In September 2021, the Bank of Thailand (BOT) released its Data Governance Guidelines to provide financial institutions with recommendations on how to ensure that their data governance will comply with accepted international principles. While there are no penalties for non-compliance, financial institutions should consider the recommendations as minimum standard expectations for their data governance in Thailand.
The BOT guidelines set out five main principles of data governance:
- Data governance policy
Financial institutions should define their data governance policy in writing based on their company size, business operations, complexity, and data risk. The policy should cover all types of data, including data related to the services of third parties or business partners, and provide information on data governance structure, data lifecycle management, data security and confidentiality protection, and incident management.
Financial institutions must inform their employees and other affected parties of the policy to ensure their compliance. In addition, the data governance policy must be approved by the board or designated committee of the financial institution, and be reviewed and revised in response to material changes.
- Data governance structure
Financial institutions should establish a data governance structure with three lines of defense, overseen by an oversight committee. The first line of defense includes data management staff, a data approver, and data users; the second includes a risk management unit and a compliance unit; and the third is an audit unit. Although the chosen data governance structure can be adapted to the characteristics of the institution, the structure must cover all of these roles and functions and must not contravene the principle of checks and balances.
The data governance structure should also be supported by sufficient staff and equipment, as well as a clear plan, reviewed and revised as necessary, to raise awareness at all levels of the financial institution and among third parties.
- Data lifecycle management
A diagram or other record spanning all data paths within an organization should show every stage of the data lifecycle, including creation or acquisition, use or disclosure, retention and deletion or destruction. Standards and rules for the management of metadata should also be defined and updated if necessary. Finally, additional standards and rules should guarantee the quality, reliability and user-friendliness of the data.
- Data security and privacy protection
Data security measures should cover the sending and receiving of data via communication networks, the retention or use of data on work systems and recording media, and the deletion of data, including data related to third party service providers or other links to third parties.
The BOT Guidelines direct financial institutions to develop security measures in accordance with the 2019 BOT Information Technology Risk Notice and other relevant guidelines, which may be amended from time to time. When it comes to data privacy, financial institutions must comply with the Personal Data Protection Act BE 2562 (2019). In addition, financial institutions must follow the market conduct prescribed by the BOT in the management and administration of customer data.
- Data incident management
With a focus on preventing incidents that can cause damage, the guidelines advise financial institutions to implement processes for monitoring and managing data incidents. These processes should cover areas such as preparing for a data breach, identifying a data problem, analyzing the cause, and gathering evidence. If an incident affects business continuity, financial institutions can follow their own business continuity plan.
While the BOT guidelines are aimed at financial institutions, business operators in other sectors can also adopt the guidelines for their data governance.