Personal 

Data Protection Act Compliance.

are you ready?

We have a guided online Self Assessmen t tool to   
let you verify your GAP to compliance 

and give you all tools and templates to  
maximise your compliance posture


 Start your road to PDPA Compliance today - scroll to find how now!

 

Your Option to protect Personal Data

and immediately start your journey to compliance

Basic Self Assessment

For MSME limited to 10 staff with a single office configuration. 

You will have access to all our templates and documents to help you collect the critical data for your PDPA compliance with a clear plan and produce your policies and compliance documents.

  • Detailed User Guide
  • PDPA important facts & regulations
  • Comprehensive forms and Templates to complete your Policies
  • 45 min call supporting the process

Included for free, is a short report sent by email after the completion to validate your work or suggest improvements, including a check on Data classification.

From THB 25,000
*if required, can upgrade to level above

 

Advanced Self Assessment

For SMEs with a multi-office setup, the  Advanced Self Assessment will offer all elements included in the Basic plus 1 hr online session for extra guidance and support to help with questions and coaching.

We will also include a meeting in person (Bangkok area) or online via Zoom or MS Teams for your key staff.

  • 1 remote session of guidance
  • 1 presentation online or in person
  • A detailed review of your findings
  • Privacy policy revision
  • Privacy notice for collection points

A detailed review of your work with advice and a 2nd revision after your final work is also included in the package.

From THB 45,000
*if required, can upgrade to level above

Gap & Implementation plan

Targeting larger SMEs qualifying as Enterprise who need to record Processing Activities (RoPA) with multi-office set up and larger processing of personal data. We will assist you in the data mapping, and review your collection points and data silos, and validate all your policies.

Includes all elements of Advance +

  • Review Data Classification
  • Revision of All policies
  • Validation of last IT security Audit
  • Revision of Privacy Notice
  • Revision of Data minimization
  • templates for your RoPA
  • Setting your implementation Plan
  • Documented structure for Audits

From THB 75,000
*if required, can upgrade to "a la carte"
 


You can also get these services through your Accountant

We have also trained a number of Accountants and Professional Consultants to use our methodology and assessment. With our supervision and guidance, they can take you through the entire process, getting our full support along the way, to perform your Gap Assessment and to personalise your Implementation Plan, and process all the steps for your Compliance.

Not ready to buy and need more information?

Request an appointment with one of our Consultants

Why do privacy and personal data protection matters?

Data is the new GOLD

We are witnessing the largest and fastest change in this revolution commonly referred to as Industry 4.0. In a heartbeat, people all over the planet exchange personal data disclosing their location, whereabouts, health data, and all other details of their personal data and those of their friends, relatives, and business associates, often without even realizing the importance of the danger associated with this.

Sensitive personal data represents immense value to those prepared to exploit it, for sales and marketing purposes, but also as leverage to take advantage of opportunities, or even plan illegal activities, creating potentially massive drama and scandals.

How prepared are you with the personal data protection act to keep your clients safe?
Would you survive a Data breach?

Only 8% of Companies in Thailand were ready by June 2022

Join the Companies who have made the choice to comply with the PDPA and act now...

Time to take the Personal Data Protection Act seriously.

A few years ago, countries worldwide acknowledged the risk of abuse of personal data. As a result, we have seen the development of privacy laws enforcing tight control and regulations over exploiting personal data, and more specifically, sensitive personal data.

Thailand is following suit after a couple of years of a slow start. The PDPA or Personal Data Protection Act is now on par with large countries, protecting data subjects from abuse. Thailand has enacted laws requiring important changes in data processing and a very strict revision of processing activities relating to data subjects. The administrative penalties in the Thai PDPA include heavy fines for non-compliance, but they also can result in criminal penalties, including jail time for those responsible for the infringement over processing personal data.

In addition to the administrative penalties and criminal penalties, the personal data protection act also includes a possible recourse in Court via the personal data protection committee for the data subjects who could feel that they have suffered serious damage following a data breach of their sensitive personal data. A natural person who discloses personal data through their daily personal data processing activities, a such person under the law could see their personal property seized to offer monetary compensation to those who have suffered the leak. This is a drastic departure from how the law works in other countries.

It is not limited to firms based in Thailand...

Another important aspect of the PDPA regulations in Thailand is the extension to any companies or individuals who process data from persons living in Thailand.

You could be a business in Singapore or Europe, totally isolated from Thailand. Because you are holding the personal data of people living in Thailand, you must abide by the PDPA rules, and these laws are published in the Thai language only. This is not going to help foreign companies be compliant, you will need help.

Where to go from here?

You need to assess how compliant you are and what it will take to protect your company and yourself against the risks of a security breach. We prepared a guided online self-assessment as the basis of your compliance. We will help you with each step, choose the level most appropriate for your company size, or request a meeting for a full Audit. We can also help you with your security protocols, advise on the best practices in data storage and encryption, and offer other services such as incident response planning.

Three Step to look at your Compliance...


Understand PDPA
 

The Compliance deadline has already been extended, and full implementation is expected by 2023. We are in a transition period where companies still have time to become compliant.

It is time to prepare your Gap Assessment and take the appropriate steps to protect your company and its data. PDPA will require the involvement of all your divisions, the support of the top management, and the dedication of a small number of employees who will assume the delicate positions of Data Controller, Data Processor, and possibly a Data Protection Officer.

It is time to review these roles and instill the importance of keeping data confidential among all your employees. This is a major culture change. Your employees were never used to questioning their right to view or share data or to collect personal information on the fly for later use. This time is over, PDPA is changing the landscape, and the data subjects will impose their rights.


Align people, policy, processes
 

PDPA is 20% legal, 30% processes, and 50% IT security. You need to focus on the correct approach; aligning your people with understood policies, clear processes for your data processing, and overall quality security to protect your data, systems, and infrastructure.

Your objective is to avoid a data breach and its heavy consequences. This begins with a clear understanding of your current situation; a Gap Assessment to decide on your priorities, and the drafting of a clear roadmap to compliance.

It is time to review all your data points of entry, collection mechanisms, and storage procedures. You need to create missing policies for data handling and privacy notice for each collection point, record clearly the data set you collect, strictly minimalize it, and question the use of its content.

Do I need this, who can access it, what is the impact if it gets lost, how long should I keep it and how will I discard it?


be prepared for an incident
 

An airline can not guarantee 100% safety on each of its flights, but when you trust the pilot, the crew, the mechanics and maintenance people of the airline, the air traffic controller, and the crew on the ground, the security preparation before each flight, etc, you can fly without fear.

In the same way, you can not prevent 100% of all potential issues, you can however make them extremely rare, limit their impact and be prepared to handle the situation with a proper plan and attitude. You need to treat PDPA the same way airlines treat flying people.

Analyze your data silos, protect all of them, encrypt the sensitive and important data, create policies for confidentiality and security practice, control your processes, and design new ones as cross-checks. Make sure critical data is encrypted, and organize excellent access control. Document all your efforts and record your actions and checks so that in case of an incident, you can show the regulator you took PDPA very seriously and you will limit your exposure to fines or damages.

Buy online

If you need the first level of self Assessment, IT Audit validation, or training on IT/PDPA  awareness

Sign in

and complete all the steps, download and fill in the forms and Submit your final work.

Finalize

We will review your submission and guide you to improve it to get closer to the requirements.

Never Alone

if you need help, because your environment is too complex, we will assist you. Request a quote.

The only Compliance method where YOU define the Budget.

Join one of our informative Breakfast seminars 

A review of Thailand Data Protection Act.

Worried about the Personal Data Protection Act?


You’re not alone. The PDPA is a new law in Thailand, and it affects how businesses must handle personal data. But don’t worry, we can help! Our online self-assessment tool is easy to use and comprehensive – it will tell you everything you need to know about how to comply with the PDPA.

We know that compliance can be expensive, but our affordable pricing means that everyone can get the help they need. And our team of experts is always available to answer your questions and help you. So why wait? Get started today!

Click here now and take our online guided self assessment!.

Discover more

Origin of the Data Privacy Act

Inspired by the European GDPR, the PDPA law protects the personal information of Data Subjects (the person defined by the personal data), whether it is stored on computers or not. An organization that disregards this law and discloses personal data or doesn't adhere to the different standards will be penalized by the law and could get slapped with administrative fines and potentially face criminal penalties based on how severe the violation is.

PDPA is applicable in Thailand to any company that collects, uses, or discloses personal data. This includes companies that operate in Thailand as well as companies that have Thai customers or employees.

A few definitions to clearly understand the new Law


  • PDPA: Personal Data Protection Act
  • GDPR: General Data Protection Regulation
  • Data Subjects: Identified by the Personal Data
    (also named Data Owner)
  • DPIA: Data Protection Impact Assessment


  • Data Controller: Responsible for the rules of the Collection Process
  • DPA: Data Processing Agreement (Contract)
  • Data Processor: Processes Data on behalf of DC
  • DPO: Data Protection Officer (Nominated by DP and DC)
  • ePrivacy: Compliance for Web Marketing 







What is sensitive personal data?


Personal data is any information that can be used to identify data subjects. This includes, but is not limited to, names, addresses, phone numbers, email addresses, and national identification numbers.

Some can be further classified as Sensitive personal data, ie: Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Criminal records, Trade union memberships, Genetic data, Biometric data, Health records, Sexual orientation, or preferences.



Data Subject and consent


Data Subjects is the term used to represent the person who is identified by the personal data. The PDPA states that people must give clear, express consent before their personal data is collected except in some very specific cases. The data subject can always revoke their consent, but this doesn't undo any past collections of data that were done with legal consent. There are a lot of reasons why someone wouldn't need to give consent for data collection, like contractual obligations, protection of health (health data) or prevention of bodily harm, and the public interest.

The consent must be freely given, clearly expressed, outside of any constraining environment or document, and the data subject must be able to recall it as easy as it was to give it.


Rights of the data subject


The PDPA provides individuals with certain rights, including the right to:

  1. to withdraw consent, and file complaints with the Personal Data Protection Committee

  2. to access and retrieve a copy of his Personal Data

  3. to receive Personal Data in machine-readable formats

  4. to object to the collection, usage, and disclosure of the Personal Data in the circumstances as set out in the PDPA

  5. to request deletion and anonymization of the Personal Data

  6. to request that his Personal Data not be processed under the conditions set out in the PDPA

  7. The Data Controller ensures that the Personal Data remains accurate, up-to-date, complete, and not misleading. If there are any issues with this data, individuals have the right to file complaints with the relevant authority.

Data Protection Officer


A data protection officer must be appointed by the Data Controller, Data Processor, or representative of the Data Controller or Data Processor when either is required to appoint a representative in Thailand.

Data Controllers or Data Processors are a public authority as designated by the Committee.

Data controllers or Data processors should continuously monitor any collected personal data, especially if a lot of it has been collected as determined by the Committee


Enforcement and Penalties


Enforcement of the PDPA will be done by a Personal Data Protection Committee (PDPC). This committee will be responsible for creating guidelines.

If an organization is not compliant with the PDPA, it may face both civil and criminal penalties. The maximum fines under the PDPA are high. Each offense can result in an administrative fine of up to TBH 5 million ($165,000 USD) and a criminal fine of up to TBH 1 million ($33,000 USD). The PDPA also allows the court to award punitive damages that are double the amount of actual damages. The law also allows for one year of jail time. In addition, data owners are now able to file their own class-action lawsuits.


Impact on Businesses


The PDPA will have a significant impact on businesses in Thailand as they will need to comply with the new regulations. This includes ensuring that personal data is collected lawfully, for a legitimate purpose, and with the individual’s consent. Businesses will also need to put in place measures to protect personal data from unauthorized access, use, disclosure, or destruction.

Overall, the PDPA should be seen as a positive step for businesses in Thailand, as it provides consumers with more control over their personal data and reinforces the need for organizations to take steps to protect it. The PDPA will also create new opportunities for businesses in Thailand, such as providing innovative services that are centered on respecting the privacy of individuals.

Personal data protection committee

DATA AUTHORITY The PDPA provides for the establishment of the Personal Data Protection Committee (PDPC) with duties including: Determining measures or procedures for the protection of personal data; Issuing notifications or regulations; Announcing criteria for data protection procedures and the protection of data transferred overseas; and Preparing a master plan to support and protect personal


PDPA should lead to increased trust


The benefits of the PDPA 


The benefits include increased protection of the personal data of individuals in Thailand. 

The act protects individuals’ rights to data privacy and establishes strict guidelines on how personal data can be collected, used, and disclosed by businesses. It gives customers a sense of security that their personal information is well-protected, which in turn builds trust and loyalty towards the brands.

The PDPA will also create greater transparency around how businesses collect, use, and disclose personal data as it will require companies to protect personal data from misuse and unauthorized disclosure. It also provides individuals with the right to access their personal data and the right to correct inaccurate data. Finally, the PDPA creates a legal framework for companies to follow when collecting, using, and disclosing personal data.

Brand safety and loyal customers are the two most important outcomes of the Personal Data Protection Act (PDPA) in Thailand.

Customer loyalty and trust will result in increased confidence among users to share their data when they are required to use some Products and Services. In a nutshell, PDPA creates a win-win situation for both brands and consumers – while building customer trust and confidence, it also allows businesses to harness the power of big data without violating anyone’s privacy.


The negative aspect of PDPA


The PDPA may negatively impact businesses due to the strict regulations on data collection, use, and disclosure. 

The act requires businesses to obtain explicit consent from individuals before collecting, using or disclosing their personal data. This may result in reduced customer engagement as some individuals may be reluctant to provide their consent.

The act also strictly controls the transfer of information outside of the Country, which if a positive element in the trust chain will create serious issues for the users of Cloud technology, which probably represent 90% of the companies concerned by the PDPA.

In addition, businesses may incur additional costs in order to comply with the act, such as by appointing a data protection officer and implementing new security measures. Non-compliance with the PDPA can also lead to heavy fines of up to THB 5 million (approx. USD 150,000).

One downside is that people with important responsibility like Data Controllers have to take on extra liability beyond what the company as a Limited Responsibility would typically cover.

Overall, the PDPA is a positive step towards protecting individuals’ rights to data privacy. However, businesses need to be aware of the potential impacts of the act and take steps to ensure compliance.

Players in PDPA development in Thailand?


The main player in developing PDPA in Thailand is the National Electronics and Computer Technology Center (NECTEC). NECTEC is a research and development institute under the Ministry of Higher Education, Science, and Technology. NECTEC has been working on the development of PDPA since 2016. Other players include the Ministry of Digital Economy and Society (MDES), the Ministry of Justice (MOJ), the Ministry of Information and Communication Technology (MICT), the Royal Thai Police (RTP), and the Office of the Data Protection Commission (ODPC). What are some tips for complying with PDPA in Thailand? read and rewrite

Tips for complying with PDPA:



  • Understand the definition of "personal data" under PDPA.
  • Data Controllers will define the rules and security of such personal data
  • Know when and how to collect, use, and disclose personal data.
  • Put in place policies and procedures to protect personal data from misuse and unauthorized disclosure.
  • Limit your data collection to what is critically necessary; delete anything else
  • Prepare comprehensive documentation on your efforts toward compliance
  • Train employees on how to comply with PDPA.
  • Keep accurate records of personal data collected, used, and disclosed.
  • Cooperate with the Data Protection Commission (DPC) when investigations are conducted.

Potential causes of breaches 
in order of importance


  1. Negligent employee
  2. Outsourced data with a third party
  3. Cyberattack
  4. System glitch
  5. Protection failure on systems (Servers, laptops...)
  6. Malicious insider
  7. Lost in a physical delivery

the first 2 elements should get the maximum attention as they have been the leading causes of fines in Europe with GDPR.

Cyberattack is also of very high importance, however, it is often the result of a Negligent employee clicking on a dangerous link, bringing files to the office, or using a personal email or social media on a work computer.

Time to move on...

With the compliance deadline already passed and considering the low number of companies currently prepared, it's crucial that you immediately start assessing your current personal data practices (i.e., customer data, supplier data, employee data, billing and payment documents, etc.) and take the proper measures to adhere to all PDPA policies.

Compliance remains difficult as the law is still evolving...

Processing Personal Data remains a challenge

Personal Data Controllers are the most at risk for policy infringements. There is a need for education on sanctions for failure to process personal data collected. Penalties could be applied to their personal properties in case of security leaks that disclose personal data.

Personal Data Processors are under strict obligation to limit their activity to the framework dictated by the data controllers. Data subjects will have the right to claim damage if the data controller or the data processor fails to follow data protection laws.

Transfer of Personal Data across a border

The Personal Data Protection Act (PDPA) states that there are only a few requirements for cross-border data transfers. These requirements are not clearly defined and still evolving, which increases the risk of non-compliance.

For international transfers, the PDPA currently requires that the data transfer be approved before being executed, which places users of Cloud Technology and services like O365 in a delicate way for their compliance. The fundamental concept is that if a data controller sends or moves sensitive personal data or normal personal data to another country, Thailand's data protection obligations require that first permission from the PDPC, Personal Data Protection Committee, be requested

Secondary regulations from June 2022 easing regulations


On June 21, 2022, lessening the compliance regulations for small organizations by exempting them from having to record the Processing of Personal Data information. (RoPA - Record of Processing Activities)

Although the criteria used to remove this burden is linked to the maximum number of employees, to keep the Data Controller exempt from this, a threshold analysis must still be conducted nonetheless. Criteria are currently subject to interpretation.

The Data Processor follows similar rules and procedures while preparing and maintaining Personal Data processing activities.

The expert committee on the PDPA will soon release rules and subordinate regulations regarding administrative fines.

The PDPA requires Data Controllers and Data Processors to monitor subordinate regulations and to review their privacy policy and procedures regularly to see if any changes need to be made.


Data Controllers and Data Processors authorized to use existing data


Previously collected Data can still be exploited and Data Controllers may continue to use such Personal Data collected before the date that the PDPA came into force, provided that:

  1. Personal Data is only used for the purpose it was collected.
  2. The Data Controller creates a consent withdrawal method to allow the data subject, who no longer wants his or her Personal Data collected and used, to withdraw consent conveniently.




Cloud Technology remains an unforeseen problem.

Latest update September 2022 - under fine-tuning

A serious threat in the implementation of the law.


These days, the personal data protection act has become more convoluted as many businesses have shifted to cloud technology. 

This ranges from email servers (Microsoft Office 365, Google mail) to file-sharing sites (SharePoint, Google Drive). Though none of these services are based in Thailand, the companies that use them transfer personal data between countries—which breaks PDPA law.

Furthermore, to avoid an administrative fine, exchanging personal data with a platform located across borders would require that this organization holds data protection obligations with a compliance certificate.

They must still comply with other data protection laws and need to have implemented appropriate measures for protecting the personal data stored within those platforms.

To ensure compliance, organizations must audit their systems for security issues regularly and thoroughly document their data processing activities.

There are a few exceptions to these legal obligations:


This transfer abides by all current laws.

Explicit Consent was given by the data subject, after having been informed of the risks posed by Personal Data protection measures limited after the transfer

The transfer is required to comply with a contract that the individual has entered into or to take steps at the request of the individual prior to entering into a contract.

The transfer is necessary to comply with a contract between the Data Controller, and other persons or legal entities for the interests of the data subject.

The data transfer is authorized when it is necessary to prevent or suppress a danger to the life, body, or health of the data subject or other persons for that consent cannot be given at a such time.

The transfer is necessary for completing activities that serve a significant public interest.

Always First.

Subscribe to our Newsletter to be informed of the recent modifications of the law.


Our guide will prepare you for Compliance


Worried about compliance and don't know where to start? 

We have the perfect solution for you - our online self-assessment guide. It's an affordable, easy way to figure out what your company needs to do in order to be compliant. Plus, we're here to help every step of the way.

You'll be able to breathe a sigh of relief knowing that you're on track for compliance and didn't break the bank in the process. Our online self-assessment guide is a great way to get started without overspending on unnecessary services or products.

Sign up now and take the first step towards compliance!


Learn more

Our Guide 

knows the steps

Make a move now!

Start the Compliance