This note discusses some of the basic steps that businesses/companies should take to prepare for compliance with the Personal Data Protection Act B.E. 2562 (“PDPA”) of Thailand. Implementation of the PDPA will start from its full effective date of 27th May 2020. This note does not constitute legal advice and is not intended to be exhaustive or complete.
The PDPA governs the collection, use and disclosure of personal data of natural persons (data subjects) by businesses/companies (data controllers and data processors). The data subjects can be employees, customers and suppliers of companies and the members of the general public.
Each business must comply with the PDPA; otherwise the business itself and/or its directors and/or its managers can be subject to civil liability (compensation for the actual damages suffered by the data subject from the offence committed by the business, plus punitive damages of up to two times the actual damages), administrative liability (a fine not exceeding THB 5 million per offence) and/or criminal liability (imprisonment for a term not exceeding one year and/or a fine not exceeding THB 1 million per offence).
The steps businesses can take to prepare for compliance with the PDPA are discussed below.
1. Data Mapping and Data Gap Analysis
A data mapping exercise can be carried out to locate, quantify and categorize the personal data already collected and the current personal data flow (how data is collected, processed, stored, used, disclosed and transferred) within or from your company. After the data mapping, a data gap analysis should be conducted to find out whether the data flow of your company has any gap or fails to comply with the PDPA.
2. Risk Assessment and Data Treatment Plan
The findings from the data mapping and the data gap analysis should then be used to conduct a risk assessment focusing on the risk criteria, risk level, scenarios and possible impacts associated with the current data flow. Once the risks have been assessed, an appropriate data treatment plan should be created to set out suitable solutions, policies and guidelines that bring the data flow into compliance with the PDPA.
3. Revision of Existing Compliance Documents
All existing documents for or related to personal data protection, such as the Personal Data Protection Policy, Privacy Notice and Consent Form, should be reviewed and revised to ensure that they meet the requirements of the PDPA and its implementing rules and regulations.
4. Additional Compliance Documents
If your business does not yet have the compliance documents required under the PDPA, they should be prepared and ready for use on and after 27th May 2020 to mitigate the risk of offences and liabilities under the PDPA.
5. Legal Advice and Training
The business should obtain legal advice, and the key members of its management and compliance team should attend a training session so that they gain a sufficient understanding of the PDPA and its potential impacts on the business. The training will help the management and the compliance team understand how to collect, use and disclose personal data in compliance with the PDPA.