EGCO Group places great importance on data protection and privacy of employees, customers, suppliers, and every stakeholder. The Company stipulated strict internal data abuse prevention guidelines as well as established and announced the data privacy protection policy publicly. This is to ensure that any operation handling personal information is secure, stable, reliable, in full compliance with related laws, and is trusted by the data owner. EGCO Group has established mechanisms to ensure effective compliance with the policy as follow:
- Risk management is the shared responsibility of management and employees at all levels. And this needs to be continued even if the risks cannot be eradicated. But effective risk management benefits the organization. To manage and control risks to an acceptable level and appropriate to the benefit derived from the control.
- Information security risks refer to any future incident and affected to Confidentiality Integrity or Availability of the organization’s information system.
- Cyber security risks refer to any event that may happen in the future. Due to cyber threats relying on various weaknesses and gaps. Attack the system Technology equipment and the network system affects the service system and the organization’s information system.
The risk management process must consist of the following main steps:
- Identifying potential risks and impacts on information security.
- Risk assessment
- Risk management
- Risk monitoring and reporting
EGCO has issued Personal Data Protection Procedure to act as a guidance for securing personal data of Company’s partners, suppliers, business alliances, officers, and stakeholders that are complied to the company’s Personal Data Protection Policy and Personal Data Protection Act B.E.2562, which aligned with the company’s group-wide risk assessment. Any personnels related to handling personal data will be provided with introduction to related laws with case examples, and courses of action based on different situations to be able to collect, utilize, manage, disclose or dispose the data while being aligned with the standard impose under the law to ensure that the operation of the company will be secure, safe, reliable while maintaining safety to personal data subject.
Personal Data Protection Procedure
For the external audit, EGCO engaged third party (EY Corporate Services Limited: “EY”) to conduct an audit on personal data protection management with scope of the audit of: Personal data governance, personal data processing, personal data subject rights management, personal data breach management, personal data disclosures, and information security. EY gathered information from the interview of relevant stakeholders and reviewed related documents to understand EGCO’s current personal data protection management and then compare with the Personal Data Protection Act B.E. 2562 and applicable laws to identify observations and recommendations to improve the effectiveness of personal data protection management. In addition, information security practices are audited on a yearly basis as part of External Independent Assurance of GRI 418-1 (Substantiated complaints concerning breaches of customer privacy and losses of customer data) to monitor the level of compliance to EGCO’s measures and regulatory requirements.