5 Ways to Simplify Compliance wi...
5 Ways to Simplify Compliance with Thail...

5 Ways to Simplify Compliance with Thailand PDPA Requirements

Get your Thailand PDPA privacy program up to speed by working on these five areas

Angela Potter Manager, Privacy Research | FIP, CIPM, CIPP/E

clock7 Min Read

Featured Image

After three years and two postponements, the Thai Personal Data Protection Act (PDPA) compliance deadline is finally upon us. The deadline passed on May 31, 2022, meaning that the requirements of the PDPA are now enforceable and businesses operating in Thailand must implement the appropriate solutions for managing the provisions of the law.

If you haven’t already approached compliance with the PDPA, you can take some solace in the fact that it heavily aligns with the General Data Protection Regulation (GDPR), making certain provisions easier to embed into your existing privacy program.  We’ve highlighted the top five PDPA requirements that you can start solving right now.

Top 5 PDPA requirements you can work on today

1. Build and maintain a comprehensive data map

The bedrock of any privacy program is an up-to-date data map. This serves as the starting point for streamlining several key areas of compliance with the PDPA such as maintaining records of processing activities, fulfilling data subject rights, and respecting consent preferences. Conducting a data mapping exercise can help you develop a clear picture of how your organization uses data as well as having insight into policy violations and the appropriate remediation actions you need to take.

Further to data mapping being good practice, Section 39 of the PDPA requires data controllers to maintain, at a minimum, records of the following:

  • The personal data collected
  • The purpose of the collection
  • Details of the data controller
  • The retention period of personal data
  • Data subject rights and the methods for exercising these rights
  • The use or disclosure of personal data if the data controller is exempt from consent requirements
  • The rejection of data subject rights requests
  • Explanation of appropriate security measures used

OneTrust can help your organization build a comprehensive data map through the Data Mapping Automation module that enables you to keep records of your processing activities.  The solution assists you to generate a central inventory of data flows through questionnaires, automated scanning, workshops, or bulk import. Real-time intelligence and automation maintain evergreen data catalogs with automatic feeds from ongoing assessments and help to monitor compliance with different privacy laws from around the world.

2. Manage data subject rights requests

Respecting the rights of individuals can be a straightforward task and one that is essential for compliance with the PDPA. There are several steps for fulfilling data subject rights under the PDPA that you can implement today.

Firstly, understanding the rights that individuals have under the PDPA will be foundational to compliance. The PDPA sets out the following rights for data subjects:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to object/opt-out
  • Right to data portability

Secondly, you will need to set up an intake method so that individuals can exercise their rights. This can be as simple as an email address however a dedicated centralized intake method will help to streamline the process and ensure that requests are not lost in a crowded inbox.

Once a request is received, you should have processes and technology in place to verify the requestor’s identity to make sure they are who they say they are and to avoid disclosing personal data to unauthorized individuals. The next step is to find all the data that your organization holds on the requestor, making sure to omit, delete, or redact personal data relating to others. An automated data discovery solution is the most efficient way to scan multiple systems and data sources for instances of personal data.

Finally, you should respond to the requestor without undue delay and no longer than 30 days from the date of the request. Communication should be made through a secure portal to ensure that personal data cannot be accessed by any unauthorized third parties.

OneTrust offers the Privacy Rights Automation (DSAR) module for fulfilling data subject rights requests from start to finish by utilizing real-time regulatory intelligence, identity verification integrations, and automated data discovery. You can streamline your processes for responding by reducing turnaround from weeks to just minutes.

3. Obtain and record valid consent

The PDPA outlines strict consent requirements and highlights that data controllers are restricted from collecting, using, or disclosing personal data without obtaining valid consent.

Section 19 of the PDPA outlines the conditions for valid consent, stating that it should:

  • Be explicit
  • Be freely given
  • Inform the data subject of the purpose of the collection, use, or disclosure of the personal data
  • Be clearly distinguishable from the other matters
  • Be easily accessible using clear and plain language
  • Not deceive or mislead the data subject
  • Be possible to withdraw consent at anytime

Organizations that fall under the PDPA’s scope can promote transparency and choice by ensuring that data subjects are provided with the relevant information relating to the collection and use of their personal data at the time of collection and that they are able to withdraw this consent at any time – which is also outlined as a data subject rights under the PDPA.

OneTrust tracks consent documentation and generates records of valid consent to help produce consent reports. The OneTrust Consent & Preferences trust domain offers a configurable centralized preference center, allowing data subjects to change their preference settings at any time and for organizations to track these preferences in a central data map.


Download the PDPA Overview Infographic

4. Develop incident and breach response plans

Data breaches are one of the top reasons consumers lose trust in an organization. The Thailand PDPA sets out data breach notification requirements for controllers and processors. These include documenting any data breach activity and notifying the Personal Data Protection Committee (PDPC), where feasible, within 72 hours of realization. In addition to notifying the PDPC, data controllers may be required to notify impacted data subjects without undue delay if the incident is deemed to likely result in a high risk to the rights and freedoms of the data subject affected by the breach.

OneTrust outlined a six-step plan for incident management and tabletop exercise that you can put into action today to help prepare your team for incidents, report events, define responsibilities, and manage response procedures. The six steps include:

  • Prepare
  • Investigate
  • Assess
  • Remediate
  • Notify
  • Lessons learned

In addition to the Incident Management Playbook, the OneTrust Privacy Incident Management module analyzes security incidents through a PDPA-specific notification assessment template as well as templates designed for other privacy laws around the world. Organizations can understand the nature of the incident, respond appropriately, and implement a remediation plan with customizable workflows to streamline the process from discovery to notification.

5. Monitor the legislative landscape and maintain compliance

If the postponements to PDPA’s compliance deadlines have taught us anything, it’s that the privacy landscape is always subject to change – often at short notice. As recently as January 2022, the Ministry of Digital Economy and Society (MDES) published eight secondary draft laws under the PDPA following public hearings.

With these eight secondary laws in the legislative cycle and the prospect of further guidance being issued by the PDPC after the compliance deadline passes, organizations should equip themselves with the regulatory intelligence to ensure their privacy program remains up to date with the latest developments.

OneTrust DataGuidance is the world’s largest database of regulatory research that informs the real-time intelligence underpinning the OneTrust Privacy & Data Governance Cloud. Organizations can rely on the regulatory intelligence embedded in OneTrust’s automated solutions to ensure their privacy program is well informed of the latest updates to privacy legislation, standards, and frameworks from around the world.

What is the OneTrust Privacy & Data Governance Cloud?

The OneTrust Privacy & Data Governance Cloud helps companies adopt best-in-class privacy practices, so individuals trust them with their data, allowing them to deliver more valuable experiences and create business value through trust.  The Privacy & Data Governance Cloud introduces key platform capabilities that help bring visibility, action, and automation to your privacy and data governance programs. This includes data discovery technology to help you know your data, real-time regulatory intelligence that brings clarity and context to how that data needs to be governed, insights and benchmarking so that you can measure your program and compare against your peers, and a central trust center that delivers a unified privacy user experience to your stakeholders. Request a demo to learn more. 

You Might Also Be Interested In

NOVEMBER 28, 2022

From Sapin II to Sapin III: France’s anti-corruption fight

NOVEMBER 25, 2022

7 myths about SOC 2 compliance

NOVEMBER 18, 2022

What every Chief Privacy Officer should know  about third-party risk management

NOVEMBER 17, 2022

The role of disclosures in risk assessment and mitigation 

NOVEMBER 15, 2022

US climate risk rule could affect more than 5,700 federal suppliers

NOVEMBER 14, 2022

The COP27 climate summit: What to expect and why it matters

NOVEMBER 10, 2022

CSRD update: EU approves new ESG disclosure rules

NOVEMBER 9, 2022

SOC 2: Starting your audit process

Onetrust All Rights Reserved