Anuwat Ngamprasertkul and Piniti Chomsavas

The public and private sectors have had around three years to study, check their readiness and adapt to comply with the Personal Data Protection Act B.E. 2562 (2019) (“Personal Data Act”) from the date of publication in the Government Gazette on 27 May 2019 until the date the law was fully enforced on 1 June 2022. The Personal Data Act is a new law that introduces legal principles aimed at protecting the rights of personal data subjects and controlling the collection, processing or disclosure of personal data by data controllers or data processors. In the early stages of enforcement, there may be obstacles to compliance unless there are guidelines and awareness of the legal burdens and penalties in particular.

From the author’s experience of studying the law, the Personal Data Act and the General Data Protection Regulation, including guidelines for interpretation and judgments of various agencies in the European Union, have provided opportunities for organizations to prepare for and comply with personal data protection laws. Therefore, the author would like to provide the steps to prepare for compliance with the Personal Data Act to create awareness, enhance understanding and identify related legal issues. The steps are as follows.

1. Data Discovery to determine whether the organization collects, processes or discloses “personal information”, and to be able to identify the status and roles of data controllers or data processors as defined under the law to determine different obligations and liabilities as required by the law.

2. Data Classification to categorize the types of personal data that exist, including sensitive personal data under the Personal Data Act, and determine whether personal data has a high risk of causing damage to data subjects.

3. Purpose Identification to evaluate and review the purposes for the collection, processing or disclosure of personal data, and attempt to reduce the unnecessary storage of personal data (data minimization).

4. Legal Basis by obtaining consent to process the personal data of the data subject above, or have other legal bases that allow the collection, processing or disclosure of personal data.

5. GAP Analysis by assessing whether the organization has performed its duties in full compliance with the law as well as the extent that activities related to personal data have exposed it and the impact on data subjects in order to determine the proper safeguards.

6. PDPA Compliance by preparing the relevant documents, policies, procedures and guidelines for compliance with the law by providing complete documentation and procedures as required by the law such as privacy notice, consent forms, data processing agreements with personal data processors and practice guidelines to reduce risks by establishing policies, regulations or guidelines within the organization and arranging training for employees or related personnel.

Understanding the Personal Data Act, analyzing potential legal issues and establishing guidelines for preparing to comply with personal data protection laws are very important and useful to both lawyers and law enforcement agencies in reviewing the readiness of organizations and the award of penalties, including business operators who are obliged to comply with the law either as data controllers or data processors and most importantly all data subjects who are protected under the Personal Data Act.

The above article is an abstract. In the event you would like to read the full article (in the Thai language), please visit the website of the Office of Judicial and Legal Affairs.

Disclaimer:

The article above is general information only and is not intended to be relied on or be a substitute for specific professional advice. Blumenthal Richter & Sumet Ltd. will not accept responsibility for any losses or damages that are incurred by any person taking an action because of the information in this article.

In the event you have any questions regarding the above regulations or PDPA compliance, please contact Anuwat Ngamprasertkul, Partner as well as Head of Litigation and Dispute Resolution and Co-Head of Tech-Media-Telecoms (TMT) at Blumenthal Richter & Sumet, at [email protected] or +662-022-1022.