Preparing and implementing PDPA compliance policies in Thai companies

This Act applies to efficiently protect people's personal data such as phone number, Line ID, email, address, or bank account no matter in paper form or digital form. 

In the past, many businesses have collected a large amount of customer information for marketing purposes. But after the PDPA Act is enacted, private businesses and SMEs will no longer be able to keep customer data for a long period of time.

On 24 June 2021, True Digital Park organized an online discussion called TDPK TALK: Global Tech Review  “Preparing and implementing PDPA compliance policies in Thai companies” powered by Tilleke & Gibbins to talk with the legal experts from Tilleke & Gibbins and True Digital Group to discuss ways for Thai entrepreneurs to prepare for PDPA.

4 important obligations for businesses to oblige before PDPA come into effect include:

1. Duty to collection, use, or disclose of personal data  

• Set a Records of Processing Activity (ROPA) to help analyze data minimization and purpose limitation 
• Set a privacy notice to notify customers to show transparency in collection, usage or disclosure of personal data. Customers’ consent will also be required.
• Select data processor according to the duties and issue data processing agreement 
• In the event that the data controller sends or transfers personal data to third countries, Binding Corporate Rules (BCR) or standard contractual clauses must be provided.

2. Duty to secure the data

• Data controllers have to determine measures or policy within the organization to standardized data management, if a data breach occurs, there may be problems.

3. Duty to grant rights to data owners

• The company must prepare a process for data owners to exercise their rights. For example, the preparation to oblige by users’ requests such as to view their data collection and amend their consent.

4. Duty to designate a data protection officer (DPO)

• The DPO is responsible for advising how organizations should comply with PDPA Act
• DPO must understand the organization, the PDPA act, and IT & security very well
• DPO can be either a team or an individual

Data management process

1. Designate a data protection officer (DPO)

2. Set a Record of Processing Data (ROPA) to help organizations learn how personal data is processed. This will allows privacy notices to be done appropriately 

3. Provide other documents

• Internal policy
• Data breach 
• Data subject rights 
• Security
• Data processing agreement
• Standard contractual clauses, in case you transfer the personal data to third countries 

4. Set up security measures

5. Create other tasks such as DPIA (Data Protection Impact Assessment)

Who has to comply with the PDPA policies?

Every business that collects, uses, or discloses personal data needs to follow the PDPA act. 

In conclusion, the business sector should not collect more than what is needed and use the data according to the purpose notified to the data subject prior to or at the time of such collection to avoid the problem that might occur in the future.

Related article: What the PDPA means for businesses and people