Over the past few years, businesses have seen a significant rise in the number and complexity of cybersecurity threats, and this trend is expected to continue in the years to come. The threat landscape is becoming more challenging, as new technologies and trends create new opportunities for cybercriminals to exploit vulnerabilities in corporate systems. The cybersecurity and data privacy threats that businesses faced in 2023 were complex and evolving. Phishing attacks, insider threats, cloud security, and the shortage of skilled cybersecurity professionals were just a few of the trends that businesses needed to be aware of.
Data privacy and cybersecurity protection have both negative and positive impacts on the economy, the environment, and people. The negative impacts include the risk of financial losses due to cyber-attacks, which can result in significant economic damage to businesses and the wider economy. Additionally, harm to customers' privacy rights can have serious implications for human rights and for consumer trust in organizations. Moreover, network damage or disruption can cause data loss and downtime, which can be costly and disruptive to business operations and overall productivity. On the positive side, stronger security measures help protect against cyber threats and safeguard sensitive data, leading to increased consumer confidence and trust. Convenient and user-friendly security measures can also encourage wider adoption of digital technologies, which can lead to increased economic growth and innovation.
BJC realized that, to protect its assets and data and to build awareness and preparedness, it must prioritize cybersecurity and take proactive measures above and beyond the baseline, balancing the value of new technology against the cyber risk that may come with it. Moreover, the company must invest in training and development programs to grow its own cybersecurity talent and ensure that staff have the necessary skills to protect its digital assets.
Data and Cybersecurity Privacy Protection Management Approach
BJC has always been committed to upholding comprehensive and robust cybersecurity and data privacy measures. This is demonstrated through the corporate-wide Information and Cybersecurity Policy, which is available on the company website and can be accessed by all employees, providing a complete guideline for all business operations under BJC and its subsidiaries. The policy instructs employees on the appropriate practices to ensure data security and to promptly manage all cybersecurity attacks. The policy was developed and is overseen by the Centralized Management Information System under the guidance of the Information Technology Management Structure, which is responsible for the management and prevention of all cybersecurity- and cyberattack-related topics, including revision of the Information and Cybersecurity Policy and strategies, the Disaster Recovery Plan (DRP), Vulnerability Assessment (VA) oversight, and penetration/stress tests.
BJC took steps above and beyond to enhance its cybersecurity and data privacy measures in 2023 in response to the increasingly severe global threat of cyberattacks. The company viewed information security as a critical aspect and included it on the agendas of key meetings: the monthly Management Board meetings, the Risk Management Committee meetings, and the annual Sustainable Development Committee meetings.
BJC prioritizes information security, including cybersecurity and data privacy, and has established various measures and committees to ensure that best practices are in place and continuously reviewed to stay ahead of evolving risks.
Information Technology Management Structure
Mr. Aswin Techajareonvikul, Executive Vice Chairman and Board Member, brings extensive experience in information technology, particularly through his joint investment in big data development with C Smart Solution Co., Ltd (CSS). Mr. Aswin participates in CSS's monthly business reviews, which examine financial and non-financial performance. On the non-financial side, the main agenda items concern the key operations of CSS, including information management and information security, and these are central to the reviews, ensuring alignment with corporate objectives. Mr. Aswin also plays a crucial role in evaluating IT-related projects and innovations prior to implementation, demonstrating expertise in big data and IT management. In addition, as chairman of BJC's cybersecurity committee, Mr. Aswin oversees all cybersecurity matters.
Mrs. Bussaya Yindeesuk, as Chief Digital Transformation Officer (CDTO), leads the digital transformation initiatives within the organization, focusing on several key areas. She drives the adoption and integration of digital technologies, modernizing and enhancing digital capabilities to ensure the organization remains competitive and agile. She oversees the Management Information System (MIS) division and C Smart Solution to ensure robust data management, reporting, and analytics that support strategic decision-making. In addition, the CDTO manages the organization's e-commerce strategy and operations, ensuring seamless online sales platforms, effective digital marketing, and strong customer engagement. Overall, the CDTO aligns these functions to create a cohesive digital strategy that drives growth, innovation, and competitive advantage.
The management structure is also accountable for overseeing cybersecurity management and fostering a corporate-wide cybersecurity culture, which has been achieved by raising awareness among all employees through online learning courses and newsletters that aim to reduce the risk of cyberattacks. BJC regards information security as one of the most critical aspects of the organization and includes it on the agendas of the Management Board meeting, held monthly, and the Risk Management Committee meeting, held quarterly. The Management Board acknowledges that a process is in place to prevent information system interruptions and cyberattacks in a timely manner, together with actions to prevent recurrence. The Company has an Information Technology Committee that defines, evaluates and reviews strategies, scope, and operations in the information technology structure. The committee meets monthly and consists of MIS Technology department personnel and other departments involved in the information technology structure. The committee sets overall operational guidelines, including best practices regarding personal information security, as well as training and education for employees and stakeholders. Moreover, there is a Data Protection Officer (DPO) who educates and trains employees involved in data processing, ensures compliance and proactively addresses potential issues. The DPO is also the contact point between the company and the Personal Data Protection Act (PDPA) regulator, monitoring the effectiveness and the impact of data protection efforts.
The Data Protection Officer (DPO) has an essential role in ensuring that the company complies with relevant data protection laws, such as the PDPA. The responsibilities of the DPO include providing knowledge and advice to BJC and its employees regarding compliance obligations, overseeing the implementation of data protection policies, performing internal audits, and leading data protection impact assessments. In addition, the DPO is responsible for overseeing and addressing data breaches, serving as the main point of contact for regulatory authorities, and keeping comprehensive records of data processing activities. The DPO is also responsible for safeguarding data subjects' rights, including but not limited to access, correction, deletion, and data portability. The DPO must function autonomously, without any conflicts of interest, and be provided with the necessary tools and authority to fulfill these responsibilities efficiently and minimize data protection risks within the business.
Throughout 2023, the Management Board maintained its recognition of the critical importance of cybersecurity and took concrete steps to prioritize it within the organization, including the establishment of the Cybersecurity Committee. It approved an Information Technology Management Structure that is led by the Chief Executive Officer and President. This team continuously invests in big data development through C Smart Solution Co., Ltd (CSS), a data analytics company, and oversees the overall IT management systems with the assistance of the Chief Digital Transformation Officer (CDTO).
This structure integrates cybersecurity throughout the entire value chain through a corporate-wide information technology strategy, developed on principles that uphold the Confidentiality, Integrity, and Availability (CIA) of all business goals. BJC's internal information technology is managed by the Management Information System department, which provides assistance related to information technologies, including the development of a robust cybersecurity infrastructure and cybersecurity guidelines. The Information Technology Security Department is responsible for managing all cybersecurity incidents, ensuring that all digital risk management and data protection initiatives align with internal guidelines and all applicable external laws, regulations, and standards, which are closely monitored through a rigorous process. These efforts demonstrate BJC's unwavering commitment to information security and cybersecurity. In addition, BJC realized that the speed at which emergent technologies are adopted frequently outpaces the company's capacity to develop safeguards, so the company must step beyond simple regulatory compliance in order to be a cyber-resilient business.
BJC places great emphasis on information security and undergoes an annual audit to certify its Information Security Management System (ISMS) in accordance with the international standard ISO 27001. In response to the pandemic and the transition to remote work, the company has also developed additional protocols, policies, and preventive mechanisms to ensure the secure handling of internal information. BJC utilizes a comprehensive Cybersecurity Management Process to identify and eliminate cyber threats, and all employees are encouraged to report any suspicious activity through various channels. All IT risk incidents are reported to the Risk Management Committee on an annual basis and managed in accordance with internationally recognized standards such as ISMS (ISO 27001) and the Enterprise Risk Management framework (ERM). These efforts demonstrate BJC's strong commitment to information security and its dedication to effectively and promptly managing all cybersecurity risks to prevent any potential operational impacts.
BJC has also established a Management Information System Division (ISD) to ensure that cybersecurity and infrastructure within BJC are managed properly through a centralized structure. Any information technology risk incidents are reported to the Risk Management Committee quarterly to be handled in alignment with the Enterprise Risk Management Framework (ERM) and company policy. The committee is responsible for reporting and receiving advice to ensure that the company manages information security and cybersecurity risk effectively and appropriately, in order to prevent and mitigate negative business impacts. Additionally, the information technology system has been audited for certification of its Information Security Management System (ISMS) under ISO 27001, to ensure that internal information is handled effectively in accordance with international standards, and additional protocols, policies and preventive mechanisms were developed during the pandemic.
Moreover, in addition to the BJC Privacy Protection Policy, the company has embedded privacy and personal information risk into group-wide risk management and compliance management and the relevant departments. A risk management framework for assessing personal data protection risk, including impact assessments, has been established, with assessments performed by the data owner. The company has a process in place to consider personal information risk and take appropriate measures, has defined the operational process for handling personal data, and has that process examined regularly by the Internal Audit department.
Notification in Case of a PDPA Breach
In the event of a personal data breach or data leakage, the DPO (Data Protection Officer) is responsible for assessing the nature, type, and extent of the data involved in the breach, as well as the characteristics, type, or status of the affected data subjects. The DPO must then evaluate the potential risks, including the severity of the impact and potential damages. Additionally, the effectiveness of the measures currently in place by the data controller must be reviewed. If it is determined that the breach impacts the rights and freedoms of the data subjects, a formal report detailing the incident and mitigation efforts must be submitted to the regulatory authority (Office of the Personal Data Protection Committee).
BJC’s Compliance with PDPA: Aligning with GDPR Standards for Robust Data Protection
BJC has adopted the Personal Data Protection Act (PDPA), which aligns closely with the principles of the General Data Protection Regulation (GDPR). Both PDPA and GDPR are designed to safeguard personal data and protect individual privacy, establishing comprehensive guidelines for organizations on how to handle and process personal information. Key similarities between these regulations include the protection of data subject rights, mandatory data breach notifications, and the implementation of data protection principles such as minimization, purpose limitation, and transparency. Additionally, both frameworks emphasize the importance of organizational accountability in ensuring compliance with data protection standards.
Despite these similarities, there are notable differences between PDPA and GDPR. While GDPR has a broad and comprehensive scope that applies to organizations processing the data of individuals within the EU and EEA, PDPA’s scope and enforcement mechanisms vary by country. For instance, the penalties under GDPR can be significantly higher, with fines up to €20 million or 4% of global annual turnover, compared to the generally lower penalties imposed under PDPA frameworks like that of Singapore. Furthermore, while GDPR mandates the appointment of a Data Protection Officer (DPO) for certain organizations, PDPA’s requirements for a DPO differ across jurisdictions. Despite these differences, BJC’s adherence to PDPA ensures robust data protection measures that can be considered equivalent to those under GDPR, reflecting a strong commitment to safeguarding personal data and privacy.
Policy and Cybersecurity Test
BJC has implemented its Information and Cybersecurity Policy together with a program of cybersecurity tests. The policy focuses on the measures that employees need to follow regarding the use of IT equipment. In addition, cybersecurity tests such as the Disaster Recovery Plan (DRP), penetration test, and Vulnerability Assessment (VA) are conducted at least semi-annually to ensure that cybersecurity management remains effective and evolves appropriately with BJC. Furthermore, the IT infrastructure and information security management systems have been audited by external auditors in order to critically review accounting procedures and general processes and to develop an action plan for greater productivity. In addition, BJC's suppliers have insurance cover for information security breaches, so that BJC is protected against such incidents.
Cybersecurity Management Process
BJC places great emphasis on information security and has undergone an audit to certify its Information Security Management System (ISMS) in accordance with the applicable international standard, ISO 27001, to ensure that internal information is handled effectively according to international standards. In 2023, 100% of BJC's IT infrastructure and information security management systems were certified. Additional protocols, policies, and preventive mechanisms have also been developed in response to the pandemic to accommodate the transition in working styles. A Cybersecurity Management Process is also used to eliminate and prevent cyber threats. Under this process, all employees are encouraged to report all suspicious cyber activities, which can be reported through various channels including the company secretary's email, the hotline and the direct supervisor. All information technology risk incidents are reported to the Risk Management Committee quarterly and managed in accordance with the Enterprise Risk Management framework (ERM) and internationally recognized standards such as ISMS (ISO 27001), ensuring that all information and cybersecurity risks are effectively and promptly managed to prevent operational impacts.
Privacy Protection
BJC places great importance on protecting customers' personal information, as it is aware of data privacy concerns and the upcoming PDPA laws. Therefore, a process has been set up to ensure that BJC has effective policies and procedures in place. The Privacy Policy clearly outlines the objectives and uses of collected data, which include behavior analysis, lifestyle and purchasing history, to develop customized marketing campaigns that meet customer needs. To protect this personal information, BJC is committed to continuously developing and updating its personal data protection policy and documents: periodically, whenever the relevant laws are revised, whenever the company's internal practices change, and at least once a year. To ensure that personal data protection policies comply with applicable laws and regulations, BJC has been audited for security and data privacy according to the requirements of ISO 27001:2013, which covers personal data protection policy compliance. In addition, the Internal Audit department conducts internal audits following the scope of the Bank of Thailand's announcement on data security and privacy, covering areas such as the information security system and data confidentiality.
Regarding communication, there are three groups of stakeholders in data protection communication, as follows:
1. Customers - BJC prepares a consent letter that notifies customers of the purpose of data collection and of the other requirements needed to comply with the PDPA.
2. Employees - BJC organizes a training course on information security to ensure employees' awareness of information security and of how to prevent data leakage.
3. Suppliers - BJC communicates with suppliers regarding data privacy through the supplier code of conduct, so that they comply with BJC's requirements.
In order to raise awareness of the importance of personal data protection throughout BJC, PDPA Committee meetings have been organized monthly. The meetings aim to ensure that employees are aware of the act and to provide PDPA updates to the executives and related departments.
Customer Privacy Information
As the provisions of the National Personal Data Protection Act (PDPA) came into effect on 1 June 2022, BJC established customer data collection processes that emphasize customer data storage, the authorized use of personal data and data protection methods, in order to comply with the Act. BJC has continuously developed the process to inform customers about the objectives and the use of personal information through a privacy notice on the company website and a consent letter, with the following details:
To address customers' personal information protection with regard to the national Personal Data Protection Act (PDPA) that would take effect in 2022, BJC established a Personal Data Protection Policy that applies to the business operations of BJC and its subsidiaries, including suppliers. The policy determines how personal data is collected, stored and used, including the actions to be taken in case of a personal data breach incident. According to the policy, the Data Protection Officer (DPO) is responsible for integrating data breach issues into enterprise risk management, assessing their impact and raising employee awareness of personal data protection issues. Moreover, in order to comply with the Act, BJC has established a customer data collection process that emphasizes customer data storage, authorized use of personal data, and data protection methods. The company has developed a process to inform customers about the purpose and use of personal information via a privacy notice on the company website and a consent letter. As a result of efficient data management, there have been no complaints on customer privacy and no substantiated reports issued by BJC over consumer privacy violations, and 7% of customers' data was used for secondary purposes in 2023.
In addition, at Big C, the company uses a Point of Sale system where customers are asked for their consent prior to joining the Big C Big Card membership program. Once consent is given, the information is stored in a PDPA Management System database operated by the MIS department. The PDPA Management System allows responsible personnel to handle data subjects' requests to access their personal data, to withdraw consent to store, share or use their data, and to delete their data. Personal information is protected through role-based permissions, user authorization and masking of personal data (e.g. the personal identification number). A CRM Maxar (Terabit) system is used to monitor the percentage of users whose customer data is used for secondary purposes.
Cybersecurity Training
BJC recognizes that cybersecurity and privacy protection are critical to the success of any organization in the digital age. To ensure that employees are equipped with the knowledge and skills necessary to protect data and systems, BJC consistently conducts IT Digital, Cyber Security, and Privacy Protection training courses for its personnel, aimed at updating policies, enhancing knowledge and understanding, and preventing potential breaches or security incidents. The primary objective is to elevate the IT and cybersecurity literacy of employees across the organization. Notably, in 2023, three highlighted training courses were organized, the Security Awareness course, the Data Classification course and the Digital Transformation Canvas, which were made available to all employees within the company. The Security Awareness and Data Classification training initiatives are crucial in ensuring that employees are equipped with the necessary skills and awareness to navigate the complexities of the digital and cybersecurity landscapes. By participating in these courses, employees gained insights into best practices for digital security awareness, data classification and proper digital literacy, and into handling and mitigating potential risks and vulnerabilities. Additionally, the Digital Transformation Canvas course empowered employees to understand and leverage digital tools and technologies proactively, contributing to the organization's digital resilience and success in an ever-evolving digital ecosystem while prioritizing security and privacy considerations.
Data Classification Course
In the contemporary digital era, data and information serve as pivotal assets shaping organizational strategies and outcomes. Recognizing the significance of data quality and management, safeguarding these assets becomes paramount. Thus, fostering employee awareness and understanding of data's importance is essential. Educational resources such as instructional videos and learning materials are utilized to disseminate knowledge effectively. Acknowledging data's critical role in today's competitive environment, BJC introduced the Data Classification program in 2023 to equip employees with the necessary skills for data protection and utilization. By leveraging engaging video content and interactive materials, the program aimed to raise awareness about data security and classification. High participation rates, with 86.46% of targeted full-time employees and 88.50% of Big C employees, underscore the organization's commitment to empowering its workforce with essential knowledge in data management and security, thus fostering a culture of responsibility and accountability in data handling practices. In addition, the quantitative impact of the IT Security Awareness training and Cyber Drill Simulation was measured: before the training, a simulated phishing email was sent to 1,924 employees and 333 of them clicked the phishing link; after the training, a simulated phishing email was again sent to 1,924 employees and 151 of them clicked the phishing link. Moving forward, sustained efforts in promoting data awareness and providing comprehensive training will remain integral to maintaining a secure digital infrastructure for BJC and its subsidiaries.
Digital Transformation Canvas
The program aimed to equip Business Unit (BU) Heads and affiliated company representatives with skills essential for devising strategic plans aligned with Digital Transformation principles, fostering innovation and seizing opportunities. By imparting a deep understanding of digital trends and technologies, it enabled participants to lead their units towards a digitally-driven future. In 2023, amidst the rapidly evolving global scenario, embracing digital transformation became imperative for businesses to stay competitive and relevant, prompting the program to offer a comprehensive curriculum tailored to address specific unit challenges and opportunities. Through interactive workshops, case studies, and expert-led sessions, participants engaged with digital disruption, emerging technologies, and agile methodologies in a collaborative learning environment. Encouraged to apply insights directly into daily operations, participants catalyzed real-world digital transformations within their units, extending the program’s impact beyond the training room. With 87 participants from diverse sectors in 2023, the Digital Transformation Canvas served as a guiding framework, empowering leaders to navigate uncertainty with confidence and chart a course towards sustained growth and innovation in the digital economy of tomorrow.
Other Security and Cybersecurity Awareness training
BJC is firmly committed to safeguarding both data and systems against cyber threats, in addition to ensuring the privacy of its customers, partners, and employees. This commitment underscores the importance of cybersecurity and privacy protection, which are supported by comprehensive training initiatives implemented across the organization. Through the prioritization of IT Digital, Cyber Security, and Privacy Protection training programs, BJC ensures that its personnel are equipped with the necessary skills to securely navigate the ever-evolving digital landscape. These initiatives not only enhance the skills and awareness of employees but also foster a culture of cybersecurity resilience within the company. It is noteworthy that the scope of BJC's privacy policy extends to cover its entire operations, including suppliers. Looking ahead, BJC remains steadfast in its commitment to staying abreast of emerging threats and technologies, thereby ensuring the continued protection of its digital assets and upholding stakeholders' trust in its cybersecurity.