On 1 June 2022 Thailand's Personal Data Protection Act (PDPA) came into effect. At the time I was also tasked with the Data Protection Officer role for a Thai organization. This was primarily to ensure that any personal data requests were responded to in a timely fashion, while also chairing the Privacy Committee in the efforts required for our organization to become compliant. To be compliant I had to navigate the complexities of how we needed to operationalize the law. Some examples are having privacy notices, ensuring you have a mechanism for data subjects to request portability or deletion, having policies and procedures in place, being transparent about the selling and use of personal data, and having an inventory of the organization's data.
It was a soft opening, if you will, by the Thai authorities: some of the secondary legislation that underpinned the Act hadn't been finished, and therefore I certainly read it as a way to tell businesses to get ready, after the Act had been postponed for several years for several different reasons. There was no Personal Data Protection Committee, let alone a website, and no published forms or guidance other than the PDPA itself, so navigating the Act had to be left to the corporate lawyers to work through with expert assistance from the likes of the Big 4 and boutique law firms specializing in data protection. There is no substitute for some much-needed due diligence in these matters!
Fast forward to today and we see that more information has come out from the PDPC, and clarifications have been issued for some areas of compliance. For example, the Record of Processing Activities (ROPA) does not need to be completed by the majority of small to medium-sized businesses, which brings some relief for smaller companies (Thailand does have a definition of SMBs based on employee headcount and turnover). Others, not so lucky, will have to have the ROPA available for inspection by the Personal Data Protection Committee on request and be able to present it promptly. This is no mean feat in itself, and I would always go down the route of automating the production of the ROPA, as there are mature products out there that already do this for GDPR.
Notifying the PDPC of data breaches is now clearer, and there is actually a mechanism to do so: you have 72 hours to report a breach that may harm data subjects' rights and freedoms. In severe cases you are also obliged to inform the data subjects themselves, which can become a bit of a challenge and something most organizations are really not geared up to do. In reality, most would struggle to manage the corporate communications around an incident unless they are of MNC size.
Thailand's PDPA should be in a position to match those of other ASEAN member states, with which Thai organizations often both share and host data. Again, there is further guidance in this area: you should ensure that the hosting country has adequate data protection regulations and agencies that enforce them. Obviously there are stipulations that the data must be adequately protected.
Protection measures are those deployed organizationally (processes, procedures and policies) and technically (controls) to protect the confidentiality, integrity and availability (CIA) of all personal data. One of the stipulated measures is the implementation of account and access controls to prevent unauthorized processing of personal data.
Another interesting development was the introduction of the Personal Data Violation Surveillance Center, PDPC Eagle Eye. This is where anyone can provide information in the effort against personal data being sold. They are actively providing advice to the general public on recent scams and cyber security topics and encouraging people to report information to their contact center. This is a major step forward for Thailand as it intensifies its fight against cybercrime and navigates the digital frontier.
This article is not meant as advice or detailed guidance, just my observations over the last two years on the challenges and opportunities of the evolving PDPA requirements in Thailand. I have not gone into detail but have provided an overview for those interested in the topic.