In September 2021, the Bank of Thailand (BOT) issued its Guidelines on Data Governance to provide financial institutions with recommendations on how to ensure that their data governance will be in compliance with accepted international principles. While there are no penalties for noncompliance, financial institutions should view the recommendations as minimum standard expectations for their data governance in Thailand.
The BOT guidelines set forth five main data governance principles:
- Data Governance Policy
Financial institutions should set forth their data governance policy in writing in accordance with their business size, business operations, business complexity, and data risk. The policy should cover all types of data, including data related to services from third parties or business partners, as well as provide information on the data governance structure, data lifecycle management, protection of data security and data privacy, and incident management.
Financial institutions should inform their employees and other relevant parties of the policy to ensure their compliance. In addition, the data governance policy must be approved by the designated board or committee of the financial institution, and be reviewed and revised in response to significant changes.
- Data Governance Structure
Financial institutions should establish a data governance structure with three lines of defense, supervised by an oversight committee. The first line of defense comprises data management personnel, a data approver, and data users; the second comprises a risk management unit and a compliance unit; and the third is an audit unit. While the chosen data governance structure can be tailored to the characteristics of the institution, the structure should cover all of these roles and duties, and must not contravene the principle of checks and balances.
The data governance structure should also be supported by sufficient personnel and equipment, as well as a clear plan—reviewed and revised as necessary—for building awareness at all levels of the financial institution and among third parties.
- Data Lifecycle Management
A diagram or other record covering all data pathways within an organization should show every step in the data lifecycle, including creation or acquisition, use or disclosure, retention, and deletion or destruction. Metadata management standards and rules should also be set and updated as necessary. Finally, additional standards and rules should ensure the quality, reliability, and usability of data.
- Protection of Data Security and Data Privacy
Data security measures should cover the sending and receiving of data via communication networks, retention or use of data on the working systems and recording materials, and deletion of data—including data related to third-party service providers or other links to third parties.
The BOT guidelines direct financial institutions to develop security measures in accordance with the BOT’s 2019 notification on information technology risk and other relevant guidelines, as may be amended from time to time. As for data privacy, financial institutions are to comply with the Personal Data Protection Act B.E. 2562 (2019). In addition, financial institutions are to follow market conduct prescribed by the BOT in managing and administering customer data.
- Incident Management
With a focus on preventing incidents that might cause damage, the guidelines advise financial institutions to implement processes for monitoring and managing data incidents. These processes should cover areas such as readiness for a data breach, identification of a data issue, analysis of the cause, evidence gathering, and so on. If an incident affects business continuity, financial institutions may follow their own business continuity plan.
While the BOT guidelines are directed toward financial institutions, business operators in other industries may also adopt the guidelines for their data governance.
For more information on these guidelines, or on any aspect of data protection or financial services provision in Thailand, please contact Tilleke & Gibbins at [email protected].