Following a growing global interest in data privacy, and the influence of the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018, the first Thai Personal Data Protection Act (PDPA) was issued in May 2019.

Due to the COVID-19 pandemic, the effective implementation date for PDPA compliance – particularly relevant for Data Controllers engaged in almost all types of businesses – has been postponed to 1 June 2021.

Under the PDPA, a Data Controller is a person or juristic person who collects, uses or discloses personal data.

Personal data under the PDPA consists of any data, such as names, e-mails, telephone numbers, photos, etc. which enables the identification of a living person, either directly or indirectly.

In practice, it is impossible for businesses to avoid collecting personal data in their daily operations. Businesses often collect, use and/or disclose the personal data of customers, employees, vendors, business partners, etc. However, the rules about how this can be done are about to change and businesses need to properly prepared.

Why does the PDPA matter?

Penalties under the PDPA are severe. They could be cumulative and could result in significant fines, imprisonment, or both.

For example, under the new PDPA rules, a data controller who fails to obtain legally required consent from a personal data owner when processing personal data may be liable for a fine not exceeding 3,000,000 Baht per time, e.g. failing to obtain consent 10 times, could make a data controller liable for a fine of up to 30,000,000 Baht.

Timeline for PDPA preparation

Based on our experience, for a mid-size business the general timeline for PDPA compliance preparation ranges from between three to five months, depending on the complexity of business activities and amount of personal data involved.

It is important, therefore, that business operators start the preparation process now, in order to be ready for PDPA compliance by 1 June 2021. 

Getting started

To start preparing, business operators should take these initial first steps:

Step 1: Identify your working team and plan your strategy for PDPA compliance. For effective PDPA preparation, the working team should involve key personnel from business, operations, IT, HR, legal and compliance.

Step 2: Identify all activities which relate to personal data and the affected persons – who, what, where and with whom do you share personal data? This activity is known as data mapping, performing a data inventory or creating a record of data processing.

Step 3: Prepare your plan to comply with the PDPA’s provisions in order to manage both existing personal data and personal data to be collected and processed in the future. This could apply to customers, employees, third parties (e.g. vendors, business partners), and other individuals (e.g. building visitors, website users, etc.).

In the forthcoming articles, we will share some of the key experiences of PDPA compliance and the common challenges our clients face during PDPA preparation.

KPMG Thailand is a member firm of the KPMG network in the EU which has extensive experience with the GDPR. We provide full PDPA services, including legal, risk management and IT services, from the data identification stage up until the completion of PDPA implementation, and including subsequent PDPA support.

We welcome any opportunity to discuss the relevance of the above for your business.

KPMG Thailand’s Legal Services Team offers a wide range of practical legal solutions. For more information, please visit KPMG Legal.