Thailand’s PDPA (Personal Data Protection Act) of 2019 comes into effect on 1st June 2022. Compliance with the data protection regulations will be mandatory from this date for every business that handles customers’ personal information and is not on the exempt list.
While you need to implement physical, technical, and administrative data security controls and protection measures immediately, you will also need to run an internal training program to raise awareness of the PDPA’s requirements.
Here is a three-step plan you can adopt to ensure your business is compliant with the PDPA’s regulations:
1: Carry out third-party data protection due diligence
A growing business relies on third-party vendors or suppliers to gain cost-effective access to expertise.
However, third parties expose companies to reputational and compliance risks, particularly with regard to data privacy laws such as the PDPA. Consequently, third-party data protection due diligence is vital for businesses that handle personal data.
Measures you can take to carry out third-party data protection due diligence include:
- Develop a plan to manage third-party relationships
- Vet all third-party partners, vendors, and suppliers and conduct due diligence before you select them or enter into agreements
- Ensure the third party is PDPA compliant
- Enter into data processing agreements with all your third-party vendors
- Audit third parties’ data protection and security controls regularly
- Include risk management processes in third-party contracts
- Review third-party relationships periodically
- Develop contingency plans setting out what steps to take if a third party violates the data protection contract
2: Ensure data processing agreements are in place between controller and processor
When the personal data that your business collects is not processed entirely in-house, the data controller and data processor must have a data processing agreement in place under the PDPA. “Processing” activities can include back-office or day-to-day activities such as cloud-based or offline data storage. This means that most businesses will need to ensure an agreement between the processor and the controller is in place and executed before any transfer of personal data occurs.
The responsibilities of both parties have to be adequately allocated in the agreement. In the event of failure to comply with these obligations, the liabilities include punitive damages of up to THB 5 million, in addition to administrative, civil, and criminal penalties (imprisonment of one year, an additional fine, or both).
3: Comply with data transfer mandates out of Thailand
The PDPA mandates that cross-border data transfers may only be made to countries with ‘adequate safeguards’ for data protection. Exemptions apply when the transfer is necessary to protect the data subject’s vital interests, when consent has been obtained, or when the transfer is made to meet legal or contractual obligations.
If a business has a multinational presence and shares personal data with other legal entities of the same business outside Thailand, the data can be transferred provided there is a group-wide internal data protection policy.
If none of the above applies to your business, you can still transfer data out of Thailand:
- By providing effective remedial measures to data subjects in case of a violation involving their personal data
- By implementing additional good practices such as:
  - Maintaining a record of data processing activities related to the data transfer
  - Creating a data map
  - Ensuring a third-party data processing contract is in place
  - Carrying out data due diligence