PDPA: We’ve had a year, are we ready?
The Personal Data Protection Act B.E. 2562 (“PDPA”) originally scheduled for enforcement in 2020, was delayed via Royal Decree, to be effective on 1 June 2021. With economic conditions only starting to recover from the impact of COVID-19, the question still to be asked is, are we now ready for the enforcement of PDPA in 2021? With the delay, companies have postponed preparation and implementation work, focusing immediate attention on dealing with the pandemic. However, coming into 2021, it’s unlikely the authorities will be lenient when it comes to enforcement this year, so we urge businesses to be ready, given the implication to Company Directors.
…it’s unlikely the authorities will be lenient when it comes to enforcement this year, so we urge businesses to be ready, given the implication to Company Directors…
The Thailand PDPA is primarily intended to protect the personal data (“Personal Data”) of individuals (“Data Subject(s)”) and enhance data security standards of business operators in Thailand (“Data Controller(s) “) or (“Data Processor(s)”). The PDPA, among other things, specifies rules, mechanisms and measures to protect Personal Data during collection, use or disclosure through various media, including the internet and other systems, by such Data Controllers and Data Processors. The PDPA also regulates cross-border transfers of Personal Data.
At a high level, the PDPA creates duties for any entity collecting, using, disclosing and/or transferring personal data will be required to comply as a data controller and/or a data processor. In order to protect the rights of the data subjects and the third parties, entities may be required to undertake the following;
Duties to Data Subjects:
- Implementing appropriate security measures to prevent loss, unauthorized access, alteration or disclose of personal data
- Deleting personal data when the retention period for storage expires, the data is no longer necessary or pursuant to an individual’s request.
- Notifying any data breach or violation within 72 hours to the Office
- Keeping written or electronic record of the processing activities
Related to the Third Parties:
- Disclosure to the third parties ensuring that the third party to whom personal data are disclosed and shall not be used nor disclose such data wrongfully.
- Transfer overseas:
- Transferring personal data outside Thailand to third-country or organization having sufficient personal data protection standards only
- Exception may apply.
If you haven’t yet prepared or are unsure, there are three potential areas of exposure that businesses can opt to review, typically being the point of collection, processing and data storage/management.
So, the question again, is that we’ve had a year to prepare, do we have the adequate processes, policies and systems in place? If you haven’t yet prepared or are unsure, there are three potential areas of exposure that businesses can opt to review, typically being the point of collection, processing and data storage/management. Consider the following points to help determine the PDPA risk within your organisation:
- Collection
- Define what is the category of data required by utilizing data classification and mapping (legal basis)
- Determine in current forms if consent is required
- Is disclosure required?
- Do we collect unnecessary information or from indirect sources? Review existing internal forms to determine if this is the case and amend as necessary or obtain consent/provide disclosure
- Processing
- Identify the processes that will be impacted by PDPA and evaluate if there are adequate controls in place within our existing processes and systems
- Do we utilize third-party providers? If so, identify where in the process this occurs, and ensure that Data Processing Agreements are in place and signed. Perhaps consider Vendor Due Diligence
- Understand points in the process where personal data is processed to mitigate process and system risk of breach, security and accuracy
- Data Storage/Management
- Identify where data is stored (which processes and what systems) and ensure retention policies are clear
- Understand requirements of addressing any Data Breach Management and ensure adequate Security Measures
- Understand the rights of the data subject, and ensure that systems can handle the rights such as access, erasure, portability, objection and rectification
- Do we have in place a Record of Processing inventory?
For further information and help managing and implementing PDPA in your business, contact us now for assistance.