On May 5th, 2021, the Minister of the Ministry of Digital Economy and Society (MDES) has announced that the Thai Cabinet had approved a postponement of the enforcement of the Thailand Personal Data Protection Act B.E. 2562 (2019) (PDPA) to June 1, 2022.
Due to the Covid-19 pandemic, businesses in Thailand and international locations covered by the PDPA were facing mounting challenges to meet the June 1st, 2021 deadline. We estimate that as many as 76% of organisations would not have been compliant on that date.
Now that the date has been further delayed to 2022, it gives both the ministry and all covered organisations to plan well in advance and ensure that you are ready and achieved compliance by 1st June 2022.
It’s worth noting that controllers also have to ensure they have performed the required due diligence on their third-party data processor’s no mean feat considering the heavy lift of examining existing contracts, drawing up data processing addendums and negotiating liability caps.
How should companies prepare the right plan for compliance? Every successful journey begins with a detailed knowledge of where you are starting from and a solid plan to get to your destination.
Full Gap Analysis
We recommend a full gap analysis by the business department measuring your current data processing operations against a global data privacy maturity standard. This should include a full remediation section detailing what is needed to close the gaps.
Data Discovery and Mapping
A full Data mapping exercise that captures the 5 w’s
Why: your organisation is processing personal data the
What: personal data is processed, the source of the data and the lawful basis for processing
Whose: personal data is processed, and the category of the data subject
When: the personal data is processed, how was it obtained, and how is it updated.
Where: the personal data is processed, location; this includes manual paper records, digital on-premise and cloud locations.
This facilitates the speedy delivery of data Rights requests for access and data deletion, restriction, objection etc., and records how it is secured.
Legal Compliance:
Before entrusting your company data with a third party for processing, the controller is accountable and responsible to perform due diligence on the third party to ensure they will process and protect the data to your instructions. Added to that are the requirements to look at the country of location of the third-party organisation to ensure the country has the data protection regulations that match or better the PDPA. These requirements are met with a third-party due diligence questionnaire expert advice on global data regulations and data processing contract addendums ( DPA). Having expert guidance on this limits the risk of non-compliance and possible fines.
VinarcoPDPA provides a one-stop-shop for all PDPA services delivered by our in house privacy, legal and operational teams. contact us on +66 (0) 2285 6240-9 or info@vinarcopdpa.com
