In May 2020, the Thai Cabinet approved a royal decree granting a one-year exemption from certain provisions of the Personal Data Protection Act 2019 (PDPA), which had been scheduled to take full effect on May 27, 2020. The new decree has extended the effective date for a number of the law’s provisions to May 31, 2021.
Key Elements of the Extension
Under the decree, certain critical provisions of the PDPA are not enforceable against exempted businesses (see list below) during the extension period, including the following:
However, as required by section 4, data controllers must still implement a minimum level of security protection measures for personal data in accordance with the standards to be prescribed by the Ministry of Digital Economy and Society, expected later this year.
It should also be noted that the requirement for the regulator to issue supplemental notifications and regulations is not within the scope of the extension. The Personal Data Protection Commission (PDPC) is therefore expected to continue issuing these supplemental measures during the extension period.
The list of exempted businesses, below, covers a wide range of sectors and industries, and applies regardless of location:
What to Do Now
In addition to staying up to date on the issuance and implementation of supplemental notifications and regulations under the PDPA over the coming year, businesses should make use of the additional time to prepare for compliance. A sample framework for doing so is provided below.
Step 1: Identify the personal data currently possessed by the company
Estimated timeframe: 1–3 months
In this stage, it is important to understand the PDPA’s requirements and conduct self-assessments to identify an entity’s current and anticipated personal data processing activities. To identify the main processing activities, companies should answer the five Ws:
This should be reported in an internal assessment to aid widespread understanding of the practice—especially the original purpose for collecting or processing the personal data—within the organization.
Gaps and mitigation measures should also be identified, including:
Step 2: Close the gaps and monitor for new subordinate regulations
Estimated timeframe: 2–4 months for closing gaps; monitoring ongoing until May 31, 2021
In this stage, organizations should monitor the issuance and development of new subordinate legislation—including through public hearings—to ensure that they are aware of their compliance obligations. At the same time, it will be necessary to focus also on closing the gaps identified in Step 1 by implementing the necessary mitigation measures and putting measures in place to ensure operational compliance. This may include preparing the following:
Privacy policies for relevant data subjects. Where consent is identified as the lawful basis, consent forms must be prepared for the relevant data subjects (e.g. individual customers, employees, etc.).
When the subordinate laws on data subject rights become publicly available, it will be necessary to examine the requirements and set up a process for managing requests to uphold data subject rights, as well as data controller and processor obligations under the PDPA.
Achieving Compliance on Schedule
By following these steps, organizations can ensure that they will be fully compliant when the extension period ends on May 31, 2021. The estimated timeframes of the various steps listed above can give an idea of how long each step will take, but the actual schedules should be determined based on the level of PDPA readiness within the organization, the scale of implementation, and any future developments of the subordinate legislation under the PDPA. Companies should work closely with local legal counsel to ensure that their compliance measures are on track, and will be effective when the law comes into force.
Tilleke & Gibbins will continue to monitor the development of the PDPA and provide updates as they emerge. If you have questions about the PDPA, or any other aspect of data compliance in Thailand, please do not hesitate to contact any member of the PDPA team, including Athistha (Nop) Chitranukroh or Nopparat Lalitkomon.