Thailand’s Personal Data Protection Act (PDPA) forces organizations to comply with sweeping and technically complex data requirements, imposing costly penalties on organizations and individuals who fail to abide by its rules. The law was published in the Royal Thai Government Gazette on 27 May 2019, but enforcement has been delayed twice in order to allow more time for compliance.
This reprieve, due to COVID19, however, is a temporary one – and companies around Thailand must act decisively in order to stay on the right side of the law. The cost of non-compliance may include an administrative fine of up to THB 5 million, a criminal fine of up to THB 1 million (plus imprisonment), with heavy punitive damages possible as well. The safest, smartest path forward is simply to protect the privacy rights of data subjects by following the law.
Here we offer a brief review of the PDPA and its mandates, followed by a practical guide to preparing your business for the imminent arrival of this important data privacy law.
Adapting to a new era of data privacy
On June 1, 2022, Thailand will begin enforcement of the PDPA. The law generally mirrors Europe’s General Data Protection Regulation (GDPR), in that it forces, for example, websites to gain informed user consent before collecting any personal data through web cookies. This permission request must be made in clear language, and must state the type of data being collected and what it will be used for.
The PDPA also regulates the usage and disclosure of any collected personal data, in order to protect users from risks associated with data insecurity as well as usage by third parties.
Data subjects are granted particular rights under the PDPA, which include the right to access any personal data that has been collected from them, the right to have their data erased upon request, the right to restrict the processing of their data, and more. The details of these rights are complex; the full law may be read here.
Importantly, the PDPA applies to any organization that is in a position to collect personal data from users within Thailand. The scope of the law also includes foreign controllers or processors that collect, use or disclose personal data of data subjects in Thailand for certain activities as well.
Moreover, even if users have given consent for their personal data to be transmitted to third parties (foreign or domestic), the data controller must procure that the receiver of data will not use or disclose such data without authorization or unlawfully.
In most situations, the data collection and handling rules put in place by the PDPA overlap with those set out by Europe’s GDPR. Yet there are some subtle differences; the GDPR, for example, states that the data subject shall have the right not to be subject to a decision based solely on automated processing, while the PDPA does not distinguish between automated and non-automated data processing, meaning it allows for the automated processing of data provided its other rules are met.
In short, the PDPA forces organizations operating within Thailand to conform to a detailed set of privacy regulations that is similar to, but not entirely the same as, Europe’s GDPR system. The time allotted for preparation is limited, and businesses must successfully upgrade their systems and processes by May 31, 2022.
Although recent extensions have pushed this date back, there are many advantages to early compliance – including additional time to grow accustomed to the new system. Moreover, it is simply good business to respect user privacy; and the standards of the PDPA represent a worthwhile foundation for improvement in these areas.
A practical guide to complying with the PDPA
To ensure full compliance, organizations should take the following steps:
Each of the above steps will take time to carry out successfully. Organizations must undertake a thorough self-examination to identify every point of data collection, as well as how their data is stored and overseen, and which other organizations it is shared with. Staff must also be trained to follow the appropriate procedures in accordance with the new law.
At every point where current practice falls short of the requirements of the PDPA, immediate changes must be put in place to allow compliance. Budgets may be tight in the current economic environment, so a focused and efficient approach will be necessary. Outside assistance from a consultant may be a sensible solution.
An extra form of security
Thailand’s PDPA is designed to protect data subjects, though this protection comes at the cost of leaving businesses open to costly fines if they fail to live up to the exacting standards of the new regulation.
We therefore strongly recommend a legal review of each organization’s systems, to guard against the risk of penalty for non-compliance even after a well-intentioned effort has been made to make the necessary upgrades and adaptations. Kudun & Partners can guide organizations through any part of the upgrade process, to ensure full compliance with the PDPA as well as peace of mind.
By conducting a thorough examination of all the relevant systems, our experts will go far beyond simply protecting businesses from the long arm of the law. Our team’s ability to identify incomplete processes or security risks will also lead to a much safer experience for our clients’ customers.
Better data protection ultimately pays dividends by improving the brand’s reputation among its customers. This realization alone should prompt companies to take better care of the privacy of their customers and employees.
Though the deadline for PDPA compliance has once again been extended, it nevertheless represents an idea whose time has come. Organizations should act quickly to meet the requirements of this new law – and with a little help from our legal team, full PDPA compliance will be well within reach.
Let Kudun & Partners help you adapt quickly and successfully to this sweeping new data privacy law. Contact us today to get started.