article banner

Practical Preparation for PDPA Compliance

Sanjay Sachdev

With Thailand’s Personal Data Protection Act set to come into effect on May 27th, organisations across the country must ready themselves to comply with the new regulations. Being adequately prepared entails understanding the PDPA and effectively communicating its implications with everyone in the organisation who has access to personal data.

In previous articles, we discussed the background and conceptual framework of the PDPA as well as implementation issues surrounding the Act, with a particular focus on cases where companies could be allowed to collect and use personal data on grounds of legitimate interest. Here, we will discuss some practical strategies that will enable your organisation to meet the May 27th deadline.

Assessing current data collection practices

The first step of preparation is to comprehensively assess your organisation’s personal information collection and use practices by carrying out a detailed gap analysis. At this stage, special attention should be paid to the areas of greatest regulatory risk. Compliance with new regulations is a work in progress that can pose significant challenges, but by focusing on basic principles, key requirements, and the building-blocks of data privacy, your organisation should be well-equipped to adhere to the new regulatory requirements.

A designated lead, Data Protection Officer, should be appointed to determine which employees deal with client data and inform them of how the new regulations may affect their day-to-day tasks.

The organisation must then determine how much personal data it has access to and where it is all stored, including personal devices. This process will involve a careful assessment of local and cloud-based operating systems, personal and company mobile devices, spreadsheets and databases, paper records, personal files, handwritten notes, and any other places where data could conceivably be located.

Once you have a full grasp of all the personal data your organisation currently holds, you must then clearly define your purpose for holding it. Under the PDPA, this purpose must be “specified, explicit and legitimate”. An ambiguously stated purpose such as “fundraising” could cover a wide range of data uses, and thus would not meet PDPA standards.

Gaining consent

When seeking consent to use someone’s data, you should be completely transparent about your intentions. The simplest way to achieve this is with a short privacy notice that is as plainly written as possible. Individuals need to know exactly what you plan to do with their data, how long you will hold it, who else you will share it with, and why – this is the bare minimum. However, it is also good practice to provide whatever additional information you feel will help your potential customers make an astute decision.

Moreover, there is a fundamental difference between telling a person that you’re going to use their personal data and getting their consent. For your use of an individual’s personal data to be both ethical and compliant with the PDPA, the individual in question must positively opt-in. If your consent mechanism consists solely of an “I agree” box with no supporting information, it won’t be considered valid.

You will also need to regularly remind clients of when consent will expire and send them a new privacy notice if you wish to collect and use their data again. To manage this, an update of your systems and processes may be required.

Be ready for data breaches

Under the PDPA, a data breach is a defined as an “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The PDPA compels organisations to report certain types of data breaches to the regulator and to the affected individuals. To be PDPA compliant, you need to be able to demonstrate that you have appropriate technical and organisational measures in place to detect, investigate and report data breaches.

Make a plan and seek support if needed

You’ll need to have a strategy in place to ensure your organisation is ready for the May 27th deadline. You’ll also need time to test out any new systems and processes. If you have any doubts or questions about your organisation’s ability to meet PDPA requirements, reach out and speak with other trusted business leaders in your sector. Better yet, Grant Thornton will be offering more in-depth PDPA training sessions, so sign up for these and bring us your questions.

Related Content

Complying with the PDPA – A Balancing Act

Thailand’s Personal Data Protection Act (PDPA) will enter into effect on May 27th of this year. While official guidelines for complying with the PDPA are still scant, many businesses have recognized the need to review their data collection policies and business processes in preparation for the May 2020 deadline.

Read more