09 - Data Ethics, Security, and Privacy in a Global Context.pdf

NattapongKongprasert2 1 views 44 slides Oct 09, 2025

Data Analytics and Governance for Business Decision - Assistant Professor Dr. Nattapong Kongprasert
Assistant Professor Dr. Nattapong Kongprasert
Data Ethics, Security, and Privacy in a Global Context

Content
•Data Ethics
•Data Security
•Data Privacy

The Ethics of Data: Legal vs. Right
Key Question for Leaders: Not “Can we do this?” but “Should we do this?”
The Pattaya Context: "A hotel in Pattaya could legally use publicly available social media data to
profile incoming guests, offering better service to those who appear wealthy and standard service to
others. It might be legal under your terms, but is it ethical? Does it build the long-term trust your
brand needs?"
Just because your terms and conditions allow something, it doesn't mean your customers will be happy about it. Operating in
the 'creepy zone' is a significant business risk. The goal is to operate where 'legal' and 'right' overlap.
[Figure: two overlapping circles, "What is legal?" (defined by laws like PDPA) and "What is right?" (defined by societal norms and ethics), with a region labelled "The creepy zone".]

What is data ethics?
Data ethics refers to the moral principles that govern the responsible collection,
processing, and use of data. It focuses on ensuring data practices are fair, transparent,
and respectful of individual rights and societal values, while also considering potential
negative impacts. Essentially, it's about asking not just what can be done with data, but
what should be done with it.

Core Principles
•Privacy: Protecting the confidentiality and security of personal information.
•Transparency: Being open and honest about how data is collected, used, and shared.
•Fairness: Avoiding bias and discrimination in data collection and use.
•Accountability: Taking responsibility for the ethical implications of data practices.
•Informed Consent: Ensuring individuals are aware of and agree to how their data is being
used.

Key Considerations
•Data Collection: Ethical considerations include what data is collected, why it's collected,
and how it's obtained.
•Data Processing: Ensuring data is processed fairly, accurately, and without bias.
•Data Use: Considering the potential impacts of data use on individuals and society, including
potential harms and benefits.
•Data Security: Protecting data from unauthorized access and misuse.
•Data Governance: Establishing clear rules and guidelines for data management and ethical
practices.

What are the business benefits of data ethics?
•Trust: Businesses that apply the key ethics principles of fairness, privacy, transparency and
accountability to their AI models and output can retain trust in how they use their data—
and thus build greater goodwill and loyalty, which enhances their reputation and brand
value.
•Fair practices: Unintended bias can creep in from anywhere and negatively impact business
decisions. Companies that adhere to data ethics principles and standards can demonstrate
their fairness in decision-making.
•Data privacy compliance: Existing data privacy regulations like the General Data Protection
Regulation (GDPR) and the California Consumer Privacy Act (CCPA) do not directly address
ethics, but there is a significant overlap between key privacy requirements, such as
lawfulness and accountability, and the principles of AI ethics. Thus, ensuring ethical AI helps
ensure data privacy compliance.

Why is data ethics important?
•Building Trust: Ethical data practices build trust with individuals and stakeholders.
•Avoiding Harm: Minimizing the potential for negative impacts on individuals and society.
•Maintaining Reputation: Protecting the organization's reputation and avoiding legal
repercussions.
•Promoting Innovation: Ensuring that data is used responsibly and ethically to drive
innovation and progress.

Bias In, Bias Out
•The Principle: If your historical data reflects societal biases, your algorithms will learn,
automate, and amplify those biases at an incredible scale.
•The Business Impact:
•You alienate entire customer segments.
•You make flawed, discriminatory decisions in hiring, credit, and marketing.
•You face significant reputational damage and legal challenges.
An algorithm is not inherently objective. It's a reflection of the data it was trained on. As managers, you are responsible for
questioning the data sources used to build predictive models to ensure they are fair and representative.
[Figure: "Biased Historical Data" (e.g., past hiring data that favored men for management roles) is fed into an "AI/ML Algorithm." The output is a "Biased Decision" (e.g., the AI automatically ranks male candidates higher).]

Data ethics example: Exploring real-world scenarios
Facebook and Cambridge Analytica scandal
Situation: In 2018, it was revealed that the political consulting firm Cambridge Analytica had harvested the
personal data of millions of Facebook profiles without consent and used it for political advertising.
Ethical concern:
•The primary ethical concern here was the unauthorized access and use of personal data.
•Users did not know, nor did they consent to, their data being used for political profiling and targeted
advertising.
•This scandal raised questions about consent, transparency, and the responsibility of platforms in
protecting user data.
Outcome: The scandal led to a significant outcry, with Facebook facing heavy scrutiny and criticism.
It underlined the need for stringent data protection measures and the ethical use of user data, prompting
many organizations to reassess their data handling practices.

Data ethics example: Exploring real-world scenarios
Google Street View data collection
Situation: Between 2008 and 2010, Google Street View vehicles, while capturing images, inadvertently
collected data from unencrypted Wi-Fi networks, including emails and passwords.
Ethical concern:
•Google did not have permission to collect personal data from these networks.
•This raised issues related to privacy, consent, and unintentional data collection.
Outcome:
•Google faced legal actions in multiple countries.
•They eventually settled lawsuits and took measures to improve privacy checks in their products.
•This incident highlighted the need for robust data governance and ethical considerations even in
unintentional data collection.


Data Security vs. Data Privacy
•Data Security: The technical measures used to protect data from unauthorized access. (e.g.,
Encryption, Firewalls, Access Controls). It's about keeping people out.
•Data Privacy: The rules and policies governing how data is collected, used, and shared. It's
about respecting an individual's rights. It's about what you do with the data you have.
You need strong security to enable privacy, but security alone does not guarantee it. You can have a very secure database full
of data that was collected unethically.
•Data Security (The Fortress): Like a house with strong walls, locked doors, and a security camera.
•Data Privacy (The Rules): Like the people inside the house, with rules about who can enter which room.

What is data security?
Data security is the practice of protecting digital information from unauthorized access,
corruption, or loss. It involves various measures and strategies to ensure the
confidentiality, integrity, and availability of data throughout its lifecycle. This includes
everything from physical security of hardware to access controls and software security.

Core Concepts
•Confidentiality: Ensuring that sensitive data is only accessible to authorized individuals or
systems.
•Integrity: Maintaining the accuracy and completeness of data, preventing unauthorized
modification or corruption.
•Availability: Ensuring that authorized users have timely and reliable access to data when
needed.

Key Aspects of Data Security
•Access Control: Implementing mechanisms to restrict access to data based on user roles and
permissions.
•Encryption: Converting data into an unreadable format (ciphertext) to protect it from
unauthorized access.
•Data Loss Prevention (DLP): Implementing measures to prevent sensitive data from leaving the
organization's control.
•Security Auditing: Regularly reviewing security logs and systems to identify and address potential
vulnerabilities.
•Incident Response: Having a plan in place to detect, respond to, and recover from security
breaches.
•Compliance: Adhering to relevant regulations and industry standards related to data security,
such as GDPR or HIPAA.

Why is data security important?
•Protecting sensitive information: Safeguarding personal, financial, and other sensitive data
from unauthorized access and misuse.
•Maintaining trust and reputation: Ensuring customer confidence and preventing damage to
an organization's reputation.
•Complying with regulations: Meeting legal and industry requirements related to data
protection.
•Preventing financial losses: Protecting against data breaches that can lead to financial
penalties, legal costs, and lost revenue.
•Ensuring business continuity: Minimizing the impact of security incidents on business
operations.

Types of data security
Organizations can use a wide range of data security types to safeguard their data,
devices, networks, systems, and users. Some of the most common types of data
security, which organizations should look to combine to ensure they have the best
possible strategy, include the following.
Source: https://www.fortinet.com/resources/cyberglossary/data-security

Types of data security
•Encryption: By using an algorithm to transform normal text characters into an unreadable format,
encryption keys scramble data so that only authorized users can read it.
•Data erasure: Data erasure uses software to completely overwrite data on any storage device, making it
more secure than standard data wiping. It verifies that the data is unrecoverable.
•Data masking: By masking data, organizations can allow teams to develop applications or train people
that use real data. It masks personally identifiable information (PII) where necessary so that
development can occur in environments that are compliant.
•Data resiliency: Resiliency depends on how well an organization endures or recovers from any type of
failure, from hardware problems to power shortages and other events that affect data availability.


What is data privacy?
Data privacy, also known as information privacy, refers to the handling, collection,
storage, and sharing of personal data, ensuring individuals have control over their
information and how it's used. It involves protecting sensitive information from
unauthorized access, misuse, or disclosure, and complying with relevant privacy laws
and regulations.

Key Aspects of Data Privacy
•Control and Transparency: Individuals should have control over their personal information, including the ability
to access, correct, or delete it. Organizations should be transparent about how they collect, use, and share data.
•Security: Data privacy necessitates robust security measures to protect data from unauthorized access, breaches,
and other threats. This includes technical safeguards (like encryption and firewalls) and administrative safeguards
(like access controls).
•Compliance: Data privacy is closely linked to legal and regulatory frameworks. Organizations must comply with
data protection laws and regulations such as GDPR, CCPA, and others.
•Ethical Considerations: Data privacy also involves ethical considerations, such as respecting individuals' privacy
preferences and using data responsibly.
•Data Minimization: Organizations should only collect the necessary data for a specific purpose and retain it only
as long as needed.
•Individual Rights: Data privacy laws often grant individuals specific rights, such as the right to access their data,
the right to rectification, the right to erasure, and the right to object to processing.

Why is Data Privacy Important?
•Protecting Individuals: Data privacy helps prevent identity theft, fraud, and other harms
that can result from misuse of personal information.
•Building Trust: When individuals trust that their data is being handled responsibly, it fosters
trust in organizations and businesses.
•Complying with Regulations: Data privacy laws and regulations are designed to protect
individuals' rights and ensure responsible data handling.
•Avoiding Penalties: Non-compliance with data privacy regulations can lead to significant
fines, legal action, and reputational damage.

The Global Privacy Landscape: A Manager's Overview
•The Global Shift: The fundamental principle is changing from "the company owns the
data" to "the individual owns their data."
•Core Concepts You Must Know:
•Consent: You need a clear, lawful basis to process someone's data.
•Data Subject Rights: Individuals have the right to access, correct, and request
deletion of their data.
•Accountability: Your organization is responsible for protecting the data and demonstrating
compliance.

What are the laws governing data privacy?
Many countries around the world have implemented laws and regulations to ensure
that personal data is collected, stored, and used in a way that is respectful of
individual privacy. In this section, we will explore some of the key data privacy laws
from around the world.
•General Data Protection Regulation (GDPR) - European Union (EU)
•California Consumer Privacy Act (CCPA) - USA
•Personal Information Protection Law (PIPL) - China
•Personal Data Protection Act (PDPA) - Thailand

General Data Protection Regulation (GDPR)
The GDPR establishes the general obligations of data controllers and of those processing personal
data on their behalf (processors). These include the obligation to implement appropriate security
measures, according to the risk involved in the data processing operations they perform. The EU
general data protection regulation (GDPR) is the strongest privacy and security law in the world.
The GDPR defines:
•individuals’ fundamental rights in the digital age
•the obligations of those processing data
•methods for ensuring compliance
•sanctions for those in breach of the rules
Source: https://www.consilium.europa.eu/en/policies/data-protection-regulation/

Rights of individuals
The GDPR lists the rights of the data subject, meaning the rights of the individuals whose
personal data is being processed. These strengthened rights give individuals more control
over their personal data, including through:
•the need for an individual's clear consent to the processing of his or her personal data
•easier access for the data subject to his or her personal data
•the right to rectification, to erasure and to be forgotten
•the right to object, including to the use of personal data for the purposes of ‘profiling’
•the right to data portability from one service provider to another

California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a state law that grants California residents
greater control over their personal information. It gives consumers the right to know
what personal information businesses collect, how it's used, and with whom it's shared.
It also allows consumers to request deletion of their data, opt-out of the sale of their
information, and prohibits businesses from discriminating against them for exercising
their privacy rights.

CCPA rights and protections
CCPA guidelines were designed to give California consumers a set of rights that deals expressly with
personal data privacy and affords them reasonable security safeguards. These rights include
Californians’ ability to make consumer requests about their customer data. These requests can
include how to:
•Prevent sale of their personal information to third-party companies (that is, The Right to Prevent
Resale) by issuing the so-called “Do not sell my personal information” directive
•Ask for data about any personal information that has been collected (The Right to Access)
•Request that all collected data about that consumer be deleted (The Right to Be Forgotten)

Personal Information Protection Law (PIPL)
The Personal Information Protection Law (PIPL) is China's comprehensive data privacy
law, enacted to protect the personal information of individuals within mainland China.
It regulates how organizations and individuals collect, store, use, process, and transfer
personal information. The PIPL is similar to the EU's GDPR in its scope and purpose, but
it also has unique aspects that reflect China's specific legal and cultural context.

Key Aspects of the PIPL
•Scope: The PIPL applies to the processing of personal information of individuals within mainland China,
including both organizations and individuals based in China and those processing data of Chinese citizens
from outside China.
•Purpose: It aims to protect individuals' rights and interests related to their personal information,
standardize personal information handling activities, and promote the rational use of personal
information.
•Principles: The PIPL emphasizes principles like legality, fairness, necessity, openness, transparency, and
accuracy in data processing.
•Data Subject Rights: Individuals have rights to access, correct, and delete their personal information, as
well as to withdraw consent for processing.

Key Aspects of the PIPL
•Sensitive Personal Information: The PIPL imposes stricter requirements for handling sensitive personal
information, such as health or financial data, requiring explicit consent and stricter security measures.
•Cross-Border Data Transfers: Organizations need to obtain consent and implement specific measures
for transferring personal information outside of China.
•Compliance: Organizations must implement security measures to prevent data leaks and unauthorized
access, and in some cases, they may need to appoint a data protection officer.
•Enforcement: The Cyberspace Administration of China (CAC) is the primary regulator responsible for
enforcing the PIPL.
•Effective Date: The PIPL came into effect on November 1, 2021.

Personal Data Protection Act (PDPA)
The Personal Data Protection Act (PDPA) is a law designed to protect personal data in
Thailand. It regulates how organizations collect, use, and disclose personal information,
ensuring individuals' privacy rights are upheld. The PDPA aims to prevent the misuse of
personal data and establishes obligations for organizations handling such data.

Key Aspects of PDPA
•Purpose: The PDPA, influenced by the GDPR, aims to protect personal data from unlawful
gathering and use.
•Scope: It applies to all organizations, businesses, and websites that collect personal data
from individuals in Thailand, as well as foreign companies doing business with or collecting
personal data from Thailand.
•Key Principles: The PDPA emphasizes the importance of consent, purpose limitation, data
accuracy, security, and accountability in handling personal data.
•Sensitive Data: The law also addresses sensitive personal data (like race, ethnicity,
political opinions, etc.) which requires even more careful handling and protection.

Key Aspects of PDPA
•Consequences of Non-Compliance: Violations of the PDPA can result in various penalties,
including civil, criminal, and administrative sanctions, with fines reaching up to 5 million
Baht and potential imprisonment.
•Impact on Businesses: The PDPA significantly impacts how businesses operate, requiring
them to implement new processes, policies, and potentially invest in new technologies
and personnel to ensure compliance.
•Data Breach Notification: The PDPA includes provisions for data breach notification,
requiring organizations to report security incidents to the relevant authorities.
•Establishment of a Data Protection Authority: The PDPA also led to the establishment
of a Personal Data Protection Committee (PDPC), which will issue further sub-regulations
and guidance on the PDPA.

Global Data Privacy Regulations: A Manager's Comparison
Regulations compared: GDPR (General Data Protection Regulation), CCPA/CPRA (California Consumer Privacy Act/Privacy Rights Act), PIPL (Personal Information Protection Law), PDPA (Personal Data Protection Act).

Region
•GDPR: European Union (EU) & European Economic Area (EEA)
•CCPA/CPRA: California, USA
•PIPL: People's Republic of China
•PDPA: Thailand

Who is Protected?
•GDPR: Anyone in the EU/EEA, regardless of their citizenship. Has broad extra-territorial reach.
•CCPA/CPRA: "Consumers" who are residents of California.
•PIPL: Individuals within the territory of China. Has extra-territorial reach.
•PDPA: Anyone whose data is collected or processed in Thailand.

Core Philosophy
•GDPR: Opt-in: Data processing is prohibited by default. You must have a specific, lawful basis (like explicit consent) to collect and use data.
•CCPA/CPRA: Opt-out: Companies can collect and process data by default, but consumers must be given an easy way to opt out of their data being "sold" or "shared."
•PIPL: Strict Opt-in: Similar to GDPR, but requires separate, explicit consent for many different processing activities (e.g., collecting sensitive data, transferring data abroad).
•PDPA: Opt-in: Modeled after GDPR. You must have a lawful basis, and consent must be explicit, clear, and easily withdrawn.

Key Right for Individuals
•GDPR: The "Right to be Forgotten" (Right to Erasure), allowing individuals to request the complete deletion of their data.
•CCPA/CPRA: The "Right to Opt-Out of Sale/Sharing," allowing consumers to stop businesses from selling their personal information.
•PIPL: Strict control over consent. The ability to withdraw consent easily, and the requirement for re-consent for new purposes.
•PDPA: The right to access, correct, and request deletion of personal data, similar to GDPR.

Rules on Cross-Border Data Transfer
•GDPR: Highly Restricted. Data can only be transferred to countries with an "adequacy decision" from the EU, or via strict legal mechanisms.
•CCPA/CPRA: Less Restricted. Focuses more on informing consumers about data transfers than on actively restricting them.
•PIPL: Extremely Restricted. Transferring data outside of China is a major compliance hurdle, often requiring government security assessments or standard contracts.
•PDPA: Restricted. Similar to GDPR, data transfers are generally only permitted to countries with adequate data protection standards.

Potential Fines
•GDPR: Up to €20 million or 4% of global annual revenue, whichever is higher.
•CCPA/CPRA: Up to $7,500 per intentional violation. Statutory damages in case of data breaches.
•PIPL: Up to RMB 50 million or 5% of the previous year's annual revenue. Potentially the strictest penalties.
•PDPA: Administrative fines up to THB 5 million, plus potential criminal penalties and civil damages paid to individuals.

Key Takeaway for Managers
•GDPR: The Global Gold Standard. If you have customers in Europe, you must comply. Its principles are the foundation for many other laws.
•CCPA/CPRA: The U.S. Trendsetter. Focuses on transparency and giving consumers control to stop data sales. Signals the direction of U.S. privacy law.
•PIPL: A Major Operational Hurdle. If you do business in China, you must prioritize PIPL. The rules on consent and data transfers out of China are extremely challenging.
•PDPA: Your Local Reality. This is Thailand's GDPR. If you operate here, especially in tourism, hospitality, or e-commerce, compliance is not optional. You must understand consent and data rights.

Summary & Key Takeaways
•Ethical data handling means asking "should we" not just "can we".
•Biased data leads to biased and damaging business decisions.
•Security is the fortress; Privacy is the rules inside the fortress.
•Privacy regulations like PDPA are not optional; they are a legal requirement for doing
business in Thailand.

Case Study #9

Case Study #9: Cambridge Analytica & The Weaponization of Data
The scandal that changed the internet

The Timeline of the Breach
1. The App (2014): A researcher creates a personality quiz app, "thisisyourdigitallife".
2. The Collection: The app collected personal data not just from the ~270,000 users who
took the quiz, but also scraped the data of their entire friend networks—~87 million
people—without their consent.
3. The Sale: The researcher violated Facebook's policies by selling this massive dataset to
Cambridge Analytica, a political consulting firm.
4. The Weaponization: Cambridge Analytica used the data to build psychological profiles of
voters to target them with highly personalized and manipulative political ads.

The Business Impact on Facebook
•Financial Cost:
•A $5 billion fine from the U.S. Federal Trade Commission.
•Billions of dollars wiped from its market capitalization in days.
•Reputational Cost:
•A catastrophic loss of public trust. The hashtag #DeleteFacebook trended globally for
weeks.
•Regulatory Backlash:
•The scandal directly fueled political will to pass new, stricter privacy laws around the
world, including California's CCPA.
For an MBA class, this is the most important slide. The consequences were not just a fine. It was a fundamental, long-term
erosion of their most important asset: user trust. And it permanently changed the legal landscape they operate in.

Discussion Questions
Break into small groups (4-5 persons), same as previous.
Task:
1. Discuss with your team
•Who bears the most responsibility for the misuse of data? The user who took the quiz? The
app developer? Cambridge Analytica? or Facebook for allowing it to happen?
•What specific governance failures (from last session) allowed this to happen?
•How has this event changed the way businesses must think about data they collect on their
platforms?
2. Please summarize and make the presentation file. (one question one page)

Key Takeaways
•A breach of trust can be far more expensive than any regulatory fine.
•"Platform policies" are meaningless without technical enforcement and vigilant
oversight.
•A single data scandal can reshape the legal and competitive landscape for an entire
industry.

Thank you for your attention