Advance Blog

April 17, 2020

PDPA COMPLIANCE PREPARATION – What Businesses Can and Should Do to Be Prepared for Compliance with the Personal Data Protection Act B.E. 2562 of Thailand

This note discusses some of the basic steps which businesses/companies should take to be prepared for compliance with the Personal Data Protection Act B.E. 2562 (“PDPA”) of Thailand. The PDPA implementation will start from its full effective date of 27th May 2020. This note does not constitute legal advice and it is not supposed to be exhaustive or complete.

The PDPA governs the collection, use and disclosure of personal data of natural persons (data subjects) by businesses/companies (data controllers and data processors). The data subjects can be employees, customers and suppliers of companies and the members of the general public.

Each business must comply with the PDPA; otherwise the business itself and/or its directors and/or its managers can be subject to civil liability (compensation for actual damages suffered by the data subject from the offence committed by the business plus punitive damages of up to two times the actual damages) and/or administrative liability (a fine not exceeding THB5 million per offence) and/or criminal liability (imprisonment for a term not exceeding one year and/or a fine not exceeding THB1 million per offence).

What businesses can do to be prepared for compliance with the PDPA is discussed below.

1. Data Mapping and Data Gap Analysis

A data mapping can be carried out to locate, quantify and categorize the existing collected personal data and the current personal data flow (how data is collected, processed, stored, used, disclosed and transferred) in or from your company. After the data mapping, a data gap analysis should be conducted to find out whether or not the data flow of your company has any loophole or fails to comply with the PDPA.

2. Risk Assessment and Data Treatment Plan

The findings from the data mapping and the data gap analysis should then be used for conducting a risk assessment focusing on the risk criteria, risk level, scenario and possible impacts associated with the current data flow. After the risks have been assessed, an appropriate data treatment plan should then be created to generate suitable solutions, policies and guidelines to make the data flow comply with the PDPA.

3. Revision of Existing Compliance Documents

All the existing documents for or related to personal data protection, such as Personal Data Protection Policy, Privacy Notice and Consent Form, should be reviewed and revised to ensure that they meet the requirements under the PDPA and the PDPA implementation rules and regulations.

4. Additional Compliance Documents

If your business does not have the compliance documents required under the PDPA, such compliance documents should be prepared and ready to be used on and after 27th May 2020 to mitigate risks of offences and liabilities under the PDPA.

5. Legal Advice and Training

The business should take legal advice and the key members of the management and the compliance team of the business should attend a training session so that they gain sufficient understanding about the PDPA and its potential impacts on the business. The training will help the management and the compliance team understand how to collect, use and disclose personal data in compliance with the PDPA.

Kowit Somwaiya, Managing Partner, LawPlus Ltd.
Kowit Somwaiya is the Managing Partner of LawPlus Ltd. He can be contacted at kowit.somwaiya@
Oramart Aurore Saardphak, Senior Associate, LawPlus Ltd.
Oramart Aurore Saardphak is a Senior Associate of LawPlus Ltd. She can be contacted at [email protected].
