
Personal data protection compliance assessment: A privacy policy scoring approach and empirical evidence from Thailand's SMEs

Privacy policies, intended to provide information to individuals regarding how their personal data is processed, are often complex and challenging for users to understand. Businesses often demonstrate non-compliance with personal data protection laws, ranging from the absence of privacy policies to...


Bibliographic Details
Main Authors: Chatsuwan, Panchapawn, Phromma, Tanawat, Surasvadi, Navaporn, Thajchayapong, Suttipong
Format: Online Article Text
Language: English
Published: Elsevier 2023
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10597812/
https://www.ncbi.nlm.nih.gov/pubmed/37886776
http://dx.doi.org/10.1016/j.heliyon.2023.e20648
_version_ 1785125426671124480
author Chatsuwan, Panchapawn
Phromma, Tanawat
Surasvadi, Navaporn
Thajchayapong, Suttipong
collection PubMed
description Privacy policies, intended to provide information to individuals regarding how their personal data is processed, are often complex and challenging for users to understand. Businesses often demonstrate non-compliance with personal data protection laws, ranging from the absence of privacy policies to the existence of policies that do not adhere to legal requirements. This paper aims to (1) develop a quantitative and systematic tool for evaluating privacy policies' compliance with the Personal Data Protection Act (PDPA), (2) assess compliance among Small and Medium Enterprises (SMEs) in Thailand, and (3) provide recommendations for enhancing compliance practices. To achieve this, we proposed a multi-criteria privacy policy scoring model integrated with comprehensive statistical data analyses. The privacy policy scoring model consists of ten privacy principles and 31 privacy criteria, providing a structured framework for evaluating privacy policies. During a two-year postponement period for enforcing the PDPA law, we conducted a stratified random-sampling survey of 384 SMEs to evaluate their privacy policies using the proposed scoring model. The accomplished results revealed significantly lower scores than anticipated, with the nationwide average score of SMEs reaching only 6.1909 out of 100 points. More than half of the SMEs collected personal data without announcing privacy policies, and those with privacy policies adhered to an average of only 12.15 out of 31 privacy criteria. These findings highlight the pressing need to improve compliance practices among SMEs in Thailand. The proposed methodology can be customized and applied to align with the requirements of personal data protection laws in other countries. 
Additionally, our findings indicate that compliance with the PDPA is influenced by the Thailand Standard Industrial Classification (TSIC) sections, suggesting the adoption of tailored approaches by policymakers to address the specific needs of different TSIC sections.
format Online
Article
Text
id pubmed-10597812
institution National Center for Biotechnology Information
language English
publishDate 2023
publisher Elsevier
record_format MEDLINE/PubMed
spelling pubmed-10597812 2023-10-26 Personal data protection compliance assessment: A privacy policy scoring approach and empirical evidence from Thailand's SMEs Chatsuwan, Panchapawn Phromma, Tanawat Surasvadi, Navaporn Thajchayapong, Suttipong Heliyon Research Article Elsevier 2023-10-17 /pmc/articles/PMC10597812/ /pubmed/37886776 http://dx.doi.org/10.1016/j.heliyon.2023.e20648 Text en © 2023 The Author(s) https://creativecommons.org/licenses/by/4.0/ This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
title Personal data protection compliance assessment: A privacy policy scoring approach and empirical evidence from Thailand's SMEs
topic Research Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10597812/
https://www.ncbi.nlm.nih.gov/pubmed/37886776
http://dx.doi.org/10.1016/j.heliyon.2023.e20648