions
Assessment Automation; Cookie Compliance; Consent Management; Data Discovery & Deletion; Data Mapping; Data Subject Rights Management; Privacy Incident Response; Privacy Policy & Notice; Vendor Risk Management
End-to-End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Benefits
Personal
Confident to use the products/services
Reduce personal data violation and privacy infringement
Have rights over their own personal data
File a complaint and claim for damages
Business
Customer loyalty and trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Better decision-making
What happened after GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent said GDPR implementation took longer than they expected
45 percent said they had an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
Conclusion
This law was issued to protect personal information, both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal
https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA
1. Teaming up
In most organizations, enterprise architects & the IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with …
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap diagram: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework V1.0
https://www.nist.gov/privacy-framework
Cybersecurity and Privacy Risk Relationship
Example: NIST Privacy Framework V1.0
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
[Roadmap diagram: Create governance framework; Where is your data. Lanes: Business, IT/IS]
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
23
Confident to use the productsservices
Personal
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reduce personal data violation and
privacy infringement
Have the rights of their own personal
data
File a complaint and Claim for damages
24
Business
Copyright 2020 Fujitsu (Thailand) Co Ltd
Customer Loyalty And Trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Greater decision-making
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
Data Protection Advisory Service, Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager working group
Establish Data Privacy Policy and its objective; define a framework for protecting PII
Increase employee awareness through a training and communication scheme
Data Protection Advisory Service, Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Right" management
PII inventory; conduct PII life cycle
Perform DPIA: risk assessment and treatment
Define procedures, work instructions and standard processes according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
Data Protection Advisory Service, Phase 3: Monitoring & Measuring
Monitoring by measurement
Process audit, internal audit
Check and update against the regulations of the DPA Thailand
Cyber security assessment (VA, penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service, Phase 4: Optimize and Improvement
Tune the standard process for full compliance
Improve processes through IT and Cyber Security enhancement
Look to international standards such as ISO 27001 for a systematic approach framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Business
Customer loyalty and trust
Better data security
Reduced maintenance costs
Better alignment with evolving technology
Better decision-making
What happened after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent said GDPR implementation took longer than they expected
45 percent said they had an average of two reportable data breaches since GDPR came into effect
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
Conclusion
This law was issued to protect personal information, both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal
Reference: https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA
1 Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with …
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap diagram: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA): https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework V1.0
Cybersecurity and Privacy Risk Relationship (figure)
Using Functions to Manage Cybersecurity and Privacy Risks (figure)
Reference: https://www.nist.gov/privacy-framework
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data]
2 Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data]
3 Analyze & data cleanup
Map data flows
Be selective: work from high risk to low risk
Delete all the data you don't need
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH]
4 Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of a breach of CIA (confidentiality, integrity, availability) and R (resilience) on data subject rights
Third party risks
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests]
5 Understand technically how to respond to …
… Right to Access (Article 30)
… Right to data portability (Article 31)
… Right to object (Article 32)
… Right to be forgotten (Article 33)
… Right to restriction of processing (Article 34)
… Right to rectification (Articles 35, 36)
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register]
6 Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation]
7 Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
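An added example, not from the slides or from Fujitsu, of the pseudonymization bullet on this step, combined with the "excess fields" cleanup from step 3: direct identifiers are replaced by a keyed pseudonym, unneeded fields are dropped, and the key plus the re-identification table are kept apart from the processing copy so that only a controlled path (for example answering a data subject request from step 5) can link the pseudonym back. The field names, the customer records and the key handling are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample customer records (not real people), as an application
# might hold them before any confidentiality control is applied.
SAMPLE_RECORDS: List[Record] = [
    {"customer_id": "C-1001", "name": "Somchai Example",
     "email": "somchai@example.test", "phone": "08-0000-0001",
     "plan": "gold", "city": "Bangkok"},
    {"customer_id": "C-1002", "name": "Siriporn Example",
     "email": "siriporn@example.test", "phone": "08-0000-0002",
     "plan": "silver", "city": "Chiang Mai"},
]

# Fields that directly identify the data subject: replaced by a pseudonym.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone")
# Fields the downstream purpose actually needs (data minimisation, step 3):
# anything not listed here is dropped from the processing copy.
KEEP_FIELDS = ("plan", "city")


def new_pseudonymization_key() -> bytes:
    """Secret key for the keyed hash; stored apart from the processing copy."""
    return secrets.token_bytes(32)


def make_pseudonym(key: bytes, customer_id: str) -> str:
    """HMAC-SHA256 of the identifier: the same id always yields the same
    pseudonym under one key, and without the key the pseudonym cannot be
    linked back to the id (a plain unkeyed hash of a short customer id could
    simply be recomputed from a list of candidate ids)."""
    digest = hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def pseudonymize(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, Record]]:
    """Split the dataset into a processing copy (pseudonym + needed fields)
    and a re-identification table (pseudonym -> direct identifiers).
    The table and the key are the additional information that must live in a
    separate, more tightly controlled security zone than the copy."""
    processing_copy: List[Record] = []
    reid_table: Dict[str, Record] = {}
    for rec in records:
        pseudo = make_pseudonym(key, rec["customer_id"])
        reid_table[pseudo] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        minimised = {f: rec[f] for f in KEEP_FIELDS if f in rec}
        processing_copy.append({"pseudonym": pseudo, **minimised})
    return processing_copy, reid_table


def leaks_direct_identifier(processing_copy: List[Record]) -> bool:
    """Release gate before the copy leaves the restricted zone: True if any
    direct identifier field survived in any row."""
    return any(f in rec for rec in processing_copy for f in DIRECT_IDENTIFIERS)


def reidentify(reid_table: Dict[str, Record], pseudonym: str) -> Record:
    """Controlled re-identification, e.g. to answer a data subject request.
    Only code with access to the separately stored table can do this."""
    if pseudonym not in reid_table:
        raise KeyError("unknown pseudonym")
    return dict(reid_table[pseudonym])


if __name__ == "__main__":
    key = new_pseudonymization_key()
    processing, table = pseudonymize(SAMPLE_RECORDS, key)
    assert not leaks_direct_identifier(processing)
    for row in processing:
        print(row)
    print(reidentify(table, processing[0]["pseudonym"]))
```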
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects]
8 DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances
A DPIA needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think of any InfoSec projects (DLP, monitoring) especially
[Roadmap diagram (Business / IT/IS): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing]
9 Records of processing
Essential for the accountability principle (Article 39)
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
25
What happen after the GDPR enforcement
Copyright 2020 Fujitsu (Thailand) Co Ltd
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
26
What happen after the GDPR enforcement
18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it
54 percent ndash said GDPR implementation took longer than it expected
45 percent - said they had an average of two reportable data breaches since GDPR came into effect
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
The biggest causes of the breaches
Reference: https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging
Conclusion
This law was issued to protect personal information, both IT and non-IT.
Any organization that ignores or does not comply with this law is likely to be punished by law.
Every organization that collects, uses, processes, transfers or discloses personal data needs to comply with this law.
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions.
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
Source: https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA
1. Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance.
This responsibility may lie with:
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap diagram: Create governance framework]
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework v1.0 - Cybersecurity and Privacy Risk Relationship
Example: NIST Privacy Framework v1.0 - Using Functions to Manage Cybersecurity and Privacy Risks
Source: https://www.nist.gov/privacy-framework
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data]
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA.
Data discovery: logical and physical.
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data]
3. Analyze & data cleanup
Map data flows.
Be selective: work from high risk to low risk.
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand]
4. Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of a breach of CIA and R on data subject rights
Third party risks
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand; Work out how to respond to Data Subject requests]
5. Understand technically how to respond to …
… Right to access (Article 30)
… Right to data portability (Article 31)
… Right to object (Article 32)
… Right to be forgotten (Article 33)
… Right to restriction of processing (Article 34)
… Right to rectification (Articles 35, 36)
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register]
6. Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation]
7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
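As an added example (not code from the deck or from Fujitsu), the following Python sketch applies two of the confidentiality measures listed above to one constructed customer record before it leaves the operational zone: minimize it to the fields the declared purpose needs (the "excess fields in systems" point of step 3), then replace direct identifiers with keyed HMAC pseudonyms so the analytics zone never holds them in clear text. The field names, purposes, sample record and key handling are assumptions.

```python
"""Data minimization and keyed pseudonymization of one personal-data record.

Added example, not part of the Fujitsu deck. Assumptions: field names,
purposes and the sample record are constructed; in production the
pseudonym key comes from a secrets manager or HSM and is only available
to the re-identification role, never to analysts.
"""
import hashlib
import hmac
import secrets

# Constructed purpose register: which fields each declared purpose may use
# (in practice, the "purpose of the collection" entry of the records of
# processing from step 9).
PURPOSE_FIELDS = {
    "delivery": {"customer_id", "name", "address", "phone"},
    "sales_analytics": {"customer_id", "postcode", "order_total"},
}

# Fields that identify a natural person directly. They must never reach a
# lower-trust zone in clear text; at most a pseudonym does.
DIRECT_IDENTIFIERS = {"customer_id", "name", "phone", "email", "national_id"}

# Constructed sample record of the kind a CRM might hold.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "name": "Somchai Example",
    "email": "somchai@example.test",
    "phone": "081-000-0000",
    "national_id": "0000000000000",
    "address": "1 Example Road",
    "postcode": "10110",
    "order_total": 1490.00,
}


def minimize(record: dict, purpose: str) -> dict:
    """Keep only the fields the declared purpose is allowed to use."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"undeclared purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    Same value + same key gives the same token, so joins across tables
    still work. Without the key a token cannot be reversed or matched
    against a dictionary of known identifiers (an unkeyed hash could be).
    """
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace every direct identifier in the record with its pseudonym."""
    return {
        k: (pseudonym(str(v), key) if k in DIRECT_IDENTIFIERS else v)
        for k, v in record.items()
    }


def prepare_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Minimize first (less data to protect), then pseudonymize the rest."""
    return pseudonymize(minimize(record, purpose), key)


def leaks_identifier(prepared: dict, original: dict) -> bool:
    """Release check: does any clear-text direct identifier from the
    original record still appear among the prepared output's values?"""
    clear_values = {str(original[k]) for k in DIRECT_IDENTIFIERS if k in original}
    return any(str(v) in clear_values for v in prepared.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stand-in for the secrets-manager key
    out = prepare_for_purpose(SAMPLE_RECORD, "sales_analytics", key)
    print(out)
    print("leaks identifier:", leaks_identifier(out, SAMPLE_RECORD))
```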
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects]
8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances.
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think of any InfoSec projects (DLP, monitoring) especially.
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing]
9. Records of processing
Essential for the accountability principle (Article 39):
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
[Roadmap diagram (Business / IT-IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside Thailand; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing; Create incident response plans]
10. Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
10. Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to the Data Subject
Plan, test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
[Diagram lanes: Business / IT-IS]
Consulting Service: Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the Objective; define framework for protecting PII
Increase employee awareness by training and communication scheme
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Right" management
PII Inventory; conduct PII Life Cycle
Perform DPIA: Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
Data Protection Advisory Service
Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, Internal audit
Check and update on the regulations of the DPA Thailand
Cyber security assessment (VA, Penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tuning standard process for full compliance
Improve process by IT and Cyber Security enhancement
Look for an International Standard such as ISO 27001 for a systematic approach framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
27
The biggest causes of the breaches
Copyright 2020 Fujitsu (Thailand) Co Ltd
Reference httpsdigitalguardiancomblogsurvey-gdpr-compliance-still-lagging
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
28
Conclusion
Copyright 2020 Fujitsu (Thailand) Co Ltd
29
Conclusion
copy 2020 Fujitsu Thailand Co Ltd
This law was issued to protect personal information both IT and non-IT
Any organization that ignores or does not comply with this law is likely to be punished by law
Every organization who collect use process transfer and disclose personal data need to comply with this law
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9. Records of processing
Essential for the accountability principle (Article 39). The record covers:
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of a request or objection
• an explanation of the appropriate security measures
[Roadmap graphic (Business / IT-IS swimlanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing; Create incident response plans]
10. Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
10. Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to the Data Subject
Plan, then test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology (Business / IT-IS)
Consulting Service: Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring and measuring
Phase 4: Optimization and improvement
Data Protection Advisory Service, Phase 1: Establishment
Top management commitment
Appoint a Data Privacy committee
Appoint a Data Privacy Officer (DPO)
Consent Manager working group
Establish the Data Privacy Policy and its objective; define a framework for protecting PII
Increase employee awareness through a training and communication scheme
Data Protection Advisory Service, Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Right" management
PII inventory; conduct the PII life cycle
Perform DPIA: risk assessment and treatment
Define procedures, work instructions and standard processes according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
Data Protection Advisory Service, Phase 3: Monitoring and measuring
Monitoring by measurement
Process audit, internal audit
Check for and apply regulation updates from the DPA Thailand
Cyber security assessment (VA, penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service, Phase 4: Optimization and improvement
Tune standard processes for full compliance
Improve processes through IT and cyber security enhancement
Look to international standards such as ISO 27001 for a systematic approach framework
Privacy Management Solutions
• Assessment Automation
• Cookie Compliance
• Consent Management
• Data Discovery & Deletion
• Data Mapping
• Data Subject Rights Management
• Privacy Incident Response
• Privacy Policy & Notice
• Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Conclusion
This law was issued to protect personal information, both IT and non-IT.
Any organization that ignores or does not comply with this law is likely to be punished by law.
Every organization that collects, uses, processes, transfers and discloses personal data needs to comply with this law.
Step by step to go on track with PDPA's solution by Fujitsu
Pisek Bootta
Business Consultant - Security Consultant
Terms of data processing
Data Processing: the collective set of data actions.
Data Action: a data life cycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
Source: https://www.nist.gov/privacy-framework
10 Steps to Preparing for PDPA
1. Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance.
This responsibility may lie with ...
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
[Roadmap graphic (Business / IT-IS swimlanes): 'Create governance framework']
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
Example: NIST Privacy Framework V1.0 – Cybersecurity and Privacy Risk Relationship
https://www.nist.gov/privacy-framework
Example: NIST Privacy Framework V1.0 – Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
[Roadmap graphic (Business / IT-IS swimlanes): earlier steps plus 'Where is your data']
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA.
Data discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
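The discovery step above is where an inventory usually starts: scanning exports, dumps and file shares for values that look like personal data. The following is an added example, not Fujitsu's tooling or code from the deck; the sample records, the regular expressions and the category names are constructed for it. Candidates of 13 digits are validated with the Thai national ID check digit so that arbitrary 13-digit references are not counted, and the report carries masked values only, so the inventory does not itself become another copy of the personal data.

```python
"""Added example (not Fujitsu's code): a small personal-data discovery scan.

Flags Thai national ID numbers, e-mail addresses and Thai mobile numbers in
text records, validates ID candidates by check digit, and reports counts per
category with every value masked.  All sample records are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: lines as they might appear in a CRM export.
SAMPLE_RECORDS = [
    "customer: Somchai, id 1234567890121, mobile 081-234-5678",
    "contact: somchai@example.com, ticket 4711",
    "order ref 9876543210987, amount 1500.00",   # 13 digits, but the check digit fails
    "note: call back tomorrow",
]

# Thai national ID: 13 digits, optionally grouped as 1-2345-67890-12-3.
THAI_ID_RE = re.compile(r"\b\d{13}\b|\b\d-\d{4}-\d{5}-\d{2}-\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Thai mobile numbers: 10 digits starting 06/08/09, optional dashes.
THAI_MOBILE_RE = re.compile(r"\b0[689]\d-?\d{3}-?\d{4}\b")


def thai_id_checksum_ok(candidate: str) -> bool:
    """MOD 11 check digit of the Thai 13-digit national ID.

    Digits 1..12 are weighted 13 down to 2; the check digit is
    (11 - sum mod 11) mod 10.
    """
    digits = candidate.replace("-", "")
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself a leak."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def classify_line(line: str) -> List[Tuple[str, str]]:
    """Return (category, masked value) pairs found in one line."""
    found: List[Tuple[str, str]] = []
    for m in THAI_ID_RE.finditer(line):
        if thai_id_checksum_ok(m.group()):
            found.append(("thai_national_id", mask(m.group())))
    for m in EMAIL_RE.finditer(line):
        found.append(("email", mask(m.group())))
    for m in THAI_MOBILE_RE.finditer(line):
        found.append(("thai_mobile", mask(m.group())))
    return found


def inventory(records: List[str]) -> Dict[str, int]:
    """Count personal-data hits per category across all records."""
    counts: Counter = Counter()
    for line in records:
        for category, _masked in classify_line(line):
            counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        for category, masked in classify_line(line):
            print(f"{category:18} {masked}")
    print(inventory(SAMPLE_RECORDS))
```

The third sample line shows why the check digit matters: without it, every 13-digit order reference would be inventoried as a national ID and the "how much is there" figure would be inflated.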
[Roadmap graphic (Business / IT-IS swimlanes): earlier steps plus 'Check all processing is fair, lawful and allowed', 'Update policies and comms to data subjects', 'Appoint Data Protection Officer', 'Delete unwanted data']
3. Analyze & data cleanup
Map data flows
Be selective – work from high risk to low risk
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
[Roadmap graphic (Business / IT-IS swimlanes): earlier steps plus 'Risk assessment', 'Processing outside the TH']
4. Risk Assessment
Privacy risk assessment
Conduct a security risk assessment
• Effects of a breach of CIA and R on data subject rights
Third-party risks
[Roadmap graphic (Business / IT-IS swimlanes): earlier steps plus 'Work out how to respond to Data Subject requests']
5. Understand technically how to respond to ...
... Right to access (Article 30)
... Right to data portability (Article 31)
... Right to object (Article 32)
... Right to be forgotten (Article 33)
... Right to restriction of processing (Article 34)
... Right to rectification (Articles 35, 36)
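Responding to these requests is far easier when the system was built the way step 7 suggests: direct identifiers pseudonymized and held apart from the processing data. The following is an added example, not Fujitsu's code or anything from the deck, that serves both step 5 (the requests above) and the pseudonymization control in step 7. It uses only the Python standard library: the HMAC key, the two in-memory dicts standing in for an identity vault and a processing store, the class and method names, and the records and national IDs are all constructed for the example. Field-level encryption, the other control listed under step 7, is not shown here.

```python
"""Added example (not Fujitsu's code): keyed-hash pseudonymization with a
separated identity vault, plus the technical side of data subject requests.

The dicts stand in for a real vault and a real processing store; the key,
the records and the national IDs below are constructed for this example.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


class PseudonymizingStore:
    """Keeps direct identifiers apart from processing data.

    Downstream consumers (reporting, analytics, test copies) only ever see
    the HMAC token, so a leak of the processing store alone does not reveal
    who the records are about.
    """

    def __init__(self, vault_key: bytes) -> None:
        self._key = vault_key                        # known to the vault only
        self._identities: Dict[str, dict] = {}       # token -> name, email
        self._records: Dict[str, List[dict]] = {}    # token -> processing data
        self._restricted: set = set()                # tokens under restriction (Art. 34)

    def token_for(self, national_id: str) -> str:
        # Keyed hash, not bare SHA-256: the 13-digit ID space is small enough
        # to enumerate, so an unkeyed hash of it would be reversible.
        return hmac.new(self._key, national_id.encode(), hashlib.sha256).hexdigest()

    def ingest(self, national_id: str, name: str, email: str, record: dict) -> str:
        token = self.token_for(national_id)
        self._identities.setdefault(token, {"name": name, "email": email})
        self._records.setdefault(token, []).append(record)
        return token

    def analytics_view(self) -> List[dict]:
        """What leaves the vault boundary: tokens and processing data only."""
        return [{"subject": token, **record}
                for token, records in self._records.items()
                if token not in self._restricted
                for record in records]

    # Data subject rights (step 5)
    def right_to_access(self, national_id: str) -> Optional[dict]:
        token = self.token_for(national_id)
        if token not in self._identities:
            return None
        return {"identity": dict(self._identities[token]),
                "records": list(self._records.get(token, []))}

    def right_to_portability(self, national_id: str) -> Optional[str]:
        data = self.right_to_access(national_id)
        return None if data is None else json.dumps(data, sort_keys=True)

    def right_to_rectification(self, national_id: str, **fields) -> bool:
        token = self.token_for(national_id)
        if token not in self._identities:
            return False
        self._identities[token].update(fields)
        return True

    def right_to_restriction(self, national_id: str) -> bool:
        token = self.token_for(national_id)
        if token not in self._identities:
            return False
        self._restricted.add(token)       # records stay but leave the view
        return True

    def right_to_be_forgotten(self, national_id: str) -> bool:
        token = self.token_for(national_id)
        existed = token in self._identities
        self._identities.pop(token, None)
        self._records.pop(token, None)
        self._restricted.discard(token)
        return existed


def demo() -> dict:
    """Exercise the rights on constructed data and return checkable facts."""
    store = PseudonymizingStore(b"constructed-demo-key-do-not-reuse")
    somchai, nok = "1234567890121", "9876543210980"          # constructed IDs
    store.ingest(somchai, "Somchai", "somchai@example.com", {"order": 1, "amount": 1500})
    store.ingest(somchai, "Somchai", "somchai@example.com", {"order": 2, "amount": 200})
    store.ingest(nok, "Nok", "nok@example.com", {"order": 3, "amount": 99})

    view = store.analytics_view()
    leaked = any("name" in row or "email" in row for row in view)
    access = store.right_to_access(somchai)
    store.right_to_rectification(somchai, email="somchai.new@example.com")
    rectified = store.right_to_access(somchai)["identity"]["email"]
    store.right_to_restriction(nok)
    rows_after_restriction = len(store.analytics_view())
    forgotten = store.right_to_be_forgotten(somchai)
    return {"rows_before": len(view), "identifiers_leaked": leaked,
            "access_records": len(access["records"]), "rectified_email": rectified,
            "rows_after_restriction": rows_after_restriction, "forgotten": forgotten,
            "access_after_erasure": store.right_to_access(somchai)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that every request is keyed by the same token the data subject's ID maps to, so access, portability, rectification, restriction and erasure all become lookups in the vault rather than searches across every system that holds a copy; that only works if the copies downstream were tokenized in the first place.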
[Roadmap graphic (Business / IT-IS swimlanes): earlier steps plus 'Create risk register', 'Prioritize risk register']
6. Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
[Roadmap graphic (Business / IT-IS swimlanes): earlier steps plus 'Risk reduction and remediation']
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
30
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Step by step to go on track with PDPArsquos solution by Fujitsu
copy 2020 Fujitsu (Thailand) Co Ltd
Pisek Bootta
Business Consultant - Security Consultant
32
Term of data processing
copy 2020 Fujitsu (Thailand) Co Ltd
Data Processing
The collective set of data actions
Data Action
A data life cycle operation including but not limited to collection retention
logging generation transformation use disclosure sharing transmission and
disposal
httpswwwnistgovprivacy-framework
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1. Teaming up
In most organizations, enterprise architects and the IT department do not have final responsibility for ensuring regulatory compliance.
This responsibility may lie with ...
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR, Marketing, etc.
35
[Roadmap figure: Create governance framework]
36
Data Privacy & Protection Implementation Guideline
Electronic Transactions Development Agency (ETDA) - https://www.etda.or.th/content/personal-data-protection-by-etda
37
Example: NIST Privacy Framework V1.0
https://www.nist.gov/privacy-framework
[Figure: Cybersecurity and Privacy Risk Relationship]
38
Example: NIST Privacy Framework V1.0
[Figure: Using Functions to Manage Cybersecurity and Privacy Risks]
https://www.nist.gov/privacy-framework
39
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data]
40
2. Privacy inventory
Identify all data that counts as 'personal' according to the PDPA.
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
41
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data]
42
3. Analyze & data cleanup
Map data flows.
Be selective: work from high risk to low risk.
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
43
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH]
44
4. Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of a breach of CIA and R on data subject rights
Third party risks
45
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests]
46
5. Understand technically how to respond to ...
... Right to Access (Article 30)
... Right to data portability (Article 31)
... Right to object (Article 32)
... Right to be forgotten (Article 33)
... Right to restriction of processing (Article 34)
... Right to rectification (Articles 35, 36)
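As an added example (not from the Fujitsu deck), a minimal data-subject-request handler in Python showing what each right listed above means for the systems that hold the data: access and portability read it out, objection and restriction gate its use, rectification edits it, erasure removes it, and every request is logged for the records of processing. The record layout, system names and sample records are constructed for illustration.

```python
from __future__ import annotations

import json
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Record:
    """One personal-data record in one system, as found by the privacy inventory."""
    subject_id: str
    system: str
    fields: dict
    restricted: bool = False                    # Article 34: kept, but frozen
    objected: set = field(default_factory=set)  # Article 32: purposes refused


# Constructed sample data: one data subject held in two (hypothetical) systems.
SAMPLE_RECORDS = [
    Record("S-001", "crm", {"name": "Somchai", "email": "somchai@example.com"}),
    Record("S-001", "marketing", {"email": "somchai@example.com", "segment": "gold"}),
    Record("S-002", "crm", {"name": "Malee", "email": "malee@example.com"}),
]


class PersonalDataStore:
    """In-memory stand-in for the systems holding personal data, with one method
    per right. Every request is appended to an audit trail that can feed the
    records of processing (step 9); the trail stores counts, not the data."""

    def __init__(self, records):
        self._records = [deepcopy(r) for r in records]
        self.audit = []

    def _log(self, subject_id, right, detail):
        self.audit.append({"subject": subject_id, "right": right, "detail": detail})

    def _of(self, subject_id):
        return [r for r in self._records if r.subject_id == subject_id]

    def access(self, subject_id):
        """Article 30: tell the subject what is held about them and in which system."""
        held = {r.system: dict(r.fields) for r in self._of(subject_id)}
        self._log(subject_id, "access", {"systems": sorted(held)})
        return held

    def export_portable(self, subject_id):
        """Article 31: the same data in a machine-readable format (JSON here)."""
        held = {r.system: dict(r.fields) for r in self._of(subject_id)}
        self._log(subject_id, "portability", {"systems": sorted(held)})
        return json.dumps(held, sort_keys=True, ensure_ascii=False)

    def object_to(self, subject_id, purpose):
        """Article 32: stop using the data for one purpose (e.g. direct marketing)."""
        for r in self._of(subject_id):
            r.objected.add(purpose)
        self._log(subject_id, "object", {"purpose": purpose})

    def restrict(self, subject_id):
        """Article 34: freeze processing without deleting (e.g. while accuracy is disputed)."""
        for r in self._of(subject_id):
            r.restricted = True
        self._log(subject_id, "restrict", {})

    def rectify(self, subject_id, system, changes):
        """Articles 35/36: correct inaccurate fields in one system; returns fields changed."""
        changed = 0
        for r in self._of(subject_id):
            if r.system == system:
                for key, value in changes.items():
                    if r.fields.get(key) != value:
                        r.fields[key] = value
                        changed += 1
        self._log(subject_id, "rectify", {"system": system, "changed": changed})
        return changed

    def erase(self, subject_id):
        """Article 33: remove the subject from every system; returns records removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        removed = before - len(self._records)
        self._log(subject_id, "erase", {"removed": removed})
        return removed

    def may_process(self, subject_id, purpose):
        """Gate every use of the data on the subject's current state (default deny):
        an unknown subject, a restricted record, or an objection to this purpose
        all refuse processing."""
        records = self._of(subject_id)
        if not records:
            return False
        return all(not r.restricted and purpose not in r.objected for r in records)


if __name__ == "__main__":
    store = PersonalDataStore(SAMPLE_RECORDS)
    print(store.access("S-001"))
    store.object_to("S-001", "marketing")
    print(store.may_process("S-001", "marketing"), store.may_process("S-001", "service"))
    print(store.erase("S-001"), "records erased;", len(store.audit), "audit entries")
```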
47
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register]
48
6. Prioritize risks
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
49
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation]
50
7. Risk reduction and remediation
Do we need to do this with that data?
Confidentiality
• Pseudonymization
• Encryption
Access control: does everyone need access?
What security posture, based on data subject risk?
• Will you create different security zones?
51
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects]
52
8. DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances.
Needs to contain:
• Systematic description and basis of processing
• Assessment of necessity and proportionality
• Risks to Data Subjects
• Risk reduction
Good practice
Think especially of any InfoSec projects (DLP, monitoring).
53
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing]
54
9. Records of processing
Essential for the accountability principle (Article 39):
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
55
[Roadmap figure (Business and IT/IS lanes): Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data; Risk Assessment; Processing outside the TH; Work out how to respond to Data Subject requests; Create risk register; Prioritize risk register; Risk reduction and remediation; DPIA for in-flight projects; Create and maintain records of processing; Create incident response plans]
56
10. Incident response
What's a personal data breach?
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
57
10. Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to Data Subjects
Plan; test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
[Figure: Business and IT/IS]
59
Consulting Service: Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
60
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the Objective; define framework for protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Right" management
PII Inventory; conduct PII Life Cycle
Perform DPIA: Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with resolution plan) to the DPA within 72 Hrs
62
Data Protection Advisory Service
Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, Internal audit
Check and update regulation of DPA Thailand
Cyber security assessment (VA, Penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tuning standard process for full compliance
Improve process by IT and Cyber Security enhancement
Look to international standards such as ISO 27001 for a systematic approach framework
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
33
10 Steps to Preparing for PDPA
copy 2020 Fujitsu (Thailand) Co Ltd
34
1 Teaming up
copy 2020 Fujitsu (Thailand) Co Ltd
In most organizations enterprise architects amp IT department do not have final responsibility for ensuring regulatory compliance
This responsibility may lie with hellip
Legal department
Risk Management
Compliance
Information Security
Data Protection Officer
HR Marketing etc
35 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service

Phase 3: Monitoring and measuring
Monitoring by measurement
Process audit / internal audit
Check for and update to current DPA Thailand regulations
Cyber security assessment (VA / penetration test)
Regularly evaluate feedback from "Individuals"
Regularly report the level of compliance to top management
Data Protection Advisory Service

Phase 4: Optimize and improve
Tune standard processes for full compliance
Improve processes through IT and cyber security enhancement
Look to international standards such as ISO 27001 for a systematic approach and framework
Privacy Management Solutions

• Assessment Automation
• Cookie Compliance
• Consent Management
• Data Discovery & Deletion
• Data Mapping
• Data Subject Rights Management
• Privacy Incident Response
• Privacy Policy & Notice
• Vendor Risk Management
End to End Security Solution Areas
Summary

People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
36
Data Privacy amp Protection Implementation Guideline
copy 2020 Fujitsu (Thailand) Co Ltd
ส ำนกงำนพฒนำธรกรรมทำงอเลกทรอนกส (สพธอ) - httpswwwetdaorthcontentpersonal-data-protection-by-etda
37
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
httpswwwnistgovprivacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
© 2020 Fujitsu (Thailand) Co Ltd
Essential for the accountability principle (Article 39):
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
55 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data · Risk Assessment · Processing outside the TH · Work out how to respond to Data Subject requests · Create risk register · Prioritize risk register · Risk reduction and remediation · DPIA for in-flight projects · Create and maintain records of processing · Create incident response plans (lanes: Business, IT/IS)]
56
10 Incident response
© 2020 Fujitsu (Thailand) Co Ltd
What’s a personal data breach?
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
57
10 Incident response (Article 37 (4))
© 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to the supervisory authority within 72 hours
Notification to the Data Subject
Plan, and test the plan
Make sure Legal is involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
© 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
[Diagram lanes: Business, IT/IS]
59
Consulting Service
© 2020 Fujitsu (Thailand) Co Ltd
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring & Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
© 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1: Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the objective; define framework for protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
© 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2: Collect consent; implement a single contact point for supporting “Individual Right” management
PII Inventory; conduct PII Life Cycle
Perform DPIA, Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
© 2020 Fujitsu (Thailand) Co Ltd
Monitoring & Measuring
Phase 3: Monitoring by measurement
Process audit, Internal audit
Check and update against DPA Thailand regulations
Cyber security assessment (VA, Penetration test)
Regularly evaluate feedback from “Individuals”
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
© 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4: Tune standard processes for full compliance
Improve processes by IT and Cyber Security enhancement
Look to international standards such as ISO 27001 for a systematic framework
64
Privacy Management Solutions
© 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
© 2020 Fujitsu (Thailand) Co Ltd
66
Summary
© 2020 Fujitsu (Thailand) Co Ltd
People, policy and processes, and technology that deliver ‘privacy by nature’
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
37
Example: NIST Privacy Framework V1.0
© 2020 Fujitsu (Thailand) Co Ltd
https://www.nist.gov/privacy-framework
Cybersecurity and Privacy Risk Relationship
38
Example: NIST Privacy Framework V1.0
© 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
https://www.nist.gov/privacy-framework
39 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data (lanes: Business, IT/IS)]
40
2 Privacy inventory
© 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as ‘personal’ according to the PDPA
Data Discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties?
41 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data (lanes: Business, IT/IS)]
42
3 Analyze & data cleanup
© 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective – work from high risk to low risk
Delete all the data you don’t need:
• Duplicate copies
• “Just-in-case” backups
• Excess fields in systems
• Records the business has decided are no longer required
43 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data · Risk Assessment · Processing outside the TH (lanes: Business, IT/IS)]
44
4 Risk Assessment
© 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
• Effects of a breach of CIA and R on data subject rights
Third party risks
45 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data · Risk Assessment · Processing outside the TH · Work out how to respond to Data Subject requests (lanes: Business, IT/IS)]
46
5 Understand technically how to respond to …
© 2020 Fujitsu (Thailand) Co Ltd
… Right to Access (Article 30)
… Right to data portability (Article 31)
… Right to object (Article 32)
… Right to be forgotten (Article 33)
… Right to restriction of processing (Article 34)
… Right to rectification (Article 35, 36)
47 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data · Risk Assessment · Processing outside the TH · Work out how to respond to Data Subject requests · Create risk register · Prioritize risk register (lanes: Business, IT/IS)]
48
6 Prioritize risks
© 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
• Prioritized
List regulatory risks
• Prioritized
49 © 2020 Fujitsu (Thailand) Co Ltd
[Roadmap diagram: Create governance framework · Where is your data · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data · Risk Assessment · Processing outside the TH · Work out how to respond to Data Subject requests · Create risk register · Prioritize risk register · Risk reduction and remediation (lanes: Business, IT/IS)]
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
38
Example NIST Privacy Framework V10
copy 2020 Fujitsu (Thailand) Co Ltd
Using Functions to Manage Cybersecurity and Privacy Risks
httpswwwnistgovprivacy-framework
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
39 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Business
ITIS
40
2 Privacy inventory
copy 2020 Fujitsu (Thailand) Co Ltd
Identify all data that counts as lsquopersonalrsquo according to the PDPA
Data Discovery Logical and physical
What do you store
bull How old is it
bull How much is there
Classification
What third parties
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51
[Roadmap diagram: as on slide 47, adding 'Risk reduction and remediation' and 'DPIA for in-flight projects'. Swim lanes: Business, IT/IS]
52
8 DPIA for in-flight projects
DPIAs are required for 'high risk' processing and in specified circumstances.
A DPIA needs to contain:
• A systematic description of the processing and its legal basis
• An assessment of necessity and proportionality
• The risks to Data Subjects
• The measures taken to reduce those risks
Good practice: think especially of any InfoSec projects (DLP, monitoring), which process employee and customer data at scale and are easily overlooked as 'security, not privacy'.
53
[Roadmap diagram: as on slide 47, adding 'Risk reduction and remediation', 'DPIA for in-flight projects' and 'Create and maintain records of processing'. Swim lanes: Business, IT/IS]
54
9 Records of processing
Essential for the accountability principle (Article 39). The record must cover:
• the Personal Data collected
• the purpose of collection for each category of Personal Data
• details of the Data Controller
• the retention period of the Personal Data
• the rights of the Data Subject and the methods for accessing the Personal Data
• the use or disclosure of the Personal Data
• any rejection of a request or objection
• an explanation of the appropriate security measures
55
[Roadmap diagram: as on slide 47, adding 'Risk reduction and remediation', 'DPIA for in-flight projects', 'Create and maintain records of processing' and 'Create incident response plans'. Swim lanes: Business, IT/IS]
56
10 Incident response
What's a personal data breach?
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (the GDPR Article 4(12) wording). Note that it covers loss and alteration as well as disclosure: a ransomware incident or a corrupted backup can be a personal data breach even if no data left the organisation.
57
10 Incident response (Article 37 (4))
Notification of a breach to the supervisory authority (the Office of the Personal Data Protection Committee) without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects
Notification to Data Subjects, together with the remedial measures, when the breach is likely to result in a high risk to their rights and freedoms
Plan, and test the plan: the 72-hour clock starts at awareness, so detection, triage and the decision on notification all have to fit inside it
Make sure legal are involved (because they will want to handle the notification)
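As an added example (not from the webinar or from Fujitsu), the Python below runs a simple detection over constructed application audit-log lines, flags a bulk customer export to an external address as a candidate breach under the definition on the previous slide, and opens a breach record that fixes the moment of awareness and the 72-hour deadline from Article 37(4). The log format, the 10.0.0.0/8 'internal' range, the 10,000-row threshold and the risk tiering are assumptions for the example; whether a real incident is 'unlikely to result in a risk' or is 'high risk' is a judgement for the incident team and legal, not something a script should make alone.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed application audit-log lines for the demo (no real users, hosts or
# data). The key=value line format is an assumption for this example.
SAMPLE_LOG = """\
2020-04-21T09:58:01+07:00 user=aree action=export_customers rows=12 dataset=crm dst=10.0.5.21
2020-04-21T10:02:44+07:00 user=aree action=export_customers rows=9 dataset=crm dst=10.0.5.21
2020-04-21T10:05:13+07:00 user=contractor7 action=export_customers rows=48000 dataset=crm dst=203.0.113.9
2020-04-21T10:06:30+07:00 user=contractor7 action=export_customers rows=51000 dataset=crm dst=203.0.113.9
2020-04-21T10:07:02+07:00 user=wichai action=view_customer rows=1 dataset=crm dst=10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"rows=(?P<rows>\d+) dataset=(?P<dataset>\S+) dst=(?P<dst>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    rows: int
    dataset: str
    dst: str


@dataclass
class Alert:
    user: str
    rows: int             # customer rows exported by this user in the window
    external: bool        # at least one export went outside the corporate range
    first_seen: datetime  # timestamp of the first contributing event


@dataclass
class BreachRecord:
    aware_at: datetime
    authority_deadline: datetime  # aware_at + 72 h, the outer limit in Article 37(4)
    notify_authority: bool
    notify_data_subjects: bool
    summary: str


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable lines are skipped, never guessed at
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["action"],
                            int(m["rows"]), m["dataset"], m["dst"]))
    return events


def is_internal(ip: str) -> bool:
    # Demo assumption: the corporate LAN is 10.0.0.0/8.
    return ip.startswith("10.")


def detect_bulk_export(events: List[Event], row_threshold: int = 10_000) -> List[Alert]:
    """Flag users whose summed customer exports exceed the threshold, or who export
    any volume to an external address. Both are candidate 'unauthorised disclosure
    of or access to personal data' under the breach definition above."""
    totals: Dict[str, int] = defaultdict(int)
    external: Dict[str, bool] = defaultdict(bool)
    first: Dict[str, datetime] = {}
    for e in events:
        if e.action != "export_customers":
            continue
        totals[e.user] += e.rows
        external[e.user] = external[e.user] or not is_internal(e.dst)
        first.setdefault(e.user, e.ts)
    return [Alert(u, totals[u], external[u], first[u])
            for u in totals if totals[u] > row_threshold or external[u]]


def open_breach_record(alert: Alert, aware_at: datetime) -> BreachRecord:
    """Start the notification clock at the moment the controller became aware.
    Risk tiering is a demo assumption: a bulk export to an external address is
    treated as 'high risk' (authority AND data subjects notified); any other
    alert is treated as a 'risk' case (authority only). Only a breach that is
    unlikely to result in any risk would be exempt, and an alert that fired is
    not assumed to be one."""
    high_risk = alert.external and alert.rows > 10_000
    return BreachRecord(
        aware_at=aware_at,
        authority_deadline=aware_at + timedelta(hours=72),
        notify_authority=True,
        notify_data_subjects=high_risk,
        summary=f"{alert.rows} customer rows exported by {alert.user}"
                + (" to an external address" if alert.external else ""),
    )


def hours_to_deadline(record: BreachRecord) -> float:
    """Hours between awareness and the authority deadline (72.0 by construction)."""
    return (record.authority_deadline - record.aware_at).total_seconds() / 3600


if __name__ == "__main__":
    for alert in detect_bulk_export(parse_log(SAMPLE_LOG)):
        rec = open_breach_record(alert, alert.first_seen)
        print(rec.summary)
        print("notify authority by:", rec.authority_deadline.isoformat(),
              "| notify data subjects:", rec.notify_data_subjects)
```

Run it to print the record for the constructed log. The point to take from it is where the clock starts: at awareness, not at confirmation, which is why detection and triage have to be rehearsed ('plan, test the plan') before the first real breach.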
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
(swim lanes: Business, IT/IS)
Consulting Service
Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring and measuring
Phase 4: Optimize and improvement
60
Data Protection Advisory Service
Phase 1: Establishment
Top management commitment
Appoint a Data Privacy committee
Appoint a Data Privacy Officer (DPO)
Set up a Consent Manager working group
Establish the Data Privacy Policy and its objectives; define the framework for protecting PII
Increase employee awareness through a training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "Individual Rights" management
PII inventory; conduct PII life-cycle analysis
Perform DPIA, risk assessment and risk treatment
Define procedures, work instructions and standard processes according to risk level
Monitor and evaluate the results of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
Phase 3: Monitoring and measuring
Monitoring by measurement
Process audit, internal audit
Check for and apply updated regulations from the Thai DPA
Cyber security assessment (vulnerability assessment, penetration test)
Regularly evaluate feedback from individuals
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and improvement
Tune standard processes for full compliance
Improve processes through IT and cyber security enhancements
Look to an international standard such as ISO 27001 for a systematic framework
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
40
2 Privacy inventory
Identify all data that counts as 'personal' according to the PDPA
Data discovery: logical and physical
What do you store?
• How old is it?
• How much is there?
Classification
What third parties hold or receive it?
Discovery has to cover unstructured stores (file shares, mailboxes, spreadsheets, backups) as well as databases, and should record locations and counts rather than copying the matched values out, or the inventory itself becomes another store of personal data.
41
[Roadmap diagram: Create governance framework; Where is your data; Check all processing is fair, lawful and allowed; Update policies and comms to data subjects; Appoint Data Protection Officer; Delete unwanted data. Swim lanes: Business, IT/IS]
42
3 Analyze & data cleanup
Map data flows
Be selective – work from high risk to low risk
Delete all the data you don't need:
• Duplicate copies
• "Just-in-case" backups
• Excess fields in systems
• Records the business has decided are no longer required
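The Python below is an added example, not code from the webinar or from Fujitsu, illustrating the discovery step from slide 40 (what do you store, how much is there) and the clean-up step here (duplicate copies and just-in-case backups). It scans constructed file contents for Thai national ID numbers (validated by check digit so that 13-digit invoice numbers are not counted), e-mail addresses and Thai mobile numbers, reports counts per file without copying the matched values, and groups byte-identical files by content hash. The file contents, file names and regular expressions are assumptions for the example.

```python
import hashlib
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed file contents for the demo (no real people). The backup copy is
# byte-identical to the HR file, the finance file holds 13-digit numbers that
# are not national IDs, and the README holds nothing personal.
SAMPLE_FILES = {
    "hr/onboarding_2019.csv": "name,id,mobile,email\n"
                              "Somchai,1234567890121,081-234-5678,somchai@example.co.th\n",
    "backup/onboarding_2019_copy.csv": "name,id,mobile,email\n"
                                       "Somchai,1234567890121,081-234-5678,somchai@example.co.th\n",
    "finance/invoices.txt": "INV 1234567890120 paid; ref 9876543210987\n",
    "it/README.txt": "No personal data here.\n",
}

# Detectors for identifiers common in Thai personal data. The patterns are
# assumptions for this example and deliberately simple; tune them to your data.
PATTERNS = {
    "thai_national_id": re.compile(r"\b\d(?:[- ]?\d){12}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "th_mobile": re.compile(r"\b0[689]\d(?:[- ]?\d){7}\b"),
}


def thai_id_checksum_ok(candidate: str) -> bool:
    """Thai national ID check digit: weights 13..2 over the first 12 digits,
    check = (11 - (sum mod 11)) mod 10. Cuts false positives from invoice and
    tracking numbers that happen to be 13 digits long."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 13:
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


def scan_text(text: str) -> Counter:
    """Count validated hits per identifier type. Only counts leave this function,
    never the matched values, so the scan report is not itself a new copy of
    personal data."""
    hits: Counter = Counter()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "thai_national_id" and not thai_id_checksum_ok(m.group()):
                continue
            hits[kind] += 1
    return hits


def inventory(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Per-file inventory: answers 'what do you store' and 'how much is there'
    for every file that holds at least one personal identifier."""
    result: Dict[str, Dict[str, int]] = {}
    for name, body in files.items():
        hits = scan_text(body)
        if hits:
            result[name] = dict(hits)
    return result


def find_duplicates(files: Dict[str, str]) -> List[List[str]]:
    """Group byte-identical files by SHA-256 of their content: the 'duplicate
    copies' and 'just-in-case backups' that step 3 says to delete first."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for name, body in files.items():
        by_hash[hashlib.sha256(body.encode()).hexdigest()].append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


if __name__ == "__main__":
    for path, counts in inventory(SAMPLE_FILES).items():
        print(path, counts)
    print("duplicate groups:", find_duplicates(SAMPLE_FILES))
```

The check-digit test matters in practice: without it a scan of a finance share reports every 13-digit reference as an ID and the inventory loses credibility. Reporting counts rather than values keeps the scan output from becoming yet another copy of the data it is meant to find.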
43
[Roadmap diagram: as on slide 41, adding 'Risk assessment' and 'Processing outside Thailand'. Swim lanes: Business, IT/IS]
44
4 Risk Assessment
Privacy risk assessment
Conduct a security risk assessment
• Effects of a breach of confidentiality, integrity, availability and resilience (CIA and R) on data subject rights
Third-party risks
45
[Roadmap diagram: as on slide 43, adding 'Work out how to respond to Data Subject requests'. Swim lanes: Business, IT/IS]
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
41 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Business
ITIS
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
42
3 Analyze amp data cleanup
copy 2020 Fujitsu (Thailand) Co Ltd
Map data flows
Be selective ndash work from high risk ndash low risk
Delete all the data you donrsquot need
bull Duplicate copies
bull ldquoJust-in-caserdquo backups
bull Excess fields in systems
bull Records the business has decided is no longer required
43 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Business
ITIS
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53
[Roadmap graphic repeated, next step added: Create and maintain records of processing]
54
9 Records of processing
Essential for the accountability principle (Article 39). The record must cover:
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of requests or objections
• explanation of the appropriate security measures
55
[Roadmap graphic repeated, next step added: Create incident response plans]
56
10 Incident response
What’s a personal data breach?
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (the GDPR Article 4(12) wording)
57
10 Incident response (Article 37(4))
Notification of a breach to the supervisory authority (under the PDPA, the Office of the Personal Data Protection Committee) without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; the clock starts at awareness, not at confirmation
Notification to Data Subjects, with the remedial measures, where the breach is likely to result in a high risk to their rights and freedoms
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
59
Consulting Service: Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
60
Data Protection Advisory Service
Phase 1: Establishment
• Top management commitment
• Appoint Data Privacy committee
• Appoint Data Privacy Officer (DPO)
• Consent Manager working group
• Establish Data Privacy Policy and objectives; define a framework for protecting PII
• Increase employee awareness through a training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
• Collect consent; implement a single contact point to support “Individual Right” management
• PII inventory; conduct a PII life-cycle review
• Perform DPIA, risk assessment and treatment
• Define procedures, work instructions and standard processes according to risk level
• Monitor and evaluate the result of the risk treatment plan
• Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
Phase 3: Monitoring, Measuring
• Monitoring by measurement
• Process audit, internal audit
• Check for and apply updated regulations from the Thai DPA
• Cyber security assessment (VA, penetration test)
• Regularly evaluate feedback from “Individuals”
• Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and Improvement
• Tune standard processes for full compliance
• Improve processes through IT and cyber security enhancement
• Look to an international standard such as ISO 27001 for a systematic framework
64
Privacy Management Solutions
Assessment Automation · Cookie Compliance · Consent Management · Data Discovery & Deletion · Data Mapping · Data Subject Rights Management · Privacy Incident Response · Privacy Policy & Notice · Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver ‘privacy by nature’
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
43
[Roadmap graphic, Business and IT/IS tracks: Create governance framework · Where is your data? · Check all processing is fair, lawful and allowed · Update policies and comms to data subjects · Appoint Data Protection Officer · Delete unwanted data · Risk Assessment · Processing outside Thailand]
44
4 Risk Assessment
Privacy risk assessment
Conduct security risk assessment
• Effects of a breach of CIA and R (confidentiality, integrity, availability and resilience) on data subject rights
Third party risks
45
[Roadmap graphic repeated, next step added: Work out how to respond to Data Subject requests]
46
5 Understand technically how to respond to …
… Right to Access (Article 30)
… Right to data portability (Article 31)
… Right to object (Article 32)
… Right to be forgotten (Article 33)
… Right to restriction of processing (Article 34)
… Right to rectification (Articles 35, 36)
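Each of these rights needs a technical path through every store on the data map, not just the system the subject happened to contact. The following added example (not code from the Fujitsu deck; the store names, the statutory-retention rule for order records and the sample records are constructed) implements the six rights over a toy inventory, keeps an audit trail of every request for the accountability record, and handles the common edge case where an erasure request cannot be fully honoured because some records are under a retention obligation: those records are frozen rather than deleted, and ordinary processing jobs are gated on that state.

```python
"""Added example: a data-subject-request (DSR) handler over a toy data map.
Not code from the Fujitsu PDPA deck. Store names, the statutory-retention
rule and the records are constructed/hypothetical."""
import json
from datetime import datetime, timezone

# Constructed inventory: store -> records. A request can only reach data that
# is on the data map, which is why "Where is your data?" precedes this step.
INVENTORY = {
    "crm": [
        {"subject_id": "S1", "name": "Somchai", "email": "somchai@example.com"},
        {"subject_id": "S2", "name": "Malee", "email": "malee@example.com"},
    ],
    "orders": [{"subject_id": "S1", "order": "A100", "amount": 1200}],
    "marketing": [{"subject_id": "S1", "segment": "promo"}],
}
# Hypothetical: order records must be kept for a statutory period, so an
# erasure request is honoured there by restricting processing, not deleting.
STATUTORY_RETENTION = {"orders"}


class DSRHandler:
    def __init__(self, inventory: dict) -> None:
        # Copy the records so the demo never mutates the module-level sample data.
        self.inventory = {s: [dict(r) for r in recs] for s, recs in inventory.items()}
        self.restricted: set = set()   # subjects whose processing is frozen
        self.objections: dict = {}     # subject_id -> stores opted out of
        self.audit: list = []          # accountability trail for every request

    def _log(self, kind: str, subject_id: str, detail: str = "") -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "type": kind, "subject": subject_id, "detail": detail})

    def _records(self, subject_id: str) -> dict:
        found = {s: [r for r in recs if r["subject_id"] == subject_id]
                 for s, recs in self.inventory.items()}
        return {s: r for s, r in found.items() if r}

    def access(self, subject_id: str) -> dict:
        """Right to access (Article 30): everything held, per store."""
        self._log("access", subject_id)
        return self._records(subject_id)

    def portability(self, subject_id: str) -> str:
        """Right to data portability (Article 31): machine-readable export."""
        self._log("portability", subject_id)
        return json.dumps(self._records(subject_id), sort_keys=True)

    def object(self, subject_id: str, store: str) -> None:
        """Right to object (Article 32), e.g. to direct marketing: stop that
        processing and remember the objection so the data is not re-collected."""
        self.objections.setdefault(subject_id, set()).add(store)
        self.inventory[store] = [r for r in self.inventory[store]
                                 if r["subject_id"] != subject_id]
        self._log("object", subject_id, store)

    def erase(self, subject_id: str) -> list:
        """Right to be forgotten (Article 33). Returns the stores that could
        not be purged because of a retention obligation; those are frozen."""
        held = []
        for store in self.inventory:
            if store in STATUTORY_RETENTION:
                held.append(store)
                continue
            self.inventory[store] = [r for r in self.inventory[store]
                                     if r["subject_id"] != subject_id]
        if held:
            self.restricted.add(subject_id)
        self._log("erase", subject_id, f"retained under statutory hold: {held}")
        return sorted(held)

    def restrict(self, subject_id: str) -> None:
        """Right to restriction of processing (Article 34)."""
        self.restricted.add(subject_id)
        self._log("restrict", subject_id)

    def rectify(self, subject_id: str, field: str, value) -> int:
        """Right to rectification (Articles 35, 36): fix the field everywhere
        it is held, and report how many records changed."""
        changed = 0
        for recs in self.inventory.values():
            for rec in recs:
                if rec["subject_id"] == subject_id and field in rec:
                    rec[field] = value
                    changed += 1
        self._log("rectify", subject_id, f"{field} updated in {changed} records")
        return changed

    def may_process(self, subject_id: str, store: str) -> bool:
        """Gate for ordinary processing jobs: honour restrictions and objections."""
        return (subject_id not in self.restricted
                and store not in self.objections.get(subject_id, set()))
```

The point of `may_process` is that a restriction or objection is only real if every batch job and export checks it; a flag nobody reads is not a control. The same inventory-driven loop is what makes the access and rectification responses complete, since any store missing from the data map is silently missed by all six rights.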
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
44
4 Risk Assessment
copy 2020 Fujitsu (Thailand) Co Ltd
Privacy risk assessment
Conduct security risk assessment
bull Effects of breach of CIA and R on data subject rights
Third party risks
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
45 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Business
ITIS
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting "individual rights" management
PII inventory; map the PII life cycle
Perform DPIA, risk assessment and risk treatment
Define procedures, work instructions and standard processes according to risk level
Monitor and evaluate the results of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours of becoming aware of them
Data Protection Advisory Service
Phase 3: Monitoring and measuring
Monitoring by measurement
Process audit, internal audit
Check for and track regulatory updates from Thailand's DPA
Cyber security assessment (vulnerability assessment, penetration test)
Regularly evaluate feedback from individuals
Regularly report the level of compliance to top management
Data Protection Advisory Service
Phase 4: Optimization and improvement
Tune standard processes for full compliance
Improve processes through IT and cyber security enhancements
Adopt an international standard such as ISO 27001 as a systematic framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
46
5 Understand technically how to respond to hellip
copy 2020 Fujitsu (Thailand) Co Ltd
hellip Right to Access
(Article 30)
hellip Right to data portability
(Article 31)
hellip Right to object
(Article 32)
hellip Right to be forgotten
(Article 33)
hellip Right to restriction of processing
(Article 34)
hellip Right to rectification
(Article 35 36)
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
47 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Business
ITIS
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
48
6 Prioritize risks
copy 2020 Fujitsu (Thailand) Co Ltd
List risks to Data Subjects
bull Prioritized
List regulatory risks
bull Prioritized
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
49 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
Business
ITIS
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
[Roadmap diagram repeated; step added: Create and maintain records of processing]
9 Records of processing
Essential for the accountability principle (Article 39):
• the collected Personal Data
• the purpose of the collection of the Personal Data in each category
• details of the Data Controller
• the retention period of the Personal Data
• rights and methods for access to the Personal Data
• the use or disclosure
• the rejection of request or objection
• explanation of the appropriate security measures
[Roadmap diagram repeated; step added: Create incident response plans]
10 Incident response
What’s a personal data breach?
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
10 Incident response (Article 37 (4))
Notification of a breach to the supervisory authority within 72 hours
Notification to the Data Subject
Plan, and test the plan
Make sure legal are involved (because they will want to handle the notification)
How Fujitsu Thailand can help you
[Diagram, swim lanes “Business” and “IT/IS”]
Data Protection Advisory Service
Privacy & Cybersecurity Solutions
People, Policy, Processes, Technology
Consulting Service
Data Protection Advisory Service
Phase 1: Establishment
Phase 2: Implementation and operation
Phase 3: Monitoring, Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
Phase 1: Establishment
Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager, Working group
Establish Data Privacy Policy and the Objective
Define framework for protecting PII
Increase employee awareness by training and communication scheme
Data Protection Advisory Service
Phase 2: Implementation and operation
Collect consent; implement a single contact point for supporting “Individual Right” management
PII Inventory; conduct PII Life Cycle
Perform DPIA, Risk Assessment, Treatment
Define procedure, work instruction and standard process according to risk level
Monitor and evaluate the result of the risk treatment plan
Make sure major incidents are reported (with a Resolution plan) to the DPA within 72 Hrs
Data Protection Advisory Service
Phase 3: Monitoring, Measuring
Monitoring by measurement
Process audit, Internal audit
Check and update regulation of DPA Thailand
Cyber security assessment (VA, Penetration test)
Regularly evaluate feedback from the “Individual”
Regularly report the level of compliance to top management
Data Protection Advisory Service
Phase 4: Optimize and Improvement
Tuning standard process for full compliance
Improve process by IT and Cyber Security enhancement
Looking for an International Standard such as ISO 27001 as a systematic approach framework
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
End to End Security Solution Areas
Summary
People, policy and processes, and technology that deliver ‘privacy by nature’
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
50
7 Risk reduction and remediation
copy 2020 Fujitsu (Thailand) Co Ltd
Do we need to do this with that data
Confidentiality
bull Pseudonymization
bull Encryption
Access control ndash does everyone need access
What security posture based on data subject risk
bull Will you create different security zones
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
51 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Business
ITIS
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
52
8 DPIA for in-flight projects
copy 2020 Fujitsu (Thailand) Co Ltd
DPIAs required for lsquohigh riskrsquo processing and in specified circumstances
Needs to contain
bull Systematic description and basis of processing
bull Assessment of necessity and proportionality
bull Risks to Data Subjects
bull Risk reduction
Good practice
Think of any InfoSec projects (DLP monitoring) especially
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
53 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Business
ITIS
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
Phase 1: Establishment
• Top Management commitment
• Appoint Data Privacy committee
• Appoint Data Privacy Officer (DPO)
• Consent Manager / Working group
• Establish Data Privacy Policy and the objective; define framework for protecting PII
• Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
Phase 2: Implementation and operation
• Collect consent; implement a single contact point for supporting "Individual Right" management
• PII Inventory; conduct PII Life Cycle
• Perform DPIA: Risk Assessment and Treatment
• Define procedure, work instruction and standard process according to risk level
• Monitor and evaluate the result of the risk treatment plan
• Make sure major incidents are reported (with a Resolution plan) to the DPA within 72 Hrs
62
Data Protection Advisory Service
Phase 3: Monitoring and Measuring
• Monitoring by measurement
• Process audit, Internal audit
• Check and update regulations of DPA Thailand
• Cyber security assessment (VA, Penetration test)
• Regularly evaluate feedback from "Individuals"
• Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Phase 4: Optimize and Improvement
• Tuning the standard process for full compliance
• Improve processes by IT and Cyber Security enhancement
• Look to an International Standard such as ISO 27001 for a systematic approach framework
64
Privacy Management Solutions
• Assessment Automation
• Cookie Compliance
• Consent Management
• Data Discovery & Deletion
• Data Mapping
• Data Subject Rights Management
• Privacy Incident Response
• Privacy Policy & Notice
• Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisek@fujitsu.com
097-298-2153
54
9 Records of processing
copy 2020 Fujitsu (Thailand) Co Ltd
Essential for accountability principle (Article 39)
bull the collected Personal Data
bull the purpose of the collection of the Personal Data in each category
bull details of the Data Controller
bull the retention period of the Personal Data
bull rights and methods for access to the Personal Data
bull the use or disclosure
bull the rejection of request or objection
bull explanation of the appropriate security measures
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
55 copy 2020 Fujitsu (Thailand) Co Ltd
Creategovernanceframework
Where isyour data
Check allprocessing
isfair lawful
and allowed
Updatepolicies andcomms to
datasubjects
AppointData
ProtectionOfficer
Deleteunwanted
data
Risk Assessment
Processingoutside the
TH
Work outhow to
respond toData
Subjectrequests
Createrisk register
Prioritizerisk register
Risk reduction
and remediation
DPIA for in-flight projects
Create and maintain records of processing
Createincidentresponse
plans
Business
ITIS
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
56
10 Incident response
copy 2020 Fujitsu (Thailand) Co Ltd
Whatrsquos a personal data breach
lsquopersonal data breachrsquo means a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure of or access to personal data transmitted stored or otherwise processed
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
57
10 Incident response (Article 37 (4))
copy 2020 Fujitsu (Thailand) Co Ltd
Notification of a breach to supervisory authority within 72 hours
Notification to Data Subject
Plan test the plan
Make sure legal are involved (because they will want to handle the notification)
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
58
How Fujitsu Thailand can help you
copy 2020 Fujitsu (Thailand) Co Ltd
Data Protection Advisory Service
Privacy amp Cybersecurity Solutions
People Policy Processes Technology
Business
ITIS
59
Consulting Service
copy 2020 Fujitsu (Thailand) Co Ltd
Phase 1
Establishment
Phase 2
Implementation and operation
Phase 3
Monitoring Measuring
Phase 4
Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Establishment
Phase 1 Top Management commitment
Appoint Data Privacy committee
Appoint Data Privacy Officer (DPO)
Consent Manager Working group
Establish Data Privacy Policy and The Objective Define framework for
protecting PII
Increase employee awareness by training and communication scheme
61
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Implementation and operation
Phase 2 Collect consent implement single contact point for supporting
ldquoIndividual Rightrdquo management
PII Inventory Conduct PII Life Cycle
Perform DPIA Risk Assessment Treatment
Define procedure work instruction standard process as risk level
Monitoring and evaluate the result of risk treatment plan
Make sure report major incident (with Resolution plan) to DPA in 72 Hrs
62
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Monitoring Measuring
Phase 3 Monitoring by measurement
Process audit Internal audit
Check an Update regulation of DPA Thailand
Cyber security assessment (VA Penetration test)
Regularly evaluate feedback from ldquoIndividualrdquo
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
copy 2020 Fujitsu (Thailand) Co Ltd
Optimize and Improvement
Phase 4 Tuning standard process for fully compliance
Improve process by IT and Cyber Security enhancement
Looking for International Standard such as ISO 27001 for systematic
approach framework
64
Privacy Management Solutions
copy 2020 Fujitsu (Thailand) Co Ltd
Assessment Automation Cookie Compliance Consent Management Data Discovery amp Deletion Data Mapping Data Subject Rights Management Privacy Incident Response Privacy Policy amp Notice Vendor Risk Management
65
End to End Security Solution Areas
copy 2020 Fujitsu (Thailand) Co Ltd
66
Summary
copy 2020 Fujitsu (Thailand) Co Ltd
People policy and processes and technology that deliver lsquoprivacy by naturelsquo
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
Fujitsu Sans Light ndash abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucircuuml
yacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-=[]rsquo~ltgt|
copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacuteucirc
uumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
Fujitsu Sans Medium ndash abcdefghijklmnopqrstuvwxyz 0123456789 notrdquopound$^amp()_+-
=[]rsquo~ltgt| copyuml~iexclcentcurrenyenbrvbarsectumlordflaquoraquonot-
regmacrdegplusmnsup2sup3microparamiddotcedilsup1ordmfrac14frac12frac34iquestAgraveAacuteAcircAtildeAumlAringCcedilEgraveAEligEacuteEcircEumlIgraveIacuteIcircIumlETHNtildeOgraveOacuteOcircOtildeOumltimesOslashUgraveUacuteUcircUumlYacuteTHORNszligagraveaacuteacircatildeaumlaringaeligccedilegraveeacuteecirceumligraveiacuteicirciumlethntildeograveoacuteocircotildeoumldivideoslashugraveuacute
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl
59
Consulting Service
© 2020 Fujitsu (Thailand) Co Ltd
Phase 1: Establishment
Phase 2: Implementation and Operation
Phase 3: Monitoring and Measuring
Phase 4: Optimize and Improvement
Data Protection Advisory Service
60
Data Protection Advisory Service
Establishment
Phase 1: Top management commitment
Appoint a Data Privacy committee
Appoint a Data Privacy Officer (DPO)
Consent Manager working group
Establish the Data Privacy Policy and its objective; define the framework for protecting PII
Increase employee awareness through a training and communication scheme
61
Data Protection Advisory Service
Implementation and Operation
Phase 2: Collect consent; implement a single contact point to support "Individual Right" management
PII inventory; conduct the PII life cycle
Perform a DPIA: risk assessment and treatment
Define procedures, work instructions and standard processes according to risk level
Monitor and evaluate the results of the risk treatment plan
Make sure major incidents are reported (with a resolution plan) to the DPA within 72 hours
62
Data Protection Advisory Service
Monitoring and Measuring
Phase 3: Monitoring by measurement
Process audit and internal audit
Check for regulation updates from the DPA Thailand
Cyber security assessment (VA and penetration test)
Regularly evaluate feedback from the "Individual"
Regularly report the level of compliance to top management
63
Data Protection Advisory Service
Optimize and Improvement
Phase 4: Tune standard processes for full compliance
Improve processes through IT and cyber security enhancement
Look to international standards such as ISO 27001 for a systematic approach framework
64
Privacy Management Solutions
Assessment Automation, Cookie Compliance, Consent Management, Data Discovery & Deletion, Data Mapping, Data Subject Rights Management, Privacy Incident Response, Privacy Policy & Notice, Vendor Risk Management
65
End to End Security Solution Areas
66
Summary
People, policy and processes, and technology that deliver 'privacy by nature'
67
68
Contact
Pisek Bootta
Business Consultant
pisekfujitsucom
097-298-2153
ucircuumlyacutethornyumlĐıŒœŠšŸŽžƒʼˆˇˉ˙˚˛˜˝-‒ndashmdash
―lsquorsquosbquoldquordquobdquodaggerDaggerbullhellippermillsaquorsaquoolinefrasl⁰⁴⁵⁶⁷⁸⁹₀₁₂₃₄₅₆₇₈₉eurotradeΩrarrpart∆prodsumminusradicinfinintasympnelegesdotlozfifl