
Hitting a Moving Target: Regulatory Compliance in a Changing Landscape

Chris Cracknell

As businesses strive to maximise growth and performance, they must always keep an eye on the changing environment around them. These changes typically occur among their customers or competitors, but regulatory policy can also have a big impact on business operations.

The Thai government has recently enacted a number of policies, provisions and regulations to respond to new developments around the business world. These include the Personal Data Protection Act, new merger amendments to the Trade Competition Act of 2017, and the Cybersecurity Act – all requiring potentially significant action among businesses operating in the country.



The Personal Data Protection Act (PDPA) was approved by the National Legislative Assembly earlier this year. This act is similar to the European Union's General Data Protection Regulation. It aims to regulate the collection, use, and disclosure of personal data, while also providing a framework for the proper processing and use of customer data. Any organisation that depends on data control – especially e-commerce companies, insurance firms, and financial institutions – will have to ensure it is making lawful use of its customers' data.

Data collectors must now obtain clear consent from users before they can collect data, use it in any way, or provide it to a third party. Collectors are required to clearly explain what they intend to do with the data, and will be held liable if it is misused.

Organisations should be aware that liability also extends to any part of their activities that they outsource. If, for example, a company outsources its HR functions, it will still be held accountable if the HR service provider violates the terms of the PDPA.

Outsourcing non-core activities can be an excellent business decision that allows the organisation to focus on its strengths. However, it is vitally important to only outsource to a reliable and trusted partner.

The PDPA applies to most businesses, both onshore and offshore. All organisations in Thailand should start reviewing their data collection practices as well as specific items such as customer data, supplier data, and employee data to ensure everything is in proper compliance with the PDPA.


New merger provisions

New merger provisions have been added to the Trade Competition Act of 2017.

The new provisions impose substantial merger notification obligations in cases where the relevant turnover exceeds THB 1 billion. Essentially, the Trade Competition Commission must provide advance permission for mergers whose outcome leads to a monopoly or a dominant position in the marketplace.

In other cases, where competition is substantially reduced, the commission must be notified within seven days of the merger.


The Cybersecurity Act

Cybersecurity should be among the biggest concerns for all businesses, as instances of data trading and data hacking become increasingly prevalent. Yet many business leaders often ignore or underestimate cyber threats despite the horror stories of both data and financial loss that have circulated in recent years.

In Thailand, the Cybersecurity Act came into force in May 2019. The implications of this Act are far-reaching and will affect most entities.

When a cyber threat occurs, the entity in question may be obligated to monitor the system, provide authorities with access to the relevant data and systems, or even allow officials to seize equipment.

Entities that take part in activities concerning national security, material public service, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health, may be deemed a “Critical Information Infrastructure Organization” and thus subject to further regulation. These organisations are required to comply with the pre-determined minimum standards and code of practice, actively conduct risk assessments, notify authorities of any threats, and provide the names of owners as well as the names of those who monitor the systems.

Penalties for non-compliance can be quite severe, ranging from fines to imprisonment. Businesses should therefore take steps to comply with the Act by preparing their IT systems, as well as training staff, raising awareness, and updating any relevant legal documents.

Again, the right strategic partner can be instrumental in helping the organisation ready itself for compliance, if it does not have the necessary capability already in place.


From compliance to revenue maximising

Complying with all government laws and regulations is more than a legal requirement – it is also sound business practice. However, there is much more that organisations can do to both protect themselves and maximise profits.

One important area where many businesses lag is in contract assurance. Entities that issue regular and varied invoices to their clients often fail to include everything they should on these statements.

There are also many workarounds that dishonest customers can use to avoid paying the full amount when purchasing products online. These techniques are often shared on the Dark Web or even on social media.

Contract assurance is a specialist service provided by Grant Thornton to help clients maximise revenues from invoicing. Moreover, we can quickly identify online scams and help clients avoid further financial loss.

There are so many challenges in front of businesses today that having a good business partner like Grant Thornton is essential. We are committed to helping clients comply with all laws and regulations, handle loose ends, improve performance, and prosper throughout their business journey.