Goal 16
16.3: Promote the rule of law at the national and international levels and ensure equal access to justice for all.
16.5: Substantially reduce corruption and bribery in all their forms
16.7: Ensure responsive, inclusive, participatory and representative decision-making at all levels
16.b: Promote and enforce non-discriminatory laws and policies for sustainable development
In 2024, the security of information technology systems in the retail sector is critically important due to the growing reliance on digital technologies. This increased dependency has given rise to more sophisticated and diverse cybersecurity threats, such as ransomware attacks and personal data breaches, which have the potential to severely disrupt operations and undermine customer trust. Moreover, the integration of emerging technologies, such as Generative AI in e-commerce, introduces novel risks that demand proactive adaptation and strategic investment to safeguard both data integrity and system resilience.
BJC recognizes the importance of safeguarding personal data to build and maintain trust with customers and suppliers. Cyberattacks can result in financial losses and damage a company’s reputation, while non-compliance with data protection regulations may lead to penalties and legal actions. These risks necessitate effective management through strategic investments in robust security systems, including the implementation of enhanced security measures, data encryption to prevent unauthorized access and continuous training to improve the knowledge and skills of employees responsible for information system security.
Moreover, the organization emphasizes fostering awareness of data security among all staff and conducting regular reviews of policies and management practices. Given the ever-evolving nature of cyber threats, updating security measures to stay current is essential to ensure that risks in this area are managed effectively and efficiently.
Data and Cybersecurity Privacy Protection Management Approach
BJC’s commitment to data protection and privacy is deeply embedded within its corporate governance framework. The company has established comprehensive policies, including the Information and Cybersecurity Policy and the Privacy Policy, to guide its operations and ensure the effective development and maintenance of information technology systems. These efforts are aligned with legal requirements, such as the Personal Data Protection Act B.E. 2562 (PDPA), as well as international standards for information technology security, such as ISO 27001.
BJC has established a management structure as follows:
The management of information technology security is integrated into BJC’s corporate governance framework. The Board of Directors (BOD) oversees overall governance and monitors progress through the Management Board, which manages operations by establishing policies and tracking performance.
During the Management Board meeting on March 28, 2023, the Cybersecurity Committee was established, tasked with policy formulation, strategy development and cybersecurity risk management. This committee conducts regular monitoring of critical issues, reporting on risk and opportunity management to ensure the Risk Management Committee receives at least an annual update on cybersecurity matters. Mr. Aswin Techajareonvikul, Executive Vice Chairman and Board Member, serves as Chairman of BJC’s Cybersecurity Committee. With extensive experience in information technology, he has played a pivotal role in advancing the company’s cybersecurity initiatives.
Additionally, the Information Security Working Group has been appointed to implement projects related to data protection and security oversight, while the Cybersecurity Working Group is responsible for initiatives addressing cybersecurity, focusing on the protection of systems, networks and corporate data as directed by the Cybersecurity Committee. These groups ensure robust cybersecurity governance, emphasizing ethical practices, IT system protection and data security alongside the implementation of cybersecurity measures. Mrs. Bussaya Yindeesuk, Executive Vice President of the IT Department, also serves as the Chief Digital Transformation Officer (CDTO), further reinforcing the company’s commitment to digital resilience and security.
Information and Cybersecurity Policy
BJC has implemented an Information and Cybersecurity Policy that outlines key guidelines for all employees, directors and executives to ensure the protection of sensitive information and prevent cybersecurity threats. The policy emphasizes confidentiality, data security and employee responsibilities, including prohibitions on disclosing trade secrets and using company assets for personal gain. It also mandates regular training, strong security measures for equipment and systems and clear protocols for system development, incident management and whistleblower protection. The policy stresses compliance, outlines penalties for violations and promotes continuous monitoring of information security across the organization.
Information Security and Cybersecurity Management Structure
The Chief Digital Transformation Officer (CDTO) plays a pivotal role in driving an organization’s digital transformation initiatives, focusing on several strategic areas. The CDTO spearheads the adoption and integration of advanced digital technologies, modernizing and enhancing the organization’s digital capabilities to maintain competitiveness and agility.
Overseeing the Management Information System (MIS) department and C Smart Solution, the CDTO ensures robust data management, reporting and analytics to support informed strategic decision-making. Additionally, the CDTO manages the organization’s e-commerce strategy and operations, ensuring the delivery of seamless online sales platforms, impactful digital marketing campaigns and exceptional customer engagement. By aligning these functions, the CDTO develops a cohesive digital strategy that fosters growth, drives innovation and secures a competitive edge.
Furthermore, the CDTO is responsible for overseeing cybersecurity management and cultivating a strong cybersecurity culture across the organization. This is achieved through initiatives such as online learning courses and newsletters aimed at raising awareness among employees and reducing the risks of cyberattacks.
C Smart Solution
C Smart Solution (CSS) is a data analytics company in which BJC has a joint investment, focusing on big data development. The Chairman of the Cybersecurity Committee actively participates in CSS’s monthly business reviews, which assess both financial and non-financial performance. For non-financial performance, the reviews prioritize key operational aspects of CSS, including information management and information security, ensuring alignment with corporate objectives.
Mr. Aswin Techajareonvikul, Chairman, plays a pivotal role in these reviews, leveraging his expertise in big data and IT management to evaluate IT-related projects and innovations before implementation. His involvement ensures that projects meet the organization’s strategic goals and maintain high standards of efficiency, security and innovation.
Information Security Working Group
The Information Security Working Group plays a pivotal role in defining, evaluating and reviewing strategies, scope and operations related to the organization’s information technology infrastructure. This group holds monthly meetings and comprises personnel from the Management Information System (MIS) department as well as representatives from other departments involved in the IT structure.
The working group establishes overarching operational guidelines, including best practices for personal information security and provides training and education for employees and stakeholders.
BJC’s Compliance with Thailand’s Personal Data Protection Act (PDPA) and Alignment with GDPR Standards for Robust Data Protection
BJC has implemented the Personal Data Protection Policy, aligning its practices with the principles of Thailand’s Personal Data Protection Act (PDPA) and the EU General Data Protection Regulation (GDPR). Both frameworks are designed to safeguard personal data and protect individual privacy, providing organizations with comprehensive guidelines for handling and processing personal information. Key similarities between the PDPA and the GDPR include the protection of data subject rights, mandatory data breach notifications and adherence to data protection principles such as data minimization, purpose limitation and transparency. Additionally, both emphasize organizational accountability to ensure compliance with data protection standards.
Privacy Policy
To ensure the protection of personal information in compliance with the Thailand Personal Data Protection Act (PDPA), BJC has implemented a comprehensive Privacy Policy that applies to both BJC and its subsidiaries, as well as its suppliers. The policy outlines the processes for collecting, storing and using personal data, including the actions to be taken in the event of a personal data breach.
BJC is committed to continuously developing and updating its Privacy Policy and related documents in alignment with personal data protection standards. These updates occur periodically or whenever relevant laws are revised, whenever internal practices change, or at least once annually.
To guarantee that our personal data protection policies comply with applicable laws and regulations, BJC undergoes security and data privacy audits in accordance with ISO 27001, which ensures compliance with personal data protection requirements. Additionally, internal audits are conducted by the Group Internal Audit Department, following the scope of the Bank of Thailand’s regulations on data security and privacy, such as information security systems and data confidentiality.
There are three groups of stakeholders in data protection communication, as follows:
1. Customers - a consent letter that notifies customers about the purpose of data collection and disclosure, including other requirements to comply with the PDPA.
2. Employees - a training course on information security to ensure employees’ awareness of information security and how to prevent data leakage.
3. Suppliers - communication with suppliers regarding data privacy through the supplier code of conduct to comply with BJC’s requirements.
Customer Privacy Information
In compliance with the Thailand Personal Data Protection Act (PDPA), BJC has established a robust process for collecting and managing customer data, with a focus on data storage, authorized use and protection methods in accordance with the Act. BJC is committed to continuously refining its processes to inform customers about the purpose and use of their personal information through a privacy notice on the company website and consent letters.
These documents include the following details:
• The nature of the information collected from customers, including data from request forms, contracts, letters, other documents, the company’s website, cookies, applications and telephone systems.
• The duration for which the data will be collected.
• The specific purposes for collecting and using personal data.
• The options available to customers regarding the control of their personal data, such as the ability to correct, use, retain and process their data, including consent opt-in/out options, access requests, data transfers to other service providers and data deletion requests.
• Data protection management, including defining authorization and access control for relevant parties.
• Employee training programs to raise awareness of the PDPA and related laws and regulations.
• The implementation of the customer privacy policy and measures to prevent data breaches.
• Contracts regarding personal data protection.
By implementing these procedures, the company ensures transparency and compliance with the PDPA, providing customers with clear information and control over their personal data.
In addition, at Big C, the company uses a Point-of-Sale system where customers are asked for their consent prior to joining the Big C Big Card membership program. Once consent is given, the information is stored in a PDPA Management System database operated by the MIS department. The PDPA Management System allows responsible personnel to request personal data, withdraw consent to store, share or use data, and delete data. Personal information is protected through role-based permissions, user authorization and masking of personal data (e.g. personal identification numbers). A CRM Maxar (Terabit) system is used to monitor the percentage of users whose customer data is used for secondary purposes.
In accordance with BJC’s privacy policy, the company has appointed a Data Protection Officer (DPO) responsible for integrating data breach issues into enterprise risk management, assessing their impact and raising employee awareness on personal data protection matters.
The DPO plays a pivotal role in ensuring BJC’s compliance with data protection laws, including the Personal Data Protection Act (PDPA). The key responsibilities of the DPO include:
• Providing Knowledge and Advice: Offering guidance to BJC and its employees on compliance obligations related to data protection.
• Policy Oversight: Supervising the development, implementation and periodic review of data protection policies.
• Audits and Assessments: Conducting internal audits and leading data protection impact assessments to evaluate the organization’s adherence to data protection standards.
• Incident Management: Monitoring and addressing data breaches, ensuring timely and effective responses to mitigate risks.
• Regulatory Liaison: Acting as the primary point of contact for regulatory authorities and facilitating communication during audits or investigations.
• Record-Keeping: Maintaining comprehensive records of data processing activities, ensuring transparency and accountability.
• Safeguarding Data Subjects’ Rights: Ensuring that data subjects can exercise their rights, such as access, correction, deletion and data portability.
The DPO operates independently, free from conflicts of interest and has access to the necessary resources, authority and support to perform their duties effectively. This autonomy enables the DPO to mitigate data protection risks and ensure BJC’s continued compliance with applicable data protection regulations.
Notification in Case of a PDPA Breach
In the event of a personal data breach or data leakage, the Data Protection Officer (DPO) is responsible for assessing the nature, type and extent of the data involved, as well as evaluating the characteristics, type, or status of the affected data subjects. The DPO must then assess the potential risks, considering the severity of the impact and the possible damages.
The DPO will also review the effectiveness of the measures currently in place by the data controller to mitigate such breaches. If it is determined that the breach impacts the rights and freedoms of the data subjects, a formal report outlining the incident and the measures taken to mitigate the impact must be submitted to the regulatory authority, the Office of the Personal Data Protection Committee.
This process ensures that BJC complies with the PDPA’s requirements for breach notification, demonstrating transparency and accountability in protecting personal data.
Cybersecurity Working Group
The role of the working group is to manage cybersecurity projects to protect the security of the company’s systems, networks and data, adhering to the principles that uphold the Confidentiality, Integrity and Availability (CIA) of all business operations. The MIS department plays a crucial role in providing support related to information technologies, including the development of a robust cybersecurity infrastructure, establishing cybersecurity guidelines and managing all cybersecurity incidents. The department ensures that digital risk management and data protection initiatives are in alignment with both internal policies and all applicable external laws, regulations and standards, which are rigorously monitored through a structured process. These efforts reflect BJC’s steadfast commitment to information security and cybersecurity.
Moreover, BJC recognizes that the rapid adoption of emerging technologies often surpasses the company’s ability to develop adequate safeguards. As such, BJC aims to go beyond simple regulatory compliance and strives to build a cyber-resilient business.
Cybersecurity Management Process
BJC places great emphasis on information security and has undergone an audit to certify its Information Security Management System (ISMS) in accordance with ISO 27001, ensuring that internal information is handled effectively according to international standards. A Cybersecurity Management Process has also been adopted to eliminate and prevent cyber threats. Under this process, all employees are encouraged to report any suspicious cyber activity through various channels, including the company secretary’s email, the hotline and their direct supervisor. All information technology risk incidents are reported to the Risk Management Committee at least annually and managed in accordance with the Enterprise Risk Management (ERM) framework and internationally recognized standards such as ISMS (ISO 27001), ensuring that all information and cybersecurity risks are effectively and promptly managed to prevent operational impacts.
In 2024, 100% of BJC’s IT infrastructure and information security management systems have been certified.
Cybersecurity Test Procedure
BJC has implemented comprehensive cybersecurity testing procedures, including a Disaster Recovery Plan (DRP), Penetration Testing and Vulnerability Assessments (VA), all of which are conducted at least semi-annually to ensure the continued effectiveness of its cybersecurity management and its adaptation to evolving business needs. Additionally, BJC’s IT infrastructure and information security management systems undergo audits by external auditors to assess accounting procedures and overall processes, helping to develop action plans aimed at enhancing productivity and security.
Furthermore, BJC ensures that its suppliers are covered by insurance for information security breaches, providing an additional layer of protection for the organization in the event of such incidents.
Information Security Controls and Practices
1. Data Encryption and Access Control
BJC has implemented a Data Loss Prevention (DLP) procedure to enhance data security through measures such as data encryption and access control. This procedure includes monitoring user behavior within the organization, particularly
2. Data Classification
BJC has established a comprehensive data classification procedure to ensure effective data management and security. Data is categorized into four levels: Highly Confidential, Restricted, Internal and Public, with controls implemented across all stages, including data creation, usage, transmission, storage and destruction.
BJC retains full ownership of all data stored or transmitted on the company’s computer systems and networks. The company reserves the right to access such data, without prior notice to employees, in circumstances deemed necessary. However, the company doesn’t assert ownership of data belonging to customers, external individuals, or intellectual property such as software or materials protected by patents or copyrights.
3. Inspection and Audit
The IT Security & Compliance Team is responsible for ensuring robust data security and compliance across multiple domains. Their responsibilities include monitoring database usage, data exportation, data disclosure to external parties, intercompany data and software exchanges, portable storage media usage and data encryption.
Key monitoring activities include:
• Surveillance and Tracking Systems: Utilizing tools such as Assure Information Protection (AIP) to monitor user activities related to file and folder access, track event histories (e.g., file creation, deletion, copying and movement) on the network and identify actual file owners.
• Policy Enforcement: Implementing policies to prevent unauthorized file transmission via email, particularly for files lacking password protection, confidential documents, payroll slips and similar sensitive data.
• Data Transfer Monitoring: Conducting regular inspections of critical data transferred or copied to other sources, including removable media, network printers, local printers, shared network drives and optical storage devices like CDs/DVDs.
To maintain the highest security standards:
• Third-Party Audits: Independent audits are conducted to ensure compliance and enhance operational security.
• Collaborations with External Entities: BJC and its subsidiaries collaborate with external organizations for standardization and assessments, including ISO 27001 certification, vulnerability assessments and penetration testing (simulated cyberattacks). These evaluations are conducted annually to identify potential weaknesses and enhance the organization’s security posture.
• All inspection and audit results are reported to the Cybersecurity Committee annually, ensuring continuous improvement and alignment with evolving cybersecurity standards.
4. Business Continuity Plans for Cyberattacks
BJC is committed to preventing and mitigating cyber threats with the objective of achieving zero losses from cyberattacks. To address such risks, a comprehensive Business Continuity Plan (BCP) has been established and is tested at least once a year. The results of these tests are used to regularly review and update the BCP, ensuring its continued effectiveness in responding to evolving cybersecurity challenges.
In addition, in response to recent updates in standards, information security breaches and cyberattack incidents, corrective measures are being implemented to further strengthen operational protocols. This includes updating and refining the Business Continuity Plan (BCP) to enhance BJC’s resilience and ensure that response strategies are optimized to effectively mitigate operational disruptions.
Cultivating a Culture of Cybersecurity Awareness
In the digital era, where personal data and information systems are central to organizational success, BJC places a strong emphasis on employee training and ongoing communication to promote cybersecurity awareness. The company conducts regular training sessions designed to enhance employees’ understanding of cyber threats, such as phishing, password management and risk identification. These initiatives aim to encourage employees to adhere to personal data protection standards and to foster a proactive approach to safeguarding the organization’s information assets.
In 2024, three courses on Data and Cyber Security, Privacy Protection and Digitalization Training were conducted for employees. Additionally, weekly security alerts and knowledge updates, as well as notifications on the latest events related to these subjects, have been communicated via email. These initiatives aim to enhance employees’ awareness of data protection and cybersecurity while fostering a strong cybersecurity culture within the organization.
Performance Indicators
As a result of efficient data management, in 2024 there were no complaints regarding customer privacy, no substantiated reports issued by BJC over consumer privacy violations, and 6% of customers’ data was used for secondary purposes.
1. The number of complaints received regarding personal data breaches and data loss
| Indicators | Target | 2024 |
| --- | --- | --- |
| Total number of information security breaches | 0 | 0 |
| Total number of clients, customers and employees affected by the breaches | 0 | 0 |
2. The number of Data and Cybersecurity and Privacy Protection and Digitalization Training conducted for employees
| Training Courses | Number of Participants |
| --- | --- |
| Cybersecurity 101 Training (SOSECURE) and Cyber Security Awareness Training (Monster Connect) | 118 |
| Intensive Cybersecurity Capacity Building Program Training (THNCA) | 126 |
| ISO27001:2022 (FRECO Soft) | 24 |
3. Cybersecurity Awareness Drill Simulation Result Post-Awareness Training
| Drill result | Number of employees | Percentage |
| --- | --- | --- |
| Total number of employees who received a phishing email | 2,483 | 100 |
| Total number of employees who clicked a link in a phishing email | 856 | 34.5 |
| Total number of employees who clicked a link in a phishing email and input data in a phishing email | 108 | 4.3 |
Key Initiatives
1. Enhancing Security Infrastructure
• Data Immutability: Safeguards data from unauthorized modifications or destruction caused by hackers, ransomware, or viruses, ensuring data integrity and protection.
• Segregated DC/DR Networks: Reduces the risk of cyberattacks by isolating data center (DC) and disaster recovery (DR) networks, aligning with Business Continuity Plan (BCP) best practices.
2. Continuous Improvement and Audits
• Continuously implementing ISO 27001 standards to enhance information security management.
• Upgrading to the ISO 27001:2022 version to meet the latest security requirements and achieve certification in 2024.