Where to start?

This Guide is the complement to the Online Assessment from Safecoms.
It is recommended that you read this Guide first before proceeding with the questions from the online application. Come back to this guide each time you have a question about the data the application asks you to provide.

Quick User Setup Guide

Step 1: Team up:

Create a team within your company that will be dedicated to this project. You need to name the official roles (Data Controller, Data Protection Officer, Data Processor) as well as those who will assist you (Security advisor, Legal advisor, etc.).

Step 2: Company analysis:

Locate every area in your company where Personal Data is being processed or stored. Determine who is responsible for each section. You will also need to repeat this process for each 3rd party company that may have access to Personal Data.

Step 3: Collection, Storage, Security

Define the type of Data you are handling, classified into Normal Data or Sensitive Data. Understand the legal basis for the collection. Minimize data processing, and explore ways to exclude non-critical data. Analyze your entire company as well as all third-party suppliers.

Step 4: Risks Management

Analyze how much exposure the personal data you hold creates, and understand your level of processing, systematic or occasional. Run a risk analysis to assess the impact of a data leak. Prepare yourself for questions from Data Subjects or Regulators. Always keep track of all changes made to data protection policies as well as any communication with data subjects.

Step 5: Maintain Compliance

Constantly evaluate and improve your company's compliance by conducting routine audits, measuring the effectiveness of your current plans. Update them accordingly with any changes in the law. Additionally, you should make sure to regularly train your teams in regard to data processing and security measures.


Overview

The PDPA online self-assessment guide provides an easy way to get compliant with the Personal Data Protection Act (PDPA) in Thailand. The guide covers all aspects of PDPA compliance and provides practical advice on processes, along with examples of privacy policies, privacy notices, data processing agreements, and definitions of roles for compliance. Companies can use this self-assessment tool to assess their existing processes and procedures and identify areas where changes need to be made in order to meet the requirements of the PDPA.

The guide also helps familiarize users with the work environment, workspace, and people who might be affected by any potential data processing activities.

It allows companies to get an overview of their operations and identify potential risks they may face when collecting or using personal data.

The PDPA online self-assessment guide is not only useful for getting compliant with the Personal Data Protection Act. Once a company complies with the PDPA regulations, it can also show potential partners and customers that it takes data privacy seriously and is committed to protecting the information of its clients and partners.

In addition to the self-assessment guide, SafeComs also provides security audits, training for IT security awareness, and Data Privacy Act awareness for employees.

How to use this Self-Assessment

We recommend that you get familiar with the work environment, workspace, and people. Then we suggest that you start by reading the guide, and thereafter download the templates and annexed forms to familiarize yourself with them. After that, you can use the self-assessment questionnaire to assess your current privacy compliance level and identify areas for improvement.

Once you have identified any gaps in your current compliance status, our experienced consultants are available to help you address them. We provide a variety of services such as security audits, training for IT security awareness, and Data Privacy Act awareness for employees. We can also help you develop and implement policies that are tailored to your company’s specific needs.

Team up: This will determine your success immediately.

Company: You need to have a detailed analysis of your entire firm.

Data: The Gold of this century, worth protecting.

Risks: You need to plan to avoid, but also be prepared to manage.

Maintain: This is an ongoing process to update constantly.

Step 1 - Team up!

Create your action team.

The first step will be to create your team and get commitment from everyone who will help. This project requires that a Data Privacy Committee is formed, with someone appointed as Data Protection Officer (DPO). In addition, you should name a Data Controller who will establish the rules for complying with the PDPA. It would also be beneficial to identify individuals who could act as internal or external legal support; finally, all division managers should be consulted for the resources needed going forward.

  • Confirm the full support of Top Management
  • Create your Data Privacy Committee.
  • Identify your single point of contact for all questions and information
  • Who is your internal legal support?
  • Who will drive this project (probably you)?
  • Who is your data controller?
  • Who is the Data Protection Officer (DPO)?

Each team member will have different roles and responsibilities. However, everyone should be involved in understanding the implications of data privacy regulations, as well as implementing policies that ensure compliance with PDPA.


Step 2 - Gather all details about your company.

Your Company

Your company's description, main activities, and organization chart are crucial. Also, identify all areas where Personal Data could be collected or processed. Not only is your company responsible for the data processing that happens internally, but you're also responsible for any data processing that occurs with third-party contractors. Make sure you have a complete picture of who processes Personal Data.

Draw your Organization chart

  • Branch offices, responsibility, and location
  • Identify each department where there is personal data processing
  • Identify all 3rd parties working for your company
  • Does your company have an overall security policy? Is it already GDPR compliant?
  • What is the level of security of each department?
  • What is the level of security of each 3rd party?
  • What is the level of your awareness program for your employees?
  • What is the level of your awareness program for your 3rd party?
  • We will need to understand the level of training required for your employees


You can watch our Training Videos on Data Classification, Guidelines, and the legal basis for Personal Data Processing on our website www.pdpa.guide

Step 3 - Data Collection and Storage

You will start by identifying every single place where personal data is collected, for each of your offices or departments, and for all your 3rd party contractors. You will need to draw a Data Map with the flow of all information. You need to identify every piece of data that is collected or processed to make sure you have classified it with the appropriate level of sensitivity and know how it should be treated.

After collecting or processing data, you need to identify where it is stored. You will also need to assess the level of protection and ensure that it is adequate given the sensitivity of the data being processed. This task must be completed for your entire company as well as any third parties you are working with.

For your company

  • Location of each data silo, physical or logical
  • Collection area - what processing is happening?
  • Take a copy of each collection form used in each department
  • What personal data is collected?
  • Classify if it is normal or sensitive data
  • What is the legal basis of this collection?
  • Is it legal, and fair for the data subject? Is it allowed?
  • Remove fields if data is sensitive and not critically needed

Storage

  • How is the data protected?
      - Normal data
      - Sensitive data
  • Do you have a RoPA for each collection?
  • Do you have a Privacy Notice for each collection? (To be uploaded)

For each 3rd party

  • Location of each data silo, physical or logical
  • Collection area - what processing is happening?
  • Take a copy of each collection form used in each department
  • What personal data is collected?
  • Classify if it is normal or sensitive data
  • What is the legal basis of this collection?
  • Is it legal, and fair for the data subject? Is it allowed?
  • Remove fields if data is sensitive and not critically needed

Storage

  • How is the data protected?
      - Normal data
      - Sensitive data
  • Do you have a RoPA for each collection?
  • Do you have a Privacy Notice for each collection? (To be uploaded)

Privacy policies and Notices

You need to create privacy policies and notices for your customers, employees, and other stakeholders. Explain what personal data is being collected, how it will be used, who has access to the data, and how it will be protected. Make sure that all interested parties can easily understand the content of your policies. Use our templates for guidance if you don't have any policies internally.

Each collection point will need to have a clear Privacy Notice where the data is collected, to let people know your privacy and retention policy. Each will also include a RoPA; see the annexes for its definition.

Step 4 - Risks Management

A crucial element of your compliance

Risk Management is a crucial element of your compliance with the privacy act. To ensure data security, you need to apply the highest level of security measures to sensitive data, and then work down from there based on the risks involved for the individual whose data is being processed.

To get an idea of how much exposure you have, you will need to perform an Impact Assessment. This will help you identify how damaging a breach would be to individuals whose data is being processed if it were compromised.

Collect each form used to capture personal information and answer the following questions to analyze your legal requirement to perform a RoPA and an Impact Assessment.

  • Do you process data systematically or only on occasion?
  • Do you process on a large scale or a small scale?
  • Do you merge data in a way that could increase the identifiability of individuals?
  • Do you share data with other companies?
  • Do you export data to other countries?
  • Do you use Cloud-based storage?
  • Do you use cloud-based email?

Data subject Response plan

  • Create your registry of requests from Data Subjects
  • How do you verify the identity of a Data Subject? How can you make sure the request is legitimate?
  • For each request, indicate how you handled and replied, and keep your registry up to date
  • Create a process to handle requests for deletion of data and implement an appeal process for Data Subjects who feel their rights were not respected

Build your Incident response plan

  • Understand what an incident is, and what a security breach is
  • When do you have to report it, and under which circumstances?
  • What data precisely must be reported, and to whom?
  • When can you consider it to be an internal incident only?

Auditing and Reporting

Once the self-assessment is complete, this guide provides a best practice audit and risk assessment to validate that your company is compliant with the PDPA. The aim is to identify any gaps in processes and data protection practices and correct them.

This self-assessment software offers companies a comprehensive way to ensure they are compliant with the PDPA, and the mechanism to report it in case of control by the regulators.

Step 5 - Maintaining Compliance

Compliance is an ongoing process, not a one-time activity. It involves continuous analysis of your compliance level, adaptation to changing situations, and keeping up with the fine-tuning of the laws by regulators. We recommend a number of activities to maintain a high level of compliance and avoid damaging security breaches.

Regular actions

  • Annual Audit of security posture
  • It is vital that you focus on a high level of security for sensitive data
  • Measure your security plan efficacy
  • Monitor legislation
  • Review your cybersecurity posture
  • Employees should be trained regularly, and each new employee should receive training when they are first hired ("onboarding")

Conclusion

By taking these steps, you should be able to ensure that your organization remains compliant with data protection laws and regulations. The self-assessment tool provided by SafeComs will help you identify any areas where more work needs to be done in order to reach the highest level of compliance. With regular monitoring and training, we are confident that your organization will remain compliant with the PDPA.

Thank you for taking the time to read this guide and we wish you success in becoming compliant.