The Personal Data Protection

The Personal Data Protection Act B.E.2562 (2019) (“PDPA”) was published in the Government Gazette on 27 May 2019. Thailand, for the first time, has a specific law to safeguard forms of personal data.

“It is vital that the business operator and all staff have a comprehensive understanding of the legal ramifications of the PDPA”

The PDPA is primarily intended to protect the personal data (“Personal Data”) of individuals (“Data Subject(s)”) and enhance data security standards of business operators in Thailand (“Data Controller(s)”) or (“Data Processor(s)”). The PDPA, among other things, specifies rules, mechanisms and measures to protect Personal Data during collection, use or disclosure through various media, including internet technology, by such Data Controllers and Data Processors. The PDPA also regulates cross-border transfers of Personal Data.

It is vital that the business operator and all staff have a comprehensive understanding of the legal ramifications of the PDPA. Given the standards and definitions set by the PDPA, it is probable the business operator collects, uses, processes, or discloses significant volumes of Personal Data affecting the individual rights of Data Subjects.

With postponement to the following year, we urge businesses to prepare appropriately. Have you completed the following?

  • Prepared data classification and undertaken data mapping?
  • Undertaken a Gap analysis and risk assessment to understand your exposure?
  • Prepared the appropriate consent forms, agreements and policies?
  • Understand and prepared new processes related to data breach management and data subject rights exercise?
  • Understand new roles as Controllers and Processors (noting that this extends to outsourced vendors also)?
  • Understand systems related risks and how to mitigate these?
  • Have a monitoring and audit plan?

We can support you on the above and your PDPA requirements, please contact us for more information.