News,
Views and
Information

For Further Information Contact:

thailand@transatlanticlaw.com

Bank of Thailand Issues Data Governance Guidance for Financial Institutions

In September 2021, the Bank of Thailand (BOT) issued its Guidelines on Data Governance to provide financial institutions with recommendations on how to ensure that their data governance will be in compliance with accepted international principles. While there are no penalties for noncompliance, financial institutions should view the recommendations as minimum standard expectations for their data governance in Thailand.

The BOT guidelines set forth five main data governance principles:

Data Governance Policy

Financial institutions should set forth their data governance policy in writing in accordance with their business size, business operations, business complexity, and data risk. The policy should cover all types of data, including data related to services from third parties or business partners, and provide information on the data governance structure, data lifecycle management, protection of data security and data privacy, and incident management.

Data Governance Structure

Financial institutions should establish a data governance structure with three lines of defense, supervised by an oversight committee. The first line of defense comprises data management personnel, a data approver, and data users; the second comprises a risk management unit and a compliance unit; and the third is an audit unit. While the chosen data governance structure can be tailored to the characteristics of the institution, the structure should cover all of these roles and duties, and must not contravene the principle of checks and balances. 

The data governance structure should also be supported by sufficient personnel and equipment, as well as a clear plan—reviewed and revised as necessary—for building awareness at all levels of the financial institution and among third parties.

Data Lifecycle Management

A diagram or other record covering all data pathways within an organization should show every step in the data lifecycle, including creation or acquisition, use or disclosure, retention, and deletion or destruction. Metadata management standards and rules should also be set and updated as necessary. Finally, additional standards and rules should ensure the quality, reliability, and usability of data.

Protection of Data Security and Data Privacy

Data security measures should cover the sending and receiving of data via communication networks, retention or use of data on the working systems and recording materials, and deletion of data—including data related to third-party service providers or other links to third parties.

The BOT guidelines direct financial institutions to develop security measures in accordance with the BOT’s 2019 notification on information technology risk and other relevant guidelines, as may be amended from time to time. As for data privacy, financial institutions are to comply with the Personal Data Protection Act B.E. 2562 (2019). In addition, financial institutions are to follow market conduct prescribed by the BOT in managing and administering customer data.

Incident Management

Financial institutions should inform their employees and other relevant parties of the policy to ensure their compliance. In addition, the data governance policy must be approved by the designated board or committee of the financial institution, and be reviewed and revised in response to significant changes.

While the BOT guidelines are directed toward financial institutions, business operators in other industries may also adopt the guidelines for their data governance.

With a focus on preventing incidents that might cause damage, the guidelines advise financial institutions to implement processes for monitoring and managing data incidents. These processes should cover areas such as readiness for a data breach, identification of a data issue, analysis of the cause, evidence gathering, and so on. If an incident affects business continuity, financial institutions may follow their own business continuity plan.

By Tilleke & Gibbins, Thailand, a Transatlantic Law International Affiliated Firm. 

For more information on this development, to discuss how your company can prepare for these provisions, or for any other queries about Thai employment law, please contact thailand@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.