Thailand’s Personal Data Protection Act (PDPA) has been delayed until May 31, 2021 for a majority of organizations. Thailand is home to Asia’s eighth-largest economy, and the PDPA is its first consolidated law on data protection; it applies to all organizations operating in the country, as well as those that handle Thai personal data. The law was originally set for May 27, 2020, and Thailand’s Royal Decree on Agencies and Businesses Not Subject to the PDPA gives organizations more time to achieve compliance and adapt to the law. Organizations that are unsure if they are exempt from PDPA compliance until May 31, 2021 may seek advice from the Personal Data Protection Committee.

With less than a year until the new implementation date, how can organizations successfully prepare for Thailand’s PDPA enforcement come May 31, 2021? Let’s explore through a step-by-step, proactive approach:

Education is Key: Understanding Thailand’s PDPA

Published on May 27, 2019, the PDPA aims to protect consumers in Thailand from the unauthorized or unlawful collection, use, disclosure, and processing of their personal data. Additionally, all organizations outside of Thailand that offer products and services in the country or monitor the behavior of individuals in the country are subject to its provisions.

Similar to the European Union’s GDPR, the PDPA gives consumers the right to access, object to, erase, and rectify personal data at their request. Once the law is implemented, enforcement of the PDPA will fall under the power of a Personal Data Protection Committee (PDPC), established to enforce the regulation and provide organizations with advice or resources. Organizations found to be non-compliant after May 31, 2021 could face both civil and criminal penalties, with a maximum fine of THB 5 million ($165,000 USD) and criminal fines of up to THB 1 million ($33,000 USD). Once organizations know if they are subject to the PDPA, they must turn their attention to taking the steps to achieve compliance.

Answering the Five W’s

With the amount of data created over the next three years expected to outpace all data created in the past 30 years, compliance can no longer be ignored. Data security is being pushed to the forefront of the C-suite’s agenda, and as more compliance regulations are expected in the years to come, now is the time to proactively enact data security initiatives that apply to all organizational information. When putting this into practice, organizations should look to answer the five W’s of data security and compliance: 

  • Who are the relevant data subjects and the responsible personnel?
  • What types of personal data are collected and processed, and what are the sources?
  • When is the personal data collected and updated, and how long is it retained?
  • Where is the physical and digital data stored and transferred to (i.e. within Thailand or overseas)?
  • Why is the personal data being collected or processed?

The First Step to Thailand PDPA Compliance: Data Discovery

Organizations must put in place measures and standards to prioritize compliance and all other types of data security. This begins with discovering where and what information is stored within the organization’s data ecosystem, a concept known as data discovery. Data can be hidden anywhere, so start by scanning all employee devices and workstations, including emails, cloud providers, desktops, and servers both on-premises and in the cloud, to ensure that no stone has been left unturned. Use mapping to find out where personal data is, where it came from, who has access to it, and what it’s being used for.

Recognize that as the line blurs between the physical and digital worlds, all existing and new forms of data will likely be subject to some form of compliance regulation. Taking this time to proactively establish a solid data management strategy through data discovery will help organizations prepare for these emerging data sets and regulations, giving them an advantage over the competition by showing a true commitment to customer, employee, and partner protection.

Ground Labs is Here to Help

The Thai PDPA deadline extension gives organizations valuable time to achieve compliance and create the security measures necessary to help them succeed moving forward. The best way to achieve this is with Ground Labs’ award-winning data discovery solution, Enterprise Recon. Ground Labs makes finding and remediating sensitive data simple and allows your organization to start the process of achieving PDPA compliance and remain proactive ahead of the enforcement date. Powered by GLASS™ technology, Enterprise Recon enables the quickest and most accurate data discovery across the broadest range of platforms – ensuring that you always know where your data resides and that your business can continue to flourish and keep personal and sensitive data secure, regardless of its location.

Interested in learning more about how to achieve compliance under Thailand’s PDPA regulations with Enterprise Recon? Schedule a demo with a data discovery expert today.
