Rules for the Thai PDPA published ahead of masterplan

On 1 June 2022, the Thai Personal Data Protection Act (PDPA) was finally enforced.

Four months into enforcement, we hear again from Dr Prapanpong Khumon, Associate Dean of Academic Affairs at the Faculty of Law, University of the Thai Chamber of Commerce, about updates on the additional PDPA guidelines released by the Thai authorities and developments on the data protection landscape.

To catch up on the background and development of the Thai PDPA, check out our earlier two-part Q&A or our Thai PDPA video series.

It has been four months since the Thai PDPA has been fully in force. What updates have there been to the law during this time?

The public has become more aware of the law and data protection in general since the law has been enforced – which is a good sign. The Office of the Personal Data Protection Committee (PDPC) has also been fully established not just to regulate, but also to promote compliance with the PDPA and help organisations to utilise data.

Next year, the Personal Data Protection Masterplan will be implemented to help organisations better comply with the PDPA, with programmes including capacity building, research and development grants, and training opportunities. While the Masterplan will be fully implemented next year, the PDPC so far has launched a series of supplementary rules to provide clarity for organisations.

Have any new supplementary rules been published?

The supplementary rules that have been published as of October 2022 are:

• Regulation on exemption for small data controllers to keep and maintain records of activities
• Regulation on the requirements to keep and maintain records of processing activities for data processors
• Regulation on security measures for data controllers
• Regulation on administrative liability measures
• Regulation on complaint process regarding violation and non-compliance
• Regulation on appointment and duty of Expert Committee to handle complaints
• Guidelines on privacy notices
• Guidelines on consent requirements

There are also some supplementary rules that are in the pipeline, to be published by the end of 2022. This includes regulation on types of organisations that are required to appoint Data Protection Officers (DPOs), qualifications of DPOs, and regulations on cross-border data transfers.

Have there been any other developments – data breaches, investigations and even administrative warnings or fines levied – so far?

Within the Office of PDPC, an Expert Committee was appointed in August 2022 to handle and investigate claims, and the Committee has received a number of claims since June 2022, which indicate that the public has been aware of their rights.

The majority of the claims are not serious breaches. The ones that are considered by the Committee to be serious breaches will be handled within a three-month timeframe before the Committee issues a warning or an administrative fine, depending on the severity of the breach.

So far, no administrative fines have been imposed.

Is there currently a strong demand for DPO training and certification courses in Thailand?

There are many training providers that are currently offering DPO training courses, and the demand is rising. It is expected that there will be more demand once the PDPC publishes the highly anticipated rules on DPO qualifications, as well as the types of organisations that are required to appoint DPOs.

The University of the Thai Chamber of Commerce (UTCC) and Straits Interactive are partnering to offer a course to help professionalise the DPO role. How will the course cater to the needs of participants and organisations?

The partnership between UTCC and Straits Interactive will benefit organisations that are looking for a DPO training course that focuses on operational perspectives, and that is what makes this course unique from most of the other courses.

While most courses provide understanding of the PDPA and how to comply with the law, this course enables participants to apply solutions in each step of a business process. This is an important angle when we talk about DPO as a profession, because the role of a DPO requires not only legal skills, but also operational skills.

Looking into the future of data governance, there are more courses to be expected from this partnership that will embody data management and data governance, which are skill sets required in today’s environment and also in the future.

Check out our Data Protection Officer - Hands-on Workshop for Thailand, held in partnership with the UTCC.

Besides training courses, how else could current and aspiring data protection professionals gain the necessary knowledge to plan their career training and progression?

Thailand is at a very early stage of implementation of data protection. However, on the positive side, data protection professionals in Thailand have the liberty to learn from mature markets such as Singapore, the Philippines, and Malaysia.

A community such as the Data Protection Excellence (DPEX) Network can provide useful resources because there are inputs from experts from all over ASEAN. Also, there are publications, research reports, webinars, forums and videos that are available to enhance the knowledge and skills of data protection professionals.

While Thailand is still focused on PDPA compliance, there are a lot of resources at DPEX Network that publish trends, statistics and cases from all over the world. All of these will keep data protection professionals up to date with current and future trends, which will be useful for their career in the long run.

Is there anything else you would like to share about the Thai PDPA or the developing data protection landscape in Thailand and the rest of ASEAN?

The Thai PDPA already embraces the universal principles of data protection. That is an advantage for international standardisation and adherence to global standards, but what remains to be seen is how it is going to be enforced.

There has been a focussed discussion at ASEAN on capacity building, which I think is very important when we take into consideration the cost of compliance of small and medium enterprises.

It is a promising sign that the Personal Data Protection Masterplan in Thailand, which will be implemented next year, resonates with ASEAN and focuses on promotion and support on capacity building, research and technologies that would help small and medium enterprises protect personal data.

Therefore, looking from a policy perspective, this is a good sign.

Liked this story? Sign up for a FREE membership at the Data Protection Excellence (DPEX) Network and get regular data protection and data governance news, industry updates, and resources.