Upcoming Amendments to Thailand’s PDPA Law – What you should know

Thailand’s Personal Data Protection Act (PDPA) is currently undergoing amendments, even though it is not due to come into force until the delayed date of May 27th 2021.

PDPA laws are being updated as we speak, with full compliance and implementation of the updates expected by June 1, 2021. So what does this mean for your business? Let’s discuss.

What businesses must know (and do) before the June 2021 deadline

In July 2020, the Thai government issued a Notification that will act as a stop-gap to ensure that all personal data is fully protected until the currently deferred PDPA provisions become effective on May 27th 2021 – when PDPA compliance will be mandatory for every business working with customers’ personal information.

Under this Notification, your designated Data Controller must implement the required security controls and measures immediately, including but not limited to technical, administrative and physical safeguards for protecting personal data and bringing staff awareness up to the required level.

The Notification outlines minimum standards for personal data security measures, covering technical, physical and administrative safeguards with regard to the access, use and control of personal data – referred to as “Measures”.

These Measures set out the following:

  • Personal data access control and the equipment procured for collecting and processing all such personal data must consider its use, safety and security;
  • Entities are now responsible for setting out the relevant criteria to be put in place with regard to authorization or rights for accessing personal data;
  • User access management protocols should be in place to control personal data access by authorized personnel only;
  • User responsibilities are to be clearly outlined for preventing unauthorized access to, disclosure or copying of, or knowledge of personal data, and theft of equipment used to process personal data;
  • Any retroactive inspections around personal data access, erasures, alterations or transfers are to be arranged in accordance with the appropriate methods employed for collecting, using or disclosing personal data.

Source:  Formiti article