Key takeaways
- Thailand’s PDPA regime was enacted to protect the data of individuals.
- Most, if not all, SMEs are required to comply with the laws set out in the PDPA.
- Major fines and penalties can be implemented failure to comply with the PDPA.
Thailand’s approach to data protection
Tabled in 2019 before coming into effect in 2021, Thailand’s Personal Data Protection Act, B.E. 2562 (A.D. 2019) (PDPA) is the country’s answer to the European Union’s General Data Protection Regulation (GDPR).
As data privacy and protection become ever more important to SMEs, it is essential that all businesses, big and small, have a succinct understanding of how the law will impact their operations and how to remain compliant with the regulations.
Overview of the PDPA
In this short article, we will try to summarise some of they key elements of the PDPA that SMEs should be aware of.
Complying with the PDPA
With a couple of notable exceptions, the PDPA applies to legal entities that collect, utilise or disclose a natural person’s personal data.
Most, if not all, businesses will be required to abide by the laws of the PDPA.
Obligations under the PDPA
As a controller of personal data, SMEs are required by law not to collect, use or disclose personal data without the express consent of the data subject.
To be able to utilise data from a customer, it is essential that the request for consent is gained in a written statement or via electronic means.
Security requirements under the PDPA
As cyber-attacks, including ransomware attacks, become more commonplace, it is imperative that you ensure the safety of your data.
The PDPA mandates that companies are under the requirement to have suitable security measures in place to protect the personal data of data subjects.
Requirements for data breaches
In the event of a data breach, the company must inform Thailand’s Personal Data Protection Commission (PDPC) within 72 hours of said breach.
Penalties for non-compliance with the PDPA
As government bodies take a more stringent approach to the protection of data, it is essential that companies take the necessary actions to ensure they remain compliant with the PDPA.
A breach of the PDPA can result in a company facing civil penalties and criminal liability. Failure to adhere to the regulations of the PDPA can result in fines of THB 5m and/or a jail term of not exceeding one year. However, this depends on the severity of the data breach and the type of violation.
What does this mean for my business?
To ensure SMEs can remain compliant with the PDPA, we suggest the following:
- Conduct a thorough analysis of the requirements of the PDPA to ensure constant compliance.
- Develop a stringent internal framework for dealing with the requests of data subjects.
- Ensure that all employees are aware of their obligations when handling personal data.
How can WSR International help you?
As this article was an introduction to some of the very basic principles of the PDPA, we suggest that companies take a more detailed look at the various requirements under the law, as there are numerous elements to be considered.
With business and legal experts located in both Bangkok and Phuket, WSR International are perfectly situated to assist you to get to grips with the PDPA.
If you would like to discuss the contents of this article in further detail, please do not hesitate to reach out to the business and legal experts at WSR International.
𝗖𝗼𝗻𝘁𝗮𝗰𝘁 𝘂𝘀:
WSR International Co., Ltd.
Chartered Square Unit 16-05, 152 North Sathorn, Khwaeng Silom, Khet Bang Rak, Bangkok 10500 VAT Registration no: 0905565001881
Phone: +66 92 616 4423
Email: info@wsrlawgroup.com
