In the past few years, Thai people have constantly heard about the Personal Data Protection Act, or PDPA. It came into full effect on 1st June 2021. The Act aims to protect personal privacy and to assure consumers that the personal data processed by businesses is kept secure.
In a nutshell, compliance with PDPA and applicable laws requires businesses to:
- Set up data processing that respects data subject rights.
- Adjust approaches to obtain data consent as well as privacy policies.
- Hire or appoint a Data Protection Officer (DPO).
- Create data breach response plans.
- Verify and assess risks and effectiveness of personal data security.
- Comply with other applicable laws related to personal data.
Every business that processes personal data must adhere to this act. In this article, G-Able will help organizations understand the core of PDPA and approaches to compliance.
1. Data Subject Rights

Thailand’s PDPA covers several aspects of data subject rights, including:
- The right to access: Data subjects are entitled to request access to and to obtain copies of personal data as well as to request disclosure of the acquisition of his/her personal data. Requests can be rejected only when permitted by law or pursuant to a court order, and such access adversely affects the rights and freedoms of others.
- The right to have data rectified: Data subjects are entitled to request data controllers to rectify incorrect or incomplete data.
- The right to erasure: Otherwise known as “The right to be forgotten”. Data subjects have the right to request erasure in some cases such as when the personal data is no longer necessary in relation to the purposes for which it was collected, used or disclosed.
- The right to object to processing: Data subjects have the right to object to processing of his/her personal data for specific purposes such as direct marketing or advertising.
- The right to portability: Data subjects have the right to receive his/her personal data in formats which are readable or commonly used by automatic means. Data subjects also have the right to request his/her personal data transfer to other data controllers.
- The right to restrict processing: Data subjects have the right to request restriction of data processing in certain circumstances such as when data accuracy is in question.
Organizations must implement systems to fulfil requests from data subjects within the specified period. They also need to understand data subject rights and properly train officers to handle these requests.
2. Consent

Thailand’s PDPA dictates that, unless exempted, organizations must clearly ask for consent before processing personal data. The consent request must not be misleading or deceptive and must be accepted by the data subject him/herself.
The following steps can help organizations assess and become compliant with PDPA:
- Revise privacy policy. Clearly state how personal data will be collected, retained, and disclosed.
- Simplify consent requests. Use simple checkboxes that data subjects can easily tick.
- Simplify consent withdrawal requests as well, and provide guidelines on how to withdraw consent.
3. Data Protection Officer (DPO)

Organizations that process highly sensitive data or need to frequently verify data owners must designate a Data Protection Officer (DPO). The DPO is responsible for giving advice and monitoring compliance with the PDPA. Designation of a DPO includes:
- Understanding the intent behind this required designation.
- Making sure the DPO is fully qualified.
- Defining DPO’s scope of work.
4. Data Breach Response Plans

Thailand’s PDPA mandates that each company create data breach response plans which outline the steps to identify, investigate, and notify breaches. Response plans help mitigate risks and speed up remediation. Here are our suggestions for creating data breach response plans:
- Designate a department or person responsible for identifying, monitoring, and notifying breaches.
- Create an internal communication protocol which can immediately send out alerts to responsible parties.
- Create a plan to notify data subjects, Personal Data Protection Commission (PDPC), and other related agencies.
- Implement preventive and remedial measures to prevent future breaches.
5. Risk and Performance Assessment

Organizations should regularly assess their risks of data breaches, especially when there are significant changes in work processes or personal data processing. Security performance should also be assessed. Assessments include:
- Risks related to personal data processing.
- Preventive measures against the identified risks.
- Existing data protection measures.
- Future enhancement of data protection measures.
6. Compliance with Other Applicable Laws

In addition to PDPA, organizations that process personal information may also have to comply with other related regulations, such as those governing commercial use of personal data, child protection, or health records. Revising procedures to comply includes:
- Understanding all the laws that govern the data your organization processes.
- Changing work processes and policies to comply with the laws.
- Consulting with legal experts on PDPA.
Summary
Compliance with PDPA is essential for organizations that process personal data. Companies should assess and revise work processes and policies to mitigate risks from personal data breaches. They also need to fulfil data subjects’ requests and understand all the applicable laws. If you are looking for experts on Thailand’s PDPA compliance, G-Able is your “Trusted Tech Enabler Partner for Business Resilience.” Our technology will drive your competitive edge in the digital space.
Our WhiteFace is inspired by the “Possible. Simple.” philosophy. The solution helps multiply possibilities, open doors, and get you ready for the roles of data controller and processor. Your data processing will be more transparent and fully compliant with PDPA. Log on to https://whitefact.co/ for more information.
