Personal Data Protection Act Comes into Full Effect on 1 June 2022
The Personal Data Protection Act (“PDPA”) came into full effect on 1 June 2022 and its ramifications are extensive. Similar to the EU, Thailand is now imposing higher standards of care and duties on businesses and organisations to ensure the privacy and security of personal data. Embedded in the PDPA are the rights of individuals in relation to the collection, use and dissemination of their personal information along with the obligations and procedures that organisations must uphold. Failure to comply may result in civil and criminal liabilities for the organisation and its management.
Here are some key features to know about the PDPA and what organisations need to do now to be compliant:
PDPA Main Features:
- Adopted for data privacy and aligned with global data protection laws, in the EU and elsewhere
- Data overseen by the Personal Data Protection Committee
- Applicable to all information that identifies people – both directly and indirectly
- Violations are punishable by administrative fine (up to THB 5 million), criminal penalties (up to THB 1 million or 1 year penalty), and punitive damages (up to twice the cost of damages)
What businesses need to do now:
- Find and catalogue all the personal information you have
- Establish a retention/deletion schedule to get rid of personal information you no longer need
- Put privacy notices on your website and other information collection points
- Make sure you have procedures in place for recognising and actioning individuals’ rights requests (e.g. access requests)
- Decide whether or not to appoint a Data Protection Officer or establish an alternative privacy function
- Review your data security and governance arrangements
- Identify the legal basis for collecting/using personal information – consent or an alternative
- Explain new rules to staff and train them to reinforce their personal responsibility
Grant Thornton offers a comprehensive series of detailed gap analyses to assess a company’s current state of preparedness for compliance with the PDPA. Grant Thornton will leverage its presence in the UK and Thailand to provide valuable insight into the requirements of the law and the local regulator’s approach.
We are aware of the worldwide expansion of data protection law, and whilst there will be regional variations in the law and regulation, we will focus on the basic principles, key requirements and building-blocks of data privacy. This will put the client in a good position to comply with the law and to adopt good practice.
By using our expert understanding of global data protection law, we will ensure that your company adopts a proportionate approach that is in harmony with its values and priorities. We will focus on the areas of greatest regulatory risk, recognising that compliance can be challenging and in some respects will be a ‘work in progress’.