10 practices for companies to comply with PDPA

Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) will be fully enforced on June 1, 2022, after a one-year postponement. Members of the public, as the owners of the data, and business operators who want to use the data should understand each provision of this law well in order to prevent infringement of rights and prosecution that could lead to severe legal penalties.

What is PDPA?

PDPA is a law established in Thailand to protect the rights of data owners and to prevent any company that receives personal data from using it without the prior consent of the data owners. PDPA was enacted because there have been many infringements of privacy rights regarding personal data that caused trouble or damage to the owners of that data. In addition, today’s technology makes it quick and easy to collect, use, or disclose personal data, so without legal enforcement this could cause damage to the economy as a whole.

What is personal data?

  1. Personal Data is data that can directly or indirectly identify the owner of the data.
  2. Sensitive Personal Data is personal data that may lead to unfair discrimination.

This type of data requires special care when it is collected. Sensitive personal data are protected by law more stringently than the general personal data described above.

Who are involved in personal data?

  • Data Subject is the person whose personal data is identified, i.e. the owner of the data; it does not include deceased persons or juristic persons.
  • Data Controller is a person or a juristic person who has the authority and duty to make decisions about the collection, use, or disclosure of personal data.
  • Data Processor is a person or a juristic person who collects, uses or discloses personal data by following the order of the Data Controller or on behalf of the Data Controller, but does not decide to process the data on its own.

Data Subject Rights

Guidelines of personal data collection

Business operators or organizations that want to collect personal data from a Data Subject must first inform the Data Subject of the purposes of collection and obtain their consent. A Privacy Policy must be created to describe the data privacy protection measures so that Data Subjects understand them before they are asked to give consent. The topics to be addressed in the Privacy Policy are as follows:

  1. Personal data to be collected
  2. Purposes of collecting personal data
  3. Storage period of personal data
  4. Security measures of personal data
  5. Provision of personal data (Disclosure destination)
  6. Data subject rights
  7. Contact information of Data Controllers

Cautions in acquiring consent from Data Subjects

  1. The request for consent must be clearly separated from other messages, easily accessible, and accompanied by an easy-to-understand explanation.
  2. Do not use any methods or contents that lead the Data Subject to misunderstand the purpose.
  3. Data Subjects can withdraw their consent at any time, and withdrawing consent must be as easy as giving it.

Penalties for non-compliance

10 practices to prepare your organization

  1. Set up a working group in the organization. It should include persons in charge from the Policy, Legal, IT, and Human Resources Departments so that the organization builds a shared understanding of the PDPA.
  2. Prepare personal data protection practices that cover the following matters:
    • Setting clear objectives
    • Collecting, storing, using and disclosing personal data only within the extent necessary
    • Data security measures
    • Quality of personal data
    • Data subject participation
    • Disclosure of personal data in accordance with the law
    • Responsibilities of the Data Controller and Data Processor
  3. Assess the impact of personal data protection. Consider the necessity of each data processing activity, manage the risks that could affect individual freedoms, and put the appropriate data protection measures in place.
  4. Create a data map to verify what types of personal data each department receives, uses and stores, and who the data controller is. Then create a record system that identifies the source of each data set, records every activity performed on the data, and classifies the data according to the risk and severity of harm that may occur.
  5. Set up a privacy policy and a clear, easy-to-understand consent form.
  6. Establish IT security measures to protect personal data from loss, unauthorized access, destruction, use, modification, alteration or disclosure. Maintain the physical security of personal data. Data processing devices and other devices must be secured; for example, networks and communication systems must be defined and controlled, and data storage media must be properly managed.
  7. Define how to respond in case of a data leak. Create a manual explaining how to prevent data breaches. Investigate and report the results of any potential data breach. If a data leak occurs, the Data Controller must report it to the Office of the Personal Data Protection Committee within 72 hours.
  8. Supervise and monitor the operations of related persons to ensure they follow the prescribed guidelines. Perform risk assessments on a regular basis. If any process becomes inconsistent with the law or is found to be at risk, all related processes of personal data collection, use and disclosure must be reviewed or improved.
  9. Provide regular training and raise awareness about data privacy so that all related parties understand their responsibilities toward the rights of personal data owners and the consequences of violating the organization’s personal data protection policy.
  10. Design and develop systems with the security and protection of personal data in mind, for example by using data encryption and anonymized data.
  11. Appoint a Data Protection Officer (DPO). According to the PDPA, the following 3 types of organizations that are Data Controllers or Data Processors have to appoint a DPO:
    • Government agencies
    • Organizations primarily engaged in the processing of sensitive personal data, such as facial recognition data processing companies, insurance companies and hospitals
    • Organizations that process large amounts of personal data
  12. Establish measures for cross-border data transfer (if any). Consider whether the recipient’s country has appropriate personal data protection laws.

The consequences of data breaches are not only legal penalties; they also bring reputational damage to the company. Therefore, business operators who need to use personal information, and the many departments in companies that need to process employee data, are required to understand the PDPA well and prepare themselves to prevent the damage that results from personal data breaches.