Cybersecurity and Privacy Protection
Challenges and Opportunities
Cybersecurity and privacy protection are critical challenges for businesses in the digital era. Cyber threats, such as ransomware attacks and social engineering, have evolved alongside emerging technologies like artificial intelligence (AI), creating new risks. A cybersecurity breach can disrupt systems, cause financial and reputational damage, and undermine customer and stakeholder confidence.
Effective cybersecurity and privacy protection measures help build trust among stakeholders. Implementing stringent security protocols to prevent cyber threats and developing products and services that adhere to high data protection standards enhance Central Retail’s reputation as a responsible and law-abiding organization. Moreover, safeguarding customers' and suppliers' data from cyber risks is increasingly important to stakeholders.
Central Retail has implemented various measures to strengthen cybersecurity and privacy protection, including deploying threat detection systems, authentication processes, and advanced encryption technologies. Additionally, employee training programs have been established to raise cybersecurity awareness and encourage proactive threat identification and reporting. Embedding data protection measures into products and services further enhances customer trust and ensures compliance with relevant regulations.
Management Approach
Cybersecurity Governance Structure
To ensure the security, effective management, and proper utilization of Central Retail's cybersecurity system and privacy protection, a governance structure has been instituted. This structure involves the Risk Policy Committee, the Chief Executive Officer (CEO), the Chief Information Security Officer (CISO), and the Information Technology Committee (ITC). The Risk Policy Committee oversees enterprise risk management, including cybersecurity and privacy protection risks, at the Board level. Mr. Yol Phokasub, the current CEO of Central Retail, is also a member of the Board of Directors and of the Risk Policy Committee, which oversees and establishes strategies to manage cybersecurity and privacy protection. The CEO has an educational background in computer science and software engineering and previously worked as a system manager. The ITC is an executive-level committee, with the CISO leading the implementation of cybersecurity and privacy protection measures. The current CISO also has extensive experience in cybersecurity, including as CISO at another major online retail company. Other members of the ITC include executives from different business units who ensure compliance with Central Retail’s cybersecurity and privacy protection management approach, supported by competent employees with the expertise needed to implement and communicate these measures throughout the organization and to external stakeholders. Importantly, Central Retail has appointed a Data Protection Officer (DPO) to advise on, oversee, and monitor Central Retail’s compliance with the Personal Data Protection Act B.E. 2562 (PDPA), and has established a Data Protection Working Team dedicated to protecting personal data and handling privacy issues.
Cybersecurity Management
Central Retail has established the Information Security Mission Statement and Policy to announce its commitment to ensuring that its information systems and services meet the standards of protection expected by customers and stakeholders. Central Retail has adopted international standards such as ISO 27001:2022, the National Institute of Standards and Technology (NIST) framework, and the Center for Internet Security (CIS) Controls as internal policy and guidance that all employees and relevant personnel must adhere to in order to effectively manage and protect the core systems and relevant personal data.
Central Retail has implemented a risk management approach to protect and manage the information environment and keep up with changing situations by balancing control and system usage. Central Retail also classifies sensitive data into different risk levels, which determine the level of protection and the measures applied. Other cybersecurity measures include, but are not limited to, server vulnerability management, endpoint detection and response, virus protection, and data encryption. Moreover, information technology resources should have cybersecurity measures embedded throughout their lifecycles, from acquisition to disposal. With regard to physical security, Central Retail has relocated its information systems to data centers that adhere to international standards for both procedural and security measures. This approach provides comprehensive safeguards against potential physical harm from fire, flood, and other emergencies, as well as against illegal entry into the system.
Cybersecurity Process
Data Privacy Protection
Central Retail is dedicated to privacy protection by taking appropriate security measures (including organizational and technical measures) to prevent data leakage, and by establishing the Personal Data Handling Procedure for internal use, which all employees and pertinent personnel must follow to prevent breaches and misuse of personal data. In addition, Central Retail has put in place agreements with its suppliers to control the activities carried out by the suppliers and to ensure suppliers’ compliance with privacy practices. The Personal Data Handling Procedure covers extensive topics such as recordkeeping of data processing activities, the consent management system, data subject rights management, data retention, data processing agreements, and personal data breach procedures. Central Retail has also made its Privacy Policy available to the public on its website and at the various contact points where personal data is collected. This ensures transparency and informs customers and stakeholders of their rights to data privacy. The Privacy Policy encompasses the following issues:
- Type of personal data
- Purpose of data collection, use, and disclosure
- Agencies or individuals to which Central Retail may disclose personal data
- Transfer of personal data to third countries
- Duration of personal data storage
- Security measures
- Cookie policy
- Rights of data subject
- Service points of contact regarding the exercise of personal data rights
Consent
Central Retail is committed to lawfully processing the personal data of customers and other stakeholders. Central Retail may further obtain consent from customers and other stakeholders when the Company cannot rely on another legal basis for the collection, use, and disclosure of personal data, including but not limited to the processing of sensitive personal data and processing for analysis or marketing activities.
In addition, Central Retail has set up channels through which data owners can file complaints, make inquiries, and exercise their rights regarding personal data. Substantiated cases and complaints will be addressed and disciplinary actions will be taken. For any questions or concerns, or to exercise rights regarding personal data, please contact our Data Protection Officer at:
Central Retail Corporation Public Company Limited
Central Retail Corporate Marketing
Central Chidlom Tower, 8th Floor, 22 Soi Somkid, Ploenchit Road, Lumpini, Pathumwan, Bangkok 10330, Thailand
Tel: +66 2 650 3600
Data Protection Officer
Data Protection Office, Central Group, 22 Soi Somkid, Ploenchit Road, Lumpini, Pathumwan, Bangkok 10330, Thailand
Email: dpo@central.co.th
Security Measures for Personal Data Protection
Central Retail is committed to protecting personal data by establishing effective security measures from a technical, physical, and organizational point of view to prevent loss, unauthorized or unlawful access, deletion and destruction, use, alteration, rectification, or disclosure of personal data.
Central Retail continuously reviews its security measures and monitors technological changes to ensure effective security protocols, considering the nature, scope, context, and objectives, as well as the level of risk associated with personal data processing.
Central Retail’s cybersecurity systems are tested through internal and external vulnerability analysis and penetration testing (including simulated hacker attacks) to actively monitor for and prevent the causes of cyberattacks. These tests are performed on an annual basis by qualified experts to help identify the system’s weaknesses and to inform business continuity plans. Likewise, Central Retail conducts data privacy compliance audits on a regular basis.
To reduce cybersecurity and privacy protection risks, Central Retail integrates these risks into the quarterly group-wide enterprise risk management process to ensure that they are monitored and managed. Central Retail also conducts regular training on cybersecurity topics such as physical security, phishing, and email malware protection for both executives and employees. Moreover, Central Retail selects representatives from each business unit in functions specific to data privacy to receive intensive training on the PDPA and proper data handling. Employees can report an incident or potential incident should they suspect any breach, and the report will be escalated and addressed as appropriate. In cases of misconduct or breaches by employees, disciplinary actions will be taken. Cybersecurity and privacy protection are also considered as part of the annual performance review of relevant employees to ensure continuous improvement of the entire system.
Project Highlights
PDPA Refreshment and Data Subject Rights Handling Training
The PDPA Refreshment and Data Subject Rights Handling Training aimed to reinforce key concepts and refresh knowledge and understanding of data protection, company policies, and best practices, specifically for the relevant employees representing all business units in Central Retail (PDPA representatives). The training topics covered fundamental data protection principles; the obligations of the data controller, data processor, and data protection officer; the roles and responsibilities of PDPA representatives; and the penalties under the PDPA. A key session was dedicated to data subject rights and the process for handling data subject requests, ensuring that employees understand how to manage data subject right requests in full compliance with the PDPA. This training serves as an essential organizational security measure required by law, playing a critical role in reducing the risk of non-compliance and legal action, while also demonstrating Central Retail’s commitment to safeguarding both customers’ and employees’ data.
