Thailand: Personal Data Protection Act (PDPA) Amendments on the way: What does this mean for your company?

Thailand’s Personal Data Protection Act (“PDPA”) is in the process of being updated, and full implementation and compliance are expected by 1 June 2021. This comes by way of the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (“Notification”), which was recently released by the Thai Ministry of Digital Economy and Society and is effective from 18 July 2020.

The Notification sets out minimum standards for the personal data security measures covering administrative safeguard measures, technical safeguard measures, and physical safeguard measures in respect of the access to, or controlling the use of, personal data (“Measures”).

Specifically, the Measures set out the following:

  • Access control of personal data as well as the procurement of equipment used for the collection and processing of personal data needs to take into consideration usage, safety and security;
  • Entities must now set out the relevant criteria that will be put in place with respect to authorisation/rights in accessing personal data;
  • User access management protocols must be put in place to control the access of personal data by only permitted personnel;
  • User responsibilities must be clearly specified for the prevention of unauthorised access, disclosure, knowledge and copying of personal data, and stealing of equipment that collects or processes personal data; and
  • Retroactive inspections of access, alterations, erasures, or transfers of personal data must be able to be arranged in line with suitable methods used in the collection, use or disclosure of personal data.

Please note that the above measures constitute a base level of data security standards that the Notification sets out. In practice, the specific data security measures implemented by any given company may vary, but such measures must have security standards no lower than those mentioned above.

In addition, data controllers (or data processors) under the PDPA are now required under the Notification to:

  • implement the Measures (which would include creating a data inventory and updating or procuring a new IT system); and
  • notify staff, employees, and/or any relevant persons of the Measures under this Notification in order to raise awareness of the importance of personal data protection and to encourage strict compliance.

If you have any questions about what this means for you or your company, please contact the authors of this article.

Authors: Samata Masagee, Pattama Jurunpunphol and Nahsinee Luengrattanakorn