Is Your Organization Prepared For Thailand’s PDPA Laws?
The GDPR that came into full force, following years of preparation and debate by the European Parliament in April 2016, had a profound effect throughout the technology, advertising and corporate sectors. Personal data protection in the EU has been a hot topic and is becoming an ever more important agenda globally.
In Thailand, coverage of the Personal Data Protection Act (PDPA) was initially published on the 27th of May 2019 in the Royal Thai Government Gazette. The act is the very first consolidated law governing the protection of personal data in Thailand and will come into full force on its impending target date, the 27th of May 2021.
The initial scope and requirements within the act itself are complex and create fundamental compliance challenges for organizations doing business in Thailand. For the last year in its announcement, your designated data controller must implement the required safety measures to protect personal data.
This act will require mandatory compliance from businesses of all sizes, whether a startup, a small to medium-sized enterprise or a large multinational corporation. The regulatory framework of the PDPA requires businesses to take strict measures in compliance with the act for the use of personal data; the rights of data owners require regulated technology, assets and internal procedures for:
The right to be informed
Data accessibility - Right to data portability
Right to object
Right to erasure, deletion and to be forgotten
Right to restrict processing
Right to rectify
For organizations, this could translate into a range of different challenges, many of which stem from the use of internal yet sensitive employee information that covers personal data attributes such as gender, orientation, religion etcetera. This includes the commercial usage of data such as income, affiliate attributes and positions, and the sensitive treatment of such data.
Both foreign and local entities must follow the regulations laid out in Thailand’s PDPA. However, unlike Europe’s GDPR framework, the PDPA contains no clause which prevents online businesses, platforms or entities from making decisions about user data based on any automated processing.
The first approach to establishing compliance and safeguarding your organization is the appointment of ownership. Within the framework of data privacy, organizations are required to establish internal expertise and ownership by appointing a Data Protection Officer ‘DPO’.
Implementing PDPA compliance is a costly project, one that requires expertise and the right technology partners for your online assets. The next step is to plan the right consent approach for the treatment of data being handled either offline or online, as well as setting up the requests used to collect consent from end-users.
Using and transmitting personal data may at first seem like a task that can be done in a short amount of time, yet the safeguarding steps regulated under the PDPA require businesses to provide a data controller to monitor the company’s data collection and to disclose the business’s confidentiality measures.
This appointed data controller is responsible for informing the Office of Personal Data Protection Commission within 72 hours of discovering any breach or violation of personal data, and can be held legally accountable if the company’s data collection or processing efforts fail to meet the requirements of the law.
To mitigate such risks, companies need to revisit their internal frameworks, rules and data protection regulation, the procedures of processing, the technology and its service architecture, but most importantly the consumer-facing assets online.
As per the announcement made on the 1st of February 2021, Morphosis Apps has been appointed as the official reseller of Cookie Information. The world-leading provider of privacy management software is collaborating with Morphosis Apps to leverage privacy by design and digital transformation initiatives for enterprises across South East Asia & Europe.
The partnership intends to provide affordable privacy compliance consultation and consent implementation, as well as universal consent management for the ePrivacy, GDPR, LGPD, CCPA and PDPA regulations within the market.
The consent solution provided by Cookie Information, which is currently being used by over 2,000 clients across the globe with 15 billion consents handled to date, will allow 40+ different languages, including PDPA consent solutions in the Thai language. Cookie Information’s mission is to help organizations and companies comply with privacy laws in the countries in which they operate, while at the same time enabling organizations to meet requirements on commercial data strategies and data ethical objectives.
The privacy solution is available from the 1st of February 2021 within South East Asia and Greater Europe, managed and implemented by Morphosis Apps, specifically for new PDPA laws in markets out of South East Asia. The Government of Thailand has outlined that the PDPA effective date is May 31, 2021.