People walking in Bangkok showing coming Thailand PDPA

Thailand PDPA Compliance: Is Your Organization Prepared for Enforcement?

According to the United Nations, 132 of 194 countries have implemented Data Protection and Privacy Laws globally as a result of the increasing importance of data and privacy as social and economic activities increasingly move online.

One such compliance regulation is Thailand’s Personal Data Protection Act (PDPA), which has been delayed until May 31, 2021 for a majority of organizations. Home to Asia’s eighth largest economy, the PDPA is Thailand’s first consolidated law on data protection and applies to all organizations operating in the country as well as those that handle Thai personal data. Originally set for May 27, 2020, Thailand’s Royal Decree on Agencies and Businesses Not Subject to the PDPA gives organizations more time to achieve compliance and adapt to the law. Organizations that are unsure if they are exempt from PDPA compliance until May 31, 2021 may seek advice from the Personal Data Protection Committee.

But the question on the minds of many remains – will the extension period make a difference? If history serves as any indication, probably not. According to research from Capgemini, only 28% of companies that must comply with the General Data Protection Regulation (GDPR) were compliant in 2019. This is a sharp decrease from the 78% of executives who expected to be compliant by the time the GDPR came into effect in May 2018. CCPA compliance is even more of a challenge to organizations, with just 14% of respondents having achieved CCPA compliance, according to a June 2020 TrustArc poll.

With less than a year until the new implementation date, how can organizations successfully prepare for Thailand’s PDPA enforcement come May 31, 2021?

Understand the ins-and-outs of Thailand’s PDPA

Published on May 27, 2019, the Thai PDPA aims to protect data owners within Thailand from the unauthorized or unlawful collection, use, or disclosure and processing of their personal data. Additionally, all organizations outside of Thailand that offer products and services in the country or monitor the behavior of individuals in the country are subject to its provisions.

Similar to the European Union’s GDPR, the Thai PDPA gives consumers the right to access, object, erase, and rectify personal data at their request. Once implemented, enforcement of the PDPA will fall under the power of a Personal Data Protection Committee (PDPC), established to enforce the regulation and provide organizations with advice or resources. Organizations found to be non-compliant after May 31, 2021 could face both civil and criminal penalties, with a maximum fine of up to THB 5 million ($165,000 USD) and criminal fines of up to THB 1 million ($33,000 USD). Once organizations know if they are subject to the Thai PDPA, they must turn their attention to securing data and achieving compliance.

Start by answering the five W’s

With the amount of data created over the next three years expected to outpace all data created in the past 30 years, compliance can no longer be ignored. Regardless of the security standard your organization is adhering to, there are common data-focused themes that exist across most of these standards. As a baseline, organizations should look to establish the five W’s of data security and compliance:

  1. Who are the relevant data subjects and the responsible personnel?
  2. What types of personal data are collected and processed, and what are the sources?
  3. When is the personal data collected and updated, and how long is it retained?
  4. Where is the physical and digital data stored and transferred to (i.e. within Thailand or overseas)?
  5. Why is the personal data being collected or processed?

These questions may seem simple, but for organizations with an earlier stage compliance posture, there may be multiple answers, creating more confusion and security/compliance concerns. In addition to this, if an organization cannot answer one or more of these questions, they may need to reconsider if they should even be storing the data in question. As a result of lower data storage costs, organizations have taken a laissez-faire approach to data, storing anything and everything they come across even without a clear use. But now, as the risk of keeping every piece of data increases and compliance fines rise in cost, they may have to decide what to keep and what to dispose of.

Understand the types of data you store and where

After determining where your organization falls in answering the five W’s, organizations must enact measures and standards to prioritize compliance and all other types of data security. This begins with discovering where the information is stored within the organization’s data ecosystem. It can be hidden anywhere, so start by scanning all employee devices and workstations including emails, cloud providers, desktops, and servers both on-premise and in the cloud to ensure that no stone has been left unturned.

Data security does not end once all personal or sensitive information has been located. With this newfound information, organizations can take what they have learned about their data environment to review and update organizational processes and current privacy protocols, as appropriate. Organizations should also take into account the new types of data they may be collecting now or down the line. As the line blurs between the physical and digital worlds, all existing and new forms of data will likely be subject to some form of compliance regulation. Taking this time to proactively establish a solid data management strategy will help organizations prepare for these emerging data sets and regulations, giving them an advantage over competition by showing a true commitment to customer protection.

Challenges created by increased regulation and tighter budgets

As a result of COVID-19, most organizations have had to make drastic switches to remote workforces, expediting the speed at which they undergo digital transformation. Furthermore, many organizations have been reducing or deferring available budgets in 2020 and asking technology and security teams to achieve more with less including a reduced headcount. As a result, businesses have expedited their transition from in-house managed infrastructure and platforms to consolidated, pay-as-you use cloud product suites and workflows to accommodate for dispersed employees and their subsequent data. However, these tools and processes bring new challenges to the already complex security and compliance framework spanning multiple countries and jurisdictions facing the modern-day organization.

No longer is an organization’s compliance and regulatory obligation dictated by the laws of the country and state where it is headquartered. Instead, many organizations must identify every location where they are doing substantial business across the world or even when they store a particular type of citizens data in any location.

What the future has in store

The Thai PDPA deadline extension gives organizations valuable time to achieve compliance and create the security measures necessary to help them succeed moving forward. Sensitive data is no longer limited to standard personal information such as National Identification Numbers, birthdates and emails, and the amount of data created every day means that organizations must understand both the data type and how it was collected. With more compliance regulations expected to come, organizations should take this opportunity to treat all data with the highest level of security, even if it isn’t required. These types of measures create a consistent data strategy across the organization, limiting confusion and risk.

Of course, even with the most advanced security posture, organizations will always be vulnerable to security breaches or fines. Organizations that view security as a true business imperative will be the most prepared for the Thai PDPA and future regulations. In summary it is not too late to begin working towards compliance, and it starts with a full data discovery scan.