Preparing and implementing PDPA compliance policies in Thai companies

Four key obligations that businesses must meet before the PDPA comes into effect:

1. Duty regarding the collection, use, or disclosure of personal data

  • Maintain a Record of Processing Activities (ROPA) so that data minimization and purpose limitation can be analyzed for every processing activity
  • Publish a privacy notice that informs customers how their personal data is collected, used, or disclosed, for transparency. Where no other legal basis applies, customers' consent must also be obtained.
  • Select data processors according to the duties they will perform and put a data processing agreement in place with each of them
  • If the data controller sends or transfers personal data to a third country, Binding Corporate Rules (BCR) or standard contractual clauses must be in place

2. Duty to secure the data

  • Data controllers must define security measures and an internal policy that standardize how personal data is handled across the organization; without them, a data breach leaves the company exposed.

3. Duty to uphold the rights of data subjects

  • The company must prepare a process through which data subjects can exercise their rights, for example handling requests to view the data collected about them or to change their consent.

4. Duty to designate a data protection officer (DPO)

  • The DPO is responsible for advising the organization on how to comply with the PDPA
  • The DPO must have a thorough understanding of the organization, the PDPA, and IT and security
  • The DPO can be either a team or an individual

The set of compliance policies the company prepares should cover:

  • Internal policy
  • Data breach handling
  • Data subject rights
  • Data processing agreements
  • Standard contractual clauses, in case personal data is transferred to third countries
