Compliance with Thailand’s Personal Data Protection Act (‘PDPA’) has been on the horizon for many organizations since it was published in the Thai Government Gazette on May 27, 2019. After the original PDPA compliance deadline of May 27, 2020 was postponed to May 31, 2021 due to the Coronavirus pandemic, the deadline for compliance had firmly in the spotlight for businesses that fall under the PDPA’s scope. However, on May 5, 2021, the Ministry of Digital Economy and Society announced that the Cabinet of Thailand had approved a draft decree that would postpone the enforcement of the PDPA for a second time, citing the impact of the Coronavirus pandemic on the country’s society and economy as the driving force for the postponement. The new deadline of June 1, 2022 means that organizations that have operations in Thailand have a further 12 months to prepare their PDPA compliant privacy programs.


Keep up-to-date with developments regarding the second postponement of the PDPA with OneTrust DataGuidance


In many ways, the PDPA reflects the EU General Data Protection Regulation (GDPR), with similar provisions in relation to the legal bases for processing personal data and extraterritorial scope. These similarities make organizational readiness slightly less of a headache for companies that have already created GDPR compliance programs. However, there are many differences that still apply to businesses regardless of their previous compliance efforts. Making PDPA readiness a top priority to all applicable organizations.

Are Companies in Thailand Ready? And What Can You Do to Prepare for the PDPA Compliance Deadline?

According to PWC Thailand’s PDPA Survey 2020, only 5% of respondents have finalized their preparedness for the PDPA’s compliance deadline while 34% have not started their preparations. Furthermore, 75% of respondents state that they are fully aware of the PDPA’s requirements. It is safe to say that, while awareness of the PDPA is high, there is still a long way to go for many organizations to be ready for the June 1, 2022 deadline. So, what can organizations do to begin, or enhance their readiness for the PDPA?

  • Appoint and empower a Data Protection Officer (‘DPO’): The PDPA requires organizations to appoint a DPO under Section 41. Under the PDPA, the DPO must inform and advise the organization on their obligations, monitor the performance of the data controller and data processors, and act as a point of contact. Organizations can empower their DPOs with automated data mapping and inventory tools to accurately catalog relevant data to assist with the fulfillment of data subject rights and accountability with supervisory authorities.
  • Stay up to date with the latest developments and regulatory changes to the PDPA: Over the past three years of the GDPR, we have seen guidance regularly issued by supervisory authorities. Under the PDPA, the Personal Data Protection Committee (PDPC) is authorized to issue its own guidance in relation to the provisions of the PDPA. Therefore, staying up to date with the latest developments and regulatory changes issued by the PDPC is crucial to remain compliant with the PDPA.
  • Monitor and measure personal data risks: Section 84 and 87 of the PDPA outline the maximum monetary penalty for non-compliance that can be issued by the PDPC at THB 5 million (approx. €149,000). Enforcing internal processes to monitor potential risk is key to avoid monetary penalties and reputational harm. Measuring potential risks within an organization can help identify gaps in compliance efforts, reduce the risk of data breaches, and assist in the fulfillment of data subject rights, all of which will benefit an organization’s compliance efforts.

Beyond the considerations listed above, organizations with operations in Thailand should also be aware of data breach reporting and documentation, upholding data subject rights and fulfilling data subject access requests, and control over third-party access to data.


Register for the webinar: Thailand PDPA: What You Need to Know on May 11 at 9:00 am BST 

How OneTrust Helps Organizations Achieve PDPA Readiness

OneTrust is the most widely used solution for privacy and security compliance and has helped over 8000 customers with compliance programs from the GDPR, to the LGPD, and the CCPA. OneTrust offers its Data Mapping tool that helps build the foundation of an organization’s compliance program. OneTrust Data Mapping leverages flexible intake methods to populate data inventories, automates risk identification and mitigation, and generates reports, empowering organizations to build and maintain ongoing compliance with the PDPA.

Demonstrate accountability and readiness and prioritize PDPA compliance requirements with OneTrust Maturity & Benchmarking. Through built-in readiness assessments, organizations can evaluate their readiness for compliance with the PDPA as well as properly inform ongoing planning and maintenance of their privacy program as a result.

All of OneTrust’s compliance solutions are underpinned with regulatory knowledge from OneTrust DataGuidance, an in-depth and up-to-date privacy and security regulatory research platform powered by more than two decades of global privacy law research. OneTrust DataGuidance offers resources for understanding obligations under the PDPA such as Insight articles provided by local experts, reports – including the Comparing Privacy Laws: GDPR v. PDPA report – and daily news updates to assist organizations with understanding the latest additions or clarifications provided by the PDPC.

The recent postponement of the PDPA has eased the pressure on many organizations seeking to make sure their data protection programs are compliant with the PDPA. However, many organizations will benefit from leveraging the right tools and solutions to get their PDPA compliant privacy program up to speed in time for the June 1, 2022 deadline. Request a demo to find out how OneTrust can help your organization in its readiness for the PDPA.

Further reading on the Thailand Personal Data Protection Act:

Next steps on readiness for the PDPA compliance deadline: 

Follow OneTrust on LinkedInTwitter, or YouTube for the latest on the Thailand Personal Data Protection Act.