The latest country to follow in the EU's data protection footsteps, Thailand is gearing up for the arrival of its first law protecting individuals' personal data rights, but what does this mean for your business? VinarcoPDPA's global data privacy experts have the answers.
Thailand's relationship with the concept of privacy has always been a curious one, to say the least. For years, the idea that individuals have a right to privacy was a key part of the country's national constitution, albeit one without any law or regulation forcing businesses to uphold that right. Certain rules and codes of practice were in place for Thailand's health sector and other industries dealing in particularly sensitive personal data. Even so, the country had nothing like GDPR, nor anything resembling even the most basic all-encompassing data protection law, such as the UK's Data Protection Act.
At least, that was the case until now.
After a lengthy process of drafting, public consultation and revision, Thailand is finally set to bring its own Personal Data Protection Act (PDPA) into force. Much like the raft of other new data laws that have come along in the past two years, this one takes many of its cues directly from GDPR. Despite the Covid-19 pandemic, the PDPA is due to come into force on 27th May 2021.
On its face, this is good news for many businesses: the similarities between the two laws mean that many of the processes, policies and procedures they already have in place for GDPR can serve equally well for PDPA.
Even so, in much the same way that business owners were left scratching their heads in the run-up to GDPR coming into force last May, PDPA's arrival has left many with serious questions about what exactly Thailand's new data protection law means for them.
That’s where we come in.
At VinarcoPDPA, we specialize in helping businesses worldwide achieve frictionless compliance with global data protection laws in a way that provides long-term added value.
Today, we answer your burning questions about Thailand’s Personal Data Protection Bill and how it may affect your business.
Who does PDPA apply to?
Just as GDPR applies to all data processors and data controllers who deal with data subjects within the European Union, PDPA applies to all processors and controllers who deal with data subjects in Thailand, regardless of where those processors and controllers are actually based.
In other words, if you’re a UK business, but you provide goods and services to people in Thailand (no matter whether you charge for them or not), then you need to ensure that your business is PDPA-compliant.
That’s not all.
The new law also applies in any instance where the behaviour of data subjects in Thailand is monitored. So, even if you don't provide services directly to data subjects, but you carry out business-to-business services such as tracking people's internet activity for targeted marketing or user testing, then PDPA applies.
I outsource my data processing to Thailand; how does this affect me?
According to the Personal Data Protection Committee (PDPC), which oversees the implementation and enforcement of PDPA in Thailand, the new requirements apply to personal data that is collected, used, or disclosed by a Thailand-based data processor or controller, regardless of where that data is collected, used or disclosed.
To put that in simpler terms, if you only collect the data of EU data subjects but use a firm in Thailand to collect or process it for you, then, yes, PDPA applies.
What do I need to do to ensure frictionless compliance with PDPA?
The most pressing issue for any business affected by Thailand's new data protection law is to ensure that you have a lawful basis for collecting, using, or disclosing personal data.
As with GDPR and similar regulations, explicit consent is the lawful basis that is talked about the most, and often for good reason.
It is certainly the most straightforward and uncomplicated way of collecting and processing personal data lawfully. Obtain the express consent of data subjects, and you leave little doubt as to the validity and legality of your processing activities.
However, many businesses overlook the fact that explicit consent isn't the only option they have at their disposal. There are other lawful bases which are every bit as valid:
- Contract: explicit consent is not required if the processing is necessary to carry out the terms of a contract the data subject has entered into with you, or to take steps requested by the data subject before entering into a contract.
- Vital interest: you do not need explicit consent if the processing is necessary to protect a person's life.
- Public task: this lawful basis can be used if the processing is necessary to carry out a task in the public interest, as long as that task has a clear basis in law.
- Legitimate interest: if you can show that the processing is necessary for the legitimate interests of your business or of a third party, you can forgo explicit consent. Note, however, that this basis is overridden where the protection of the data subject's rights and interests is deemed more important than your legitimate interest.
What else do I need to know about consent?
It's also important to point out that PDPA lays out extra conditions for obtaining the consent of minors. Your VinarcoPDPA compliance consultant can advise you as to what these are and how best to implement them should they apply to you.
What rights do data subjects have under PDPA?
Again, PDPA isn't too dissimilar from other regulations that have come along in the last few years. Data subjects have the following rights, and handling their requests reliably requires well-managed processing records and a good compliance platform:
- The right to be informed
- The right to access
- The right to data portability
- The right to object
- The right to erasure/right to be forgotten
- The right to restrict processing
- The right to rectify
Does my business have any other obligations?
Yes. In particular, you need to ensure that sufficient physical and digital security measures are in place to prevent unauthorised or malicious access to, use of, or modification of any personal data you hold.
You will also need to be sure that, if you plan to transfer the personal data of Thai data subjects to businesses in other countries, those countries have sufficient data protection regulations (such as GDPR) in place, and that the receiving businesses comply with them.
What do I need to do in the case of a data breach?
Naturally, you will have done everything in your power to prevent a data breach. Should the worst happen, however, the PDPA requires the controller to notify the PDPC without delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, you must also inform the affected data subjects without delay.
What are the consequences of non-compliance?
Businesses that are found in violation of PDPA are liable to administrative, civil, and/or criminal penalties depending on the circumstances. Of course, your business never has to reach this stage.
As part of our comprehensive Global Data Privacy Service, VinarcoPDPA offers expert advice, guidance, and hands-on support to ensure that you are not only fully compliant with PDPA and other international privacy regulations, but that you achieve that compliance in a way that helps your business to grow.