Thailand postpones the PDPA enforcement: What it is and how to prepare your business for the PDPA
Businesses take note. Officially, Thailand postpones the PDPA or the Personal Data Protection Act (PDPA) to June 1, 2022. Considered as the first local law designed to govern data protection in the digital age, the PDPA was originally scheduled to come into effect on June 1, 2021. However, it created multiple challenges for both local and foreign businesses alike. In addition, the ongoing COVID-19 crisis is putting extra pressure on numerous corporations. In this Pacific Prime Thailand article, we’ll go through what it is and how to prepare your business for the enactment of PDPA.
Note that meanwhile, your business is still required to comply with the Data Protection Standard, as prescribed by the Ministry of Digital Economy and Society (MDES).
What is the PDPA?
Taking a page from the European General Data Protection Regulation (GDRP), the PDPA is a data protection law. Key aspects of it include: data processing, data collection, data storage, and data consent protocols.
Under the PDPA, you have the right to control how your personal data is collected, stored, disseminated and protected by organizations. We all have the right to know which organizations have our data, and how they use and share it. The PDPA prescribes duties and responsibilities to those who control and process our data.
Below is a brief overview of several key features of the PDPA:
1. An opt-out procedure must be made available
Data collectors (DCs) must make available an opt-out procedure which allows clients to withdraw his/her consent. They must then notify their clients of this option. However, DCs can continue to keep and use personal data which was collected prior to the PDPA becoming effective. Note that this is only possible if its collection or use is within the scope of the original purpose.
2. Secured cross-border transfer of personal data
Recipient countries who collect personal data in Thailand must have “adequate personal data protection standards”. Also, this migration of data must comply with the Personal Data Protection Committee’s rules of protection.
3. Data Protection Officer appointment
You should appoint a Data Protection Officer (DPO) if the personal data you process/collect requires regular monitoring because it is sensitive and/or large in scale. On top of that, your DPO should be able to communicate in Thai.
Preparing your business for when the PDPA comes into law
Here is a non-exhaustive list of the key actions you can do to prepare before June 1st, 2022.
- Make sure your company has an “opt out” procedure in place for the past personal data you collected.
- Do you have a global personal data protection policy covering the migration of personal data to your main office or offices overseas? If not, consider developing a policy to cover Thailand.
- Evaluate the size and nature of the personal data you handle in Thailand. You might be required to appoint a DPO. Having said that, the PDPC has yet to announce the threshold of personal data in order to appoint a DPO.
Protect your company with corporate insurance
While Thailand postpones the PDPA, cybercrime rates are rising With an increased urgency to keep yours and your clients’ data safe, it’s more important than ever to secure the right business insurance solution.
Pacific Prime Thailand is here to help. We leverage our close partnerships with top insurance providers in Thailand to formulate a best-fit plan that fulfills all of your business needs. Contact our team of experienced corporate and employee benefits specialists today for a free plan comparison!
Outside of work, Serena spends her time buried in books and dreaming of her next travel destination.
Latest posts by serena (see all)
- What an expat should know before buying property in Thailand - October 11, 2021
- List of “Hospitels” for COVID-19 patients in Thailand - July 26, 2021
- New COVID-19 vaccine registration method for expats in Thailand - July 12, 2021