EGCO Group places great importance on data protection and privacy of employees, customers, suppliers, and every stakeholder. The Company has stipulated strict internal guidelines for preventing data abuse and has established and publicly announced its data privacy protection policy. This is to ensure that any operation handling personal information is secure, stable, reliable, in full compliance with related laws, and is trusted by the data owner. EGCO Group has established mechanisms to ensure effective compliance with the policy as follows:

Cybersecurity and Data Risk Management

Data security is a corporate risk that requires management and monitoring. Cybersecurity and privacy policy systems are embedded in group-wide key risk factors and management.

  1. Risk management is a responsibility shared by management and employees across all levels. It requires continuous implementation even if the risks cannot be eliminated. Effective risk management enables the company to keep risks at an acceptable level while simultaneously fostering appropriate benefits for the company.
  2. Information security risks refer to potential incidents that may occur in the future that affect the confidentiality, integrity, or availability of the organization’s information management system.
  3. Cybersecurity risks refer to potential incidents that may occur in the future as a result of cyber threats exploiting weaknesses and security gaps to attack the system, technology, equipment, and internal network systems, thereby causing damage to the company’s service and information management systems.

The risk management process comprises the following key steps:

  • Identification of risk and potential impacts on data security
  • Risk assessment
  • Risk management
  • Risk monitoring and reporting

Privacy Policy Compliance

EGCO Group has developed a personal data protection procedure to serve as a guide for safeguarding the privacy data of partners, suppliers, business partners, employees, and stakeholders. This procedure is established in compliance with the Corporate Personal Data Protection Policy and Personal Data Protection Act B.E. 2562, while also aligning with EGCO Group’s risk management approaches. Parties responsible for managing privacy data are equipped with relevant regulations, case studies, and guidelines on actions to be taken in various situations to enable them to collect, utilize, manage, disclose, or dispose of the data as set forth by the legislative framework. Such practice ensures the security, safety, and reliability of the company while maintaining the privacy rights of data owners.

Personal Data Protection Procedure

To ensure the reliability of privacy protection programs and alignment with the company’s privacy policy, EGCO Group assigned the Internal Audit Division and commissioned an External Auditor to conduct data privacy audits.

Internal Audits of the Privacy Policy Compliance. The Internal Audit Division conducts reviews to assess the sufficiency and appropriateness of the internal auditing system and regularly monitors privacy policy compliance to ensure alignment with the Personal Data Protection Act (PDPA). Findings of the audit will be reported to the Audit Committee for approval prior to being presented to the Board of Directors.

In 2023, the Internal Audit Division conducted the PDPA compliance internal audits across the group’s companies including Khanom Power Plant Co., Ltd. (KEGCO), EGCO Engineering Service Co., Ltd. (ESCO), Power Plant Business 1 (PB1), Power Plant Business 2 (PB2), Power Plant Business 3 (PB3), Klongluang Utility Co., Ltd. (KLU), Banpong Utility Co., Ltd. (BPU), EGCO Cogeneration Co., Ltd. (EGCO Cogen), and Roi-Et Green Co., Ltd. (RG). These audits encompassed personal data management, information security management, and monitoring the corrective actions recommended in the 2022 PDPA Management Process Auditing Report conducted by EY Corporate Services Limited.

Summary of the internal audit observations for internal control system improvement.

  • Monitoring the corrective actions recommended by the consultant.
  • Compliance audit against EGCO Group Policy and supplier’s compliance with Data Processing Agreement (DPA).
  • Guidance to grievance reporting according to regulatory requirements.
  • Personal data storage as per the guidance.
  • Employees’ acknowledgment and experience regarding EGCO Group’s PDPA policy and guidance were at a good level.

Third-party Audits of the Privacy Policy Compliance: EGCO Group ensures that its operations are audited by third-party experts. In 2022, EGCO Group commissioned a third party (EY Corporate Services Limited: “EY”) to conduct a personal data protection management audit, covering personal data governance, personal data processing, personal data subject rights management, personal data breach management, personal data disclosures, and information security. Stakeholder interviews and document reviews enable the consultant to understand EGCO Group’s actual personal data management practices and compare them against the requirements of the PDPA and relevant regulations enforced in 2019. The consultant then provided observations and recommendations aimed at enhancing the efficiency of the company’s personal data management. Furthermore, EGCO Group conducts an annual data security review as part of External Independent Assurance of GRI 418-1 (Substantiated complaints concerning breaches of customer privacy and losses of customer data) to monitor compliance with the company’s requirements.

Summary of the external audit observations for improvement.

  • Personal data processing activities should be recorded thoroughly and kept up-to-date.