May 30, 2022
Are You Ready For The Thailand PDPA Compliance Deadline?
Compliance with Thailand’s Personal Data Protection Act (PDPA) has been on the horizon for many organizations since it was published in the Thai Government Gazette on May 27, 2019. After the original PDPA compliance deadline of May 27, 2020, was postponed to May 31, 2021, due to the Coronavirus pandemic, the deadline for compliance had been firmly in the spotlight for businesses that fall under the PDPA’s scope. However, on May 5, 2021, the Ministry of Digital Economy and Society announced that the Cabinet of Thailand had approved a draft decree that would postpone the enforcement of the PDPA for a second time, citing the impact of the Coronavirus pandemic on the country’s society and the economy as the driving force for the postponement.
The new deadline of June 1, 2022, meant that organizations with operations in Thailand had a further 12 months to prepare their PDPA-compliant privacy programs.
What is Thailand’s PDPA?
Thailand’s PDPA is a comprehensive data protection law that regulates data collection and subsequent processing activities. The PDPA imposes stricter requirements on certain types of personal data such as racial and ethnic origins, religious beliefs, biometric information, and more. However, the PDPA does not explicitly reference such data as sensitive data.
In many ways, the PDPA reflects the data protection obligations of the EU General Data Protection Regulation (GDPR), with similar provisions relating to legal bases for processing personal data, data subject rights, and an extraterritorial scope. These similarities make organizational readiness less of a headache for companies that have already built GDPR compliance programs. However, there are many differences that still apply to businesses regardless of their previous compliance efforts, making PDPA readiness a top priority for all applicable organizations.
Are companies in Thailand ready? And what can you do to prepare for the PDPA compliance deadline?
According to PwC Thailand’s PDPA Survey 2020, only 5% of respondents had finalized their preparedness for the PDPA’s compliance deadline, while 34% had not started their preparations. Furthermore, 75% of respondents stated that they were fully aware of the PDPA’s requirements. It is safe to say that, while awareness of the PDPA is high, there was a lot for organizations to do in order to be ready for the June 1, 2022 deadline. So, what can these organizations do to begin, or enhance, their readiness for the PDPA?
- Appoint and empower a Data Protection Officer (DPO): The PDPA requires organizations to appoint a DPO under Section 41. Under the PDPA, the DPO must inform and advise the organization on their obligations, monitor the performance of the data controller and data processors, and act as a point of contact. Organizations can empower their DPOs with automated data mapping and inventory tools to accurately catalog relevant data to assist with the fulfillment of data subject rights and accountability with supervisory authorities.
- Stay up to date with the latest developments and regulatory changes to the PDPA: Over the last four years of the GDPR and other data protection laws from around the world, we have seen a range of guidance issued by supervisory authorities. Under the PDPA, the Personal Data Protection Committee (PDPC) is authorized to issue its own guidance in relation to the provisions of the PDPA. Therefore, staying up to date with the latest developments and regulatory changes issued by the PDPC is crucial to remain compliant with the PDPA.
- Monitor and measure personal data risks: Sections 84 and 87 of the PDPA outline the maximum monetary penalty for non-compliance that can be issued by the PDPC at THB 5 million (approx. $145,600). Enforcing internal processes to monitor potential risk is key to avoiding monetary penalties and reputational harm. Measuring potential risks within an organization can help identify gaps in compliance efforts, reduce the risk of data breaches, and assist in the fulfillment of data subject rights, all of which will benefit an organization’s compliance efforts.
Beyond the considerations listed above, organizations with operations in Thailand should also be aware of data breach reporting and documentation, upholding data subject rights and fulfilling data subject access requests, and control over third-party access to data.
How OneTrust helps organizations achieve PDPA readiness
OneTrust is the most widely used solution for privacy and security compliance and has helped over 8000 customers with compliance programs ranging from the GDPR to the LGPD and the CCPA. OneTrust offers its Data Mapping tool, which helps build the foundation of an organization’s compliance program. OneTrust Data Mapping leverages flexible intake methods to populate data inventories, automates risk identification and mitigation, and generates reports, empowering organizations to build and maintain ongoing compliance with the PDPA. Having an up-to-date data mapping can also help your organization enforce data policies such as retention and access.
Demonstrate accountability and readiness and prioritize PDPA compliance requirements with OneTrust Maturity & Benchmarking. Through built-in readiness assessments, organizations can evaluate their readiness for compliance with the PDPA as well as properly inform ongoing planning and maintenance of their privacy program as a result.
All of OneTrust’s compliance solutions are underpinned with regulatory knowledge from OneTrust DataGuidance, an in-depth and up-to-date privacy and security regulatory research platform powered by more than two decades of global privacy law research. OneTrust DataGuidance offers resources for understanding obligations under the PDPA such as Insight articles provided by local experts, reports – including the Comparing Privacy Laws: GDPR v. PDPA report – and daily news updates to assist organizations with understanding the latest additions or clarifications provided by the PDPC.
The second postponement of the PDPA in 2021 helped to ease the pressure on many organizations seeking to ensure their data protection programs are compliant with the PDPA. Many organizations will benefit from leveraging the right tools and automated solutions to get their PDPA-compliant privacy program up to speed in time for the June 1, 2022 deadline.
Request a demo to find out how OneTrust can help your organization in its readiness for the PDPA.