In May 2020, the Thai Cabinet approved a royal decree granting a one-year exemption from certain provisions of the Personal Data Protection Act 2019 (PDPA), which had been scheduled to take full effect on May 27, 2020. The new decree has extended the effective date for a number of the law’s provisions to May 31, 2021.
Key Elements of the Extension
Under the decree, certain critical provisions of the PDPA are not enforceable against exempted businesses (see list below) during the extension period, including the following:
- General requirements and obligations on data controllers. Specifically, the postponed enforcement covers consent requirements, notification requirements, establishment of lawful basis, requirements on the collection of personal data from other sources, and processing of minors’ personal data. The enforcement of a second list of requirements is also postponed, including observance of data subjects’ rights and data erasure or destruction requirements, the implementation of appropriate internal security measures to prevent unauthorized access (section 37 (1)), provision of data breach notifications, appointment of data protection officers (DPOs), filing complaints, and penalties.
- The grandfather provision (section 95) is also within the scope of the extension. This means that personal data collected or processed during the extension period will not be subject to the requirements enumerated in the second list above when they come into force in 2021. Furthermore, this data can be retained and used after the extension period has lapsed, provided that doing so is within the original purposes stated for collecting and processing the personal data. It is especially important to note that the scope of the grandfather provision does not include disclosure of personal data or processing of personal data outside of the original purposes stated.
However, as required by section 4, data controllers must still implement a minimum level of security protection measures for personal data in accordance with the standards to be prescribed by the Ministry of Digital Economy and Society, expected later this year.
It should also be noted that the requirement for the regulator to issue supplemental notifications and regulations is not within the scope of the extension. The Personal Data Protection Commission (PDPC) is therefore expected to continue issuing these supplemental measures during the extension period.
The list of exempted businesses, below, covers a wide range of sectors and industries, and applies regardless of location:
- Industrial businesses
- Medical and public health businesses
- Energy, steam, water, waste disposal, and related businesses
- Repair and maintenance
- Transportation, logistics, and warehousing
- Communication, telecommunications, computers, and digital enterprises
- Financial, banking, and insurance enterprises
- Real estate
- Professional practice
- Administration and support
- Science and technology, academia, social welfare, and arts
- Entertainment and recreation
- Household operations and SMEs that cannot be classified
- Government agencies
- Foreign government agencies and international organizations
- Foundations, associations, and religious and nonprofit organizations
What to Do Now
In addition to staying up to date on the issuance and implementation of supplemental notifications and regulations under the PDPA over the coming year, businesses should make use of the additional time to prepare for compliance. A sample framework for doing so is provided below.
Step 1: Identify the personal data currently possessed by the company
Estimated timeframe: 1–3 months
In this stage, it is important to understand the PDPA’s requirements and conduct self-assessments to identify an entity’s current and anticipated personal data processing activities. To identify the main processing activities, companies should answer the five Ws:
- Who are the relevant data subjects and the responsible personnel?
- What types of personal data are collected and processed, and what are the sources?
- When is the personal data collected and updated, and how long is it retained?
- Where is the physical and digital data stored and transferred to (i.e. within Thailand or overseas)?
- Why is the personal data being collected or processed?
This should be a reported in an internal assessment to aid widespread understanding of the practice—especially the original purpose for collecting or processing the personal data—within the organization.
Gaps and mitigation measures should also be identified, including:
- processing activities that require consent as the lawful basis;
- processing activities that can rely on another lawful basis (e.g. “legitimate interest”);
- relevant retention periods pertaining to the various types of personal data; and
- list of data processors, the scope of their data processing activities, and relevant personal data pertaining to the activities.
Step 2: Close the gaps and monitoring for new subordinate regulations
Estimated Timeframe: 2-4 months for closing gaps, monitoring ongoing until May 31, 2021
In this stage, organizations should monitor the issuance and development of new subordinate legislation—including through public hearings—to ensure that they are aware of their compliance obligations. At the same time, it will be necessary to focus also on closing the gaps identified in Step 1 by implementing the necessary mitigation measures and putting measures in place to ensure operational compliance. This may include preparing the following:
Privacy policies for relevant data subjects. Where consent is identified as the lawful basis, consent forms must be prepared for the relevant data subjects (e.g. individual customers, employees, etc.).
- A data processing agreement (or addendum) template to be arranged, proposed, and countersigned by the relevant data processors.
- A record of processing activities.
- A record of internal assessments where legitimate interest is to be relied upon as the lawful basis (noting that these should be carried out in consideration of organizational conflicts of interest).
- Plans for a DPO or DPO team, depending on the size of the operation and quantity of personal data involved, and in accordance with the DPO qualifications prescribed by the PDPC.
- A custom internal training program, addressing current gaps and relevant parties in the context of the new legal requirements.
- Internal rules forbidding collection of personal data without justification or lawful basis, or that is not necessary for business operations. Any personal data of this type that is currently being processed should also be deleted at this time.
When the subordinate laws on data subject rights become publicly available, it will be necessary to examine the requirements and set up a process for managing requests to uphold data subject rights, as well as data controller and processor obligations under the PDPA.
Achieving Compliance on Schedule
By following these steps, organizations can ensure that they will be fully compliant when the extension period ends on May 31, 2021. The estimated timeframes of the various steps listed above can give an idea of how long each step will take, but the actual schedules should be determined based on the level of PDPA readiness within the organization, the scale of implementation, and any future developments of the subordinate legislation under the PDPA. Companies should work closely with local legal counsel to ensure that their compliance measures are on track, and will be effective when the law comes into force.