A few years ago, countries worldwide acknowledged the risk of abuse of personal data. As a result, we have seen the development of privacy laws enforcing tight control and regulations over exploiting personal data, and more specifically, sensitive personal data.

Thailand is following suit after a couple of years of a slow start. The PDPA or Personal Data Protection Act is now on par with large countries, protecting data subjects from abuse. Thailand has enacted laws requiring important changes in data processing and a very strict revision of processing activities relating to data subjects. The administrative penalties in the Thai PDPA include heavy fines for non-compliance, but they also can result in criminal penalties, including jail time for those responsible for the infringement over processing personal data.

In addition to the administrative penalties and criminal penalties, the personal data protection act also includes a possible recourse in Court via the personal data protection committee for the data subjects who could feel that they have suffered serious damage following a data breach of their sensitive personal data. A natural person who discloses personal data through their daily personal data processing activities, a such person under the law could see their personal property seized to offer monetary compensation to those who have suffered the leak. This is a drastic departure from how the law works in other countries.

It is not limited to firms based in Thailand...

Another important aspect of the PDPA regulations in Thailand is the extension to any companies or individuals who process data from persons living in Thailand.

You could be a business in Singapore or Europe, totally isolated from Thailand. Because you are holding the personal data of people living in Thailand, you must abide by the PDPA rules, and these laws are published in the Thai language only. This is not going to help foreign companies be compliant, you will need help.

Where to go from here?

You need to assess how compliant you are and what it will take to protect your company and yourself against the risks of a security breach. We prepared a guided online self-assessment as the basis of your compliance. We will help you with each step, choose the level most appropriate for your company size, or request a meeting for a full Audit. We can also help you with your security protocols, advise on the best practices in data storage and encryption, and offer other services such as incident response planning.

What is sensitive personal data?

Personal data is any information that can be used to identify data subjects. This includes, but is not limited to, names, addresses, phone numbers, email addresses, and national identification numbers.

Some can be further classified as Sensitive personal data, ie: Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Criminal records, Trade union memberships, Genetic data, Biometric data, Health records, Sexual orientation, or preferences.

Data Subject and consent

Data Subjects is the term used to represent the person who is identified by the personal data. The PDPA states that people must give clear, express consent before their personal data is collected except in some very specific cases. The data subject can always revoke their consent, but this doesn't undo any past collections of data that were done with legal consent. There are a lot of reasons why someone wouldn't need to give consent for data collection, like contractual obligations, protection of health (health data) or prevention of bodily harm, and the public interest.

The consent must be freely given, clearly expressed, outside of any constraining environment or document, and the data subject must be able to recall it as easy as it was to give it.

Rights of the data subject

The PDPA provides individuals with certain rights, including the right to:

1. to withdraw consent, and file complaints with the Personal Data Protection Committee
   
   
2. to access and retrieve a copy of his Personal Data
   
   
3. to receive Personal Data in machine-readable formats
   
   
4. to object to the collection, usage, and disclosure of the Personal Data in the circumstances as set out in the PDPA
   
   
5. to request deletion and anonymization of the Personal Data
   
   
6. to request that his Personal Data not be processed under the conditions set out in the PDPA
   
   
7. The Data Controller ensures that the Personal Data remains accurate, up-to-date, complete, and not misleading. If there are any issues with this data, individuals have the right to file complaints with the relevant authority.

Data Protection Officer

A data protection officer must be appointed by the Data Controller, Data Processor, or representative of the Data Controller or Data Processor when either is required to appoint a representative in Thailand.

Data Controllers or Data Processors are a public authority as designated by the Committee.

Data controllers or Data processors should continuously monitor any collected personal data, especially if a lot of it has been collected as determined by the Committee

Enforcement and Penalties

Enforcement of the PDPA will be done by a Personal Data Protection Committee (PDPC). This committee will be responsible for creating guidelines.

If an organization is not compliant with the PDPA, it may face both civil and criminal penalties. The maximum fines under the PDPA are high. Each offense can result in an administrative fine of up to TBH 5 million ($165,000 USD) and a criminal fine of up to TBH 1 million ($33,000 USD). The PDPA also allows the court to award punitive damages that are double the amount of actual damages. The law also allows for one year of jail time. In addition, data owners are now able to file their own class-action lawsuits.

Impact on Businesses

The PDPA will have a significant impact on businesses in Thailand as they will need to comply with the new regulations. This includes ensuring that personal data is collected lawfully, for a legitimate purpose, and with the individual’s consent. Businesses will also need to put in place measures to protect personal data from unauthorized access, use, disclosure, or destruction.

Overall, the PDPA should be seen as a positive step for businesses in Thailand, as it provides consumers with more control over their personal data and reinforces the need for organizations to take steps to protect it. The PDPA will also create new opportunities for businesses in Thailand, such as providing innovative services that are centered on respecting the privacy of individuals.

Personal data protection committee

DATA AUTHORITY The PDPA provides for the establishment of the Personal Data Protection Committee (PDPC) with duties including: Determining measures or procedures for the protection of personal data; Issuing notifications or regulations; Announcing criteria for data protection procedures and the protection of data transferred overseas; and Preparing a master plan to support and protect personal

Potential causes of breaches 
in order of importance

1. Negligent employee
2. Outsourced data with a third party
3. Cyberattack
4. System glitch
5. Protection failure on systems (Servers, laptops...)
6. Malicious insider
7. Lost in a physical delivery

the first 2 elements should get the maximum attention as they have been the leading causes of fines in Europe with GDPR.

Cyberattack is also of very high importance, however, it is often the result of a Negligent employee clicking on a dangerous link, bringing files to the office, or using a personal email or social media on a work computer.

Processing Personal Data remains a challenge

Personal Data Controllers are the most at risk for policy infringements. There is a need for education on sanctions for failure to process personal data collected. Penalties could be applied to their personal properties in case of security leaks that disclose personal data.

Personal Data Processors are under strict obligation to limit their activity to the framework dictated by the data controllers. Data subjects will have the right to claim damage if the data controller or the data processor fails to follow data protection laws.

Transfer of Personal Data across a border

The Personal Data Protection Act (PDPA) states that there are only a few requirements for cross-border data transfers. These requirements are not clearly defined and still evolving, which increases the risk of non-compliance.

For international transfers, the PDPA currently requires that the data transfer be approved before being executed, which places users of Cloud Technology and services like O365 in a delicate way for their compliance. The fundamental concept is that if a data controller sends or moves sensitive personal data or normal personal data to another country, Thailand's data protection obligations require that first permission from the PDPC, Personal Data Protection Committee, be requested

A serious threat in the implementation of the law.

These days, the personal data protection act has become more convoluted as many businesses have shifted to cloud technology. 

This ranges from email servers (Microsoft Office 365, Google mail) to file-sharing sites (SharePoint, Google Drive). Though none of these services are based in Thailand, the companies that use them transfer personal data between countries—which breaks PDPA law.

Furthermore, to avoid an administrative fine, exchanging personal data with a platform located across borders would require that this organization holds data protection obligations with a compliance certificate.

They must still comply with other data protection laws and need to have implemented appropriate measures for protecting the personal data stored within those platforms.

To ensure compliance, organizations must audit their systems for security issues regularly and thoroughly document their data processing activities.

There are a few exceptions to these legal obligations:

This transfer abides by all current laws.

Explicit Consent was given by the data subject, after having been informed of the risks posed by Personal Data protection measures limited after the transfer

The transfer is required to comply with a contract that the individual has entered into or to take steps at the request of the individual prior to entering into a contract.

The transfer is necessary to comply with a contract between the Data Controller, and other persons or legal entities for the interests of the data subject.

The data transfer is authorized when it is necessary to prevent or suppress a danger to the life, body, or health of the data subject or other persons for that consent cannot be given at a such time.

The transfer is necessary for completing activities that serve a significant public interest.