Key principles for businesses to prepare for PDPA compliance

As we all are aware personal data is very valuable and important for businesses in today’s world, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into force on 1 June 2022 with the purpose of protecting personal data. 

As the PDPA applies to both public and private entities that collect, use or disclose personal data, if entrepreneurs are not well prepared for PDPA compliance, they may easily cause a violation of the PDPA which could lead to severe civil and criminal penalties. Therefore, every  entrepreneur should conduct a self-assessment to ensure the readiness of PDPA compliance.

There are three key principles which entrepreneurs may consider as guidelines to examine their PDPA readiness: 

For the effectiveness and sustainability of PDPA compliance within an organization, all of its personnel and other relevant persons should, at all times, be aware of the importance of personal data protection. To ensure this, organizations should provide appropriate and relevant PDPA training to their people and maintain regular communications on PDPA updates and guidelines.

As the PDPA provisions are complicated, organizations should design separate training courses to ensure suitability for participants. This could include:

• Training for management level: To draw the attention of management to importance of the PDPA so they can best monitor PDPA compliance within the organization.
• Training for PDPA working teams: Training should be detailed and be relevant to actual business operations. 

Besides regular training, there should be recap sessions.

Almost all departments get involved in personal data processing in the day-to-day operations. Therefore, PDPA preparation and compliance require cooperation from all departments within an organization since each department will have the best understanding of its own activities.

For example, all related departments should assist with the preparation and update of the Record of Processing Activities (“ROPA”) to ensure that the ROPA is accurate, complete and up to date. The ROPA also helps the organization to define a PDPA compliance framework in accordance with its actual operations which supports the effectiveness of PDPA compliance. The appropriate ROPA could also assist the legal department in analyzing and preparing the necessary PDPA legal documents to support compliance.

The organization should have measures to monitor the PDPA compliance, for example:

• Determining a responsible person(s) for monitoring PDPA compliance within the organization: This could be the Data Protection Officer (“DPO”) and DPO support team (where the organization meets the criteria for appointment of the DPO under the PDPA), or other related persons (in case the organization is not required to appoint the DPO under the PDPA).
• Conducting PDPA compliance check: The organization may arrange an annual PDPA compliance check, either by an internal team or by external consultants, in order to ensure effective compliance.

However, the organization should carefully consider and balance compliance with the law against continuity of business operations. Specifically for the activities relating to a large amount of personal data, deliberate consideration of all aspects should be carried out before any implementation occurs. In this regard, the organization may consult with specialists for assistance in providing both legal and practical advice.

KPMG Law has extensive experience with PDPA compliance and supporting services. We provide full PDPA services from the data identification stage to completion of PDPA implementation. Our services include subsequent PDPA support such as training, PDPA document review, ad-hoc advisory services, Data Protection Officer support and advisory services. 

We welcome any opportunity to discuss the relevance of the above matters to your business. 

KPMG Thailand’s Legal Services Team offers a wide range of practical legal solutions. For more information, please visit https://home.kpmg/th/en/home/services/legal.html