GDPR Monitoring and Demonstrating GDPR Compliance

Whatever your feelings about it are, the GDPR exists to ensure companies Get Data Protection Right. It’s not there to tyrannize companies or threaten them. Rather, it acts as a guiding set of principles that helps to ensure companies are good custodians of the personal data they use. We’ve identified nine pillars of data protection which work together to form an effective data protection framework. Most elements of compliance relate to accountability, from the policies a company adopts, to the security measures it implements, to how it responds to data breaches. This article looks at our eighth pillar of data protection: monitoring and demonstrating GDPR compliance.

The way you demonstrate GDPR compliance (or your journey towards it) is through a system of record-keeping and documentation. Unless you maintain registers containing the details of your personal data processing, you can’t be fully accountable. GDPR compliance is a never-ending process, since the personal data a company holds and the way it is processed change constantly. All records must be regularly reviewed and kept up to date.


GDPR Compliance Depends on Documentation


Keeping detailed records of data-processing activities can help a business to operate more efficiently and improve its data governance. You should think of record keeping in these terms rather than as an onerous task. Supervisory authorities, like the ICO in the UK, may request documentation at short notice, for example when a serious data breach occurs. For many breaches you have only 72 hours after discovering the breach to file a report with the supervisory authority. An efficient process for recording and evaluating breaches helps in gathering the required information quickly, and it also removes a lot of potential stress. Another instance where detailed documentation helps is when an individual (a data subject) makes a request to access their data (these are known as subject access requests, or SARs). Ideally, you should have a process to simplify and record your responses, so that in a couple of mouse clicks you can see where the requested information is, whether inside your organisation or with a third party. Unless a request is particularly complex, companies have one month to deal with a SAR.

Furthermore, under Article 30 of the GDPR, record-keeping of processing activities is an explicit requirement of compliance. Thus, as well as helping in the timely execution of GDPR tasks, it is necessary in and of itself. Using the right tools can reduce the burden of record-keeping, inform you of your progress in compliance and help you stay on top of it. We’ll look at that next.


Monitor and Prove Your Compliance


Article 5 of the GDPR sets out the chief responsibilities of a data controller with regard to processing personal data. It also requires controllers to prove they’re complying with these responsibilities, which is achieved mainly through record keeping and documentation. Having established the importance of documentation and why it’s necessary under the GDPR, how do you use your records to gauge progress in compliance? One way is to use GDPR compliance software with built-in monitoring tools.


Monitoring Compliance Example


Imagine a company that aims for GDPR compliance but isn’t sure whether or not it has achieved it. Software like Relentless GDPR-247, which features a compliance dashboard, gives a quick overview of the tasks needed for maintaining compliance. A workflow management tool for allocating tasks and tracking progress lets the company see at any point in time what needs to be done, when and by whom. Furthermore, Relentless GDPR-247 gives feedback on any compliance gaps. The areas of GDPR compliance monitored by Relentless GDPR-247 include the following:

  • Data subject access requests: a case management and workflow tool for simplifying the process of responding to individuals’ requests in relation to their data.
  • Processing risk management: you’re able to do risk assessments either through DPIAs or on core data protection areas related to the GDPR, and attach thorough documentation relating to your mitigation efforts.
  • Legitimate interests: when legitimate interests are being used as the legal basis for processing personal data, you can indicate and defend your reasoning.
  • Information use and cybersecurity controls: all aspects of cyber security can be recorded, including technical measures, company policies and practices, and staff training.
  • HR practices: employees also have data rights under the GDPR, so the handling of staff data must be monitored to ensure GDPR compliance.


An example of how documentation helps prove compliance


A debt collection agency holding sensitive personal data on EU subjects needs to prove its GDPR compliance in order to build trust. To achieve that, the agency might subscribe to the FENCA code of conduct in data protection. GDPR Article 40 encourages the creation of codes of conduct within various trades. These codes of conduct can often clarify some of the regulation’s more abstract requirements and give guidance on specific industry problems. They also instil confidence in potential customers.


Getting Data Protection Right


There are several ways a business can make itself accountable for its data protection practices; one of them is through meticulous record-keeping. Documentation brings the various elements of the GDPR together and surfaces the tasks that need to be completed for full compliance. By using Relentless GDPR-247 as the foundation of your data-protection framework, the path towards compliance becomes clear. You’ll be able to set goals, gauge progress and manage data-processing tasks efficiently. Why not begin a free trial today?

Data Breaches Root Cause Trends

Introduction: data breaches, how can organisations improve?


With the new focus on digital privacy and data privacy regulations, data breaches are increasingly in the news. Global data privacy regulations have outlined the types of data that are considered sensitive and the penalties for a breach. Global data protection laws, as well as the number of high-profile data breaches, have caused organizations to commit to a greater focus on privacy. Organizations are actively working to decrease their potential exposure to a data breach by enhancing their cyber-security defenses.


When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.


Common causes of data breaches


Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can have a variety of different causes.


Here we define seven different causes of data breaches:


  1. Accidental Web/Internet Exposure: Sensitive data is accidentally placed in a location accessible from the Web. The news stories about improper usage of Amazon S3 permissions (and other cloud storage) fall into this category.
  2. Data on the Move: Securing data in transit is often a challenge for companies. Using HTTP and other insecure protocols is a common cause.
  3. Employee Error/Negligence/Improper Disposal/Lost: This category covers all data breaches caused by employee negligence. Data security policies that are weak and/or unenforced can lead to unintentional data breaches.
  4. Hacking/Intrusion: Data breaches involving an external party (i.e., a hacker) are what most people expect when they hear of a data breach. This category includes phishing, malware/ransomware and skimming.
  5. Insider Theft: This category also deals with employees, but covers cases where insiders are intentionally breaching sensitive data.
  6. Physical Theft: Laptops and mobile devices commonly store sensitive or valuable data. These devices can easily be lost or stolen when brought to public areas.
  7. Unauthorized Access: Poorly designed or implemented access controls can allow people to access data that they are not authorized for.

Data breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches.


Causes of large data breaches


Data breaches occur practically every day. According to statistics there were 264 breaches in Q1 2019, or almost three breaches per day on average.

However, we don’t hear about most of these breaches on the news. Only the “huge” breaches make the headlines. In this section, we’ll break down the major causes of breaches in two ways: based on the number of records exposed in a single breach, and based on the number of records exposed in Q1 2019 by each breach type.


Causes of the largest breaches


In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table.


| Organization | Publication date | Exposed records | Root cause |
|---|---|---|---|
| Centerstone Insurance and Financial Services d/b/a Benefitmall | 1/4/2019 | 111,589 | Hacking/Intrusion |
| Columbia Surgical Specialist of Spokane | 2/18/2019 | 400,000 | Hacking/Intrusion |
| UConn Health | 2/21/2019 | 326,629 | Hacking/Intrusion |
| University of Washington Medical Center | 2/19/2019 | 973,024 | Accidental Web/Internet Exposure |
| Health Alliance Plan | 3/7/2019 | 120,344 | Hacking/Intrusion |
| Navicent Health | 3/22/2019 | 278,016 | Hacking/Intrusion |
| Federal Emergency Management Agency (FEMA) | 3/15/2019 | 2,300,000 | Employee Error |
| ZOLL Services LLC | 3/18/2019 | 277,319 | Not Disclosed |


You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn’t make it the most damaging. The FEMA breach exposed more records than all Hacking/Intrusion breaches put together, but it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.


Causes of most lost records in March 2019


In March 2019, ITRC began including additional information in their breach reports. This information included a breakdown of the number of records breached in that month, based on the cause of the breach.


| Root cause | Exposed records (%) |
|---|---|
| Employee Error/Negligence/Improper Disposal/Lost | 2,313,460 (69.6%) |
| Unauthorized Access | 427,356 (12.9%) |
| Accidental Web/Internet Exposure | 381,812 (11.5%) |
| Hacking/Intrusion | 178,038 (5.4%) |
| Physical Theft | 21,221 (0.6%) |
| Data on the Move | 2,088 (0.1%) |
| Insider Theft | 0 (0%) |

As shown, employees were the cause of the majority of breached records in March 2019. While this information is skewed by the fact that 2,300,000 of the breached records were included in a single breach, the fact that the top three causes of breaches can all be considered internal errors means that organizations need to focus on fixing internal process errors as much as they need to devote time and resources to keeping attackers out.

Many organizations purchase generic online training and privacy awareness materials. While these can be informative, they are generalized and often do not reflect your organisation’s data processing operations. Bespoke training for your organization ensures your employees fully understand the importance of data privacy and improve their data handling processes, leading to higher levels of customer satisfaction.

Global Data Privacy Enquiry



The Relentless GDPR Data Privacy model can be used to set benchmarks for organizations starting out, and can also be used by organizations that have an existing privacy function and some components of a privacy program. The model provides a structured means of identifying and documenting current privacy initiatives, determining their status and assessing it against the Global privacy maturity model criteria. Complete the enquiry form for more details.

Thailand PDPA Embedding Privacy by Design and Default

What is data protection by design exactly?


The PDPA guides that the impact of any processing activities should be taken into account when developing a new product, technology or service, from the beginning and throughout the life cycle of the product. Security and privacy measures should be integrated into the project rather than bolted on as an afterthought in a post-design “checkbox” exercise. Companies and organisations that act quickly and proactively to implement the new regulatory requirement will be in pole position to ensure their products and services are compliant for the new PDPA era.


The origins of data protection by design and its seven principles


The concept of data protection by design is far from new; some of the initial discussion and considerations of the topic extend back as far as the 1970s. What is new is that the Thailand data protection regulation (the PDPA) now gives organisations an opportunity to take privacy by design into account from the conception of a new product, technology or service.

The modern version of data protection by design (and default) can be traced back to the seven principles of privacy by design, set out below.


Proactive not reactive, preventative not remedial


Being proactive means that data privacy risks should be foreseen, placed at the center of planning and mitigated before they can manifest, rather than rectified on a reactive basis. An ancillary benefit of this approach is potential protection from public exposure of data privacy issues which could cause reputational harm (e.g., the Marriott Hotel Group breach). From the initial conception of a new product, technology or service, organisations should begin to plan the implementation of data-protection-enhancing measures:

  • A clear commitment, at the highest levels, to set and enforce high standards of privacy − generally
    higher than the standards set out by global laws and regulation.
  • A privacy commitment that is demonstrably shared throughout by user communities and stakeholders,
    in a culture of continuous improvement.
  • Established methods to recognize poor privacy designs, anticipate poor privacy practices and
    outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and
    innovative ways.


Privacy as the default


The highest privacy settings should be enabled by default for the user when they use any system or access any service. This means that if the user does nothing to change the standard settings, their protection remains full. This guarantees that no action is required on the part of the user to protect their privacy.

Privacy by default also extends to data retention periods: personal data should only be kept and stored as long as it is necessary for the operation of the product or service. In practice this means creating the mandated data retention schedule and designing and testing the processes that execute those retention periods. Products, technologies and services should by default protect individuals’ data to the maximum, even if organisations may still want to include options where the data subject can disable these measures. Presenting data subjects with choice over what happens with their data is the cornerstone of any new data protection administration within a forward-thinking organisation.

  • Purpose Specification – the purposes for which personal information is collected, used, retained and
    disclosed shall be communicated to the individual (data subject) at or before the time the information
    is collected. Specified purposes should be clear, limited and relevant to the circumstances.
  • Collection Limitation – the collection of personal information must be fair, lawful and limited to that
    which is necessary for the specified purposes.
  • Data Minimization − the collection of personally identifiable information should be kept to a strict
    minimum. The design of programs, information and communications technologies, and systems
    should begin with non-identifiable interactions and transactions, as the default. Wherever possible,
    identifiability, observability, and linkability of personal information should be minimized.
  • Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal
    information shall be limited to the relevant purposes identified to the individual, for which he or she
    has consented, except where otherwise required by law. Personal information shall be retained only as
    long as necessary to fulfil the stated purposes, and then securely destroyed.


Data protection embedded into the design 


Privacy measures should form the foundation stone upon which the whole system or service is built, rather than being glued on at the end of the development cycle. The advantage of “securing” these measures in this way is that data protection becomes an essential part of the product, technology or service, affording the highest degree of protection from the very start.

  • A systemic, principled approach to embedding privacy should be adopted − one that relies upon
    accepted standards and frameworks, which are amenable to external reviews and audits. All fair
    information practices should be applied with equal rigor, at every step in the design and operation.
  • Wherever possible, detailed privacy impact and risk assessments should be carried out and published,
    clearly documenting the privacy risks and all measures taken to mitigate those risks, including
    consideration of alternatives and the selection of metrics.
  • The privacy impacts of the resulting technology, operation or information architecture, and their uses,
    should be demonstrably minimized, and not easily degraded through use, reconfiguration or error.


Full functionality, positive-sum, not zero-sum


Functionality of a product or service should not be compromised as a result of trade-offs from “false dichotomies” such as privacy vs security; rather, an approach should be adopted where both can be achieved in a “win-win” situation.

  • When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimized.
  • Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests, design objectives, and technical capabilities, in a given domain. Privacy by Design rejects taking such an approach: it embraces legitimate non-privacy objectives and accommodates them, in an innovative positive-sum manner.
  • All interests and objectives must be clearly documented, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favor of finding a solution that enables multi-functionality.


End-to-end security for the life-cycle of the product


Privacy by design must consider security from the “cradle to the grave”. Information is always afforded the appropriate security throughout the life cycle of the product (from collection to processing and finally destruction). There should be no gaps where security measures are not applied to the data processed. Choosing and implementing the correct level of data security measures for the product, technology or service from the beginning of the project is essential to meeting this requirement.

  • Security − Entities must assume responsibility for the security of personal information (generally
    commensurate with the degree of sensitivity) throughout its entire life cycle, consistent with standards
    that have been developed by recognised standards development bodies.
  • Applied security standards must assure the confidentiality, integrity and availability of personal data
    throughout its life cycle including, inter alia, methods of secure destruction, appropriate encryption,
    and strong access control and logging methods.


Visibility and transparency


Data subjects who are having their information processed are entitled to be fully informed of what is actually happening with their personal data, from the point it is collected to the point it is deleted.
The PDPA takes an active role in heightening visibility and transparency for data subjects by increasing their rights over their personal data. Having strong processes for rights such as Data Subject Access Requests or Right to Erasure requests is a vital step in the privacy by design approach.

  • Accountability – The collection of personal information entails a duty of care for its protection.
    Responsibility for all privacy-related policies and procedures shall be documented and communicated
    as appropriate, and assigned to a specified individual. When transferring personal information to third
    parties, equivalent privacy protection through contractual or other means shall be secured.
  • Openness – Openness and transparency are key to accountability. Information about the policies and
    practices relating to the management of personal information shall be made readily available to
  • Compliance – Complaint and redress mechanisms should be established, and information
    communicated about them to individuals, including how to access the next level of appeal. Necessary
    steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be


Respect for user privacy

Privacy for the user should be a central concern for the product, technology or service. The goal is to provide a user-centric experience, rather than one which harbors illicit data processing practices such as mass collection of data or invasive profiling. Having the data subject feel like they are king of the product, technology or service, rather than just a number, is also a good way to increase consumer confidence. Big data is coming under increasing attack for treating individuals like cattle, milking them for personal data which is then commoditised.

  • Consent – The individual’s free and specific consent is required for the collection, use or
    disclosure of personal information, except where otherwise permitted by law. The greater the
    sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may
    be withdrawn at a later date.
  • Accuracy – personal information shall be as accurate, complete, and up-to-date as is necessary to
    fulfil the specified purposes.
  • Access – Individuals shall be provided access to their personal information and informed of its
    uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the
    information and have it amended as appropriate.
  • Compliance – Organisations must establish complaint and redress mechanisms, and
    communicate information about them to the public, including how to access the next level of appeal.




Privacy by Design and by Default, what is not to like?

Mandating Privacy by Design and by Default is the formalization of a good idea. The PDPA aims to give data subjects more power over their personal data. Implementing Privacy by Design and Privacy by Default clearly reflects that aim.

Relentless Privacy and Compliance advise and train project and development teams to embed privacy by design and default into everyday operations.


Relentless Outsourced PDPA DPO Service

Are you tired of inadequate data protection support for your organization’s data?

Our outsourced PDPA Data Protection Officer (DPO) is ready to fill that role.


Don’t be left without protection, support or advice for your organization’s data. We provide all of our clients with a knowledgeable and experienced Data Protection Officer (DPO) who tackles your organization’s challenges.

Using the services of our Data Protection Officer will show that your organization takes data protection seriously. In the view of your clients, it assures them that there is a dedicated person available to maintain compliance and handle privacy-related tasks.

With our impeccable outsourced DPO services, your company can get access to both expert guidance and practical support for board-level data privacy tasks, including:

  • Monitoring, management and reporting of data breach issues.
  • Assistance with Data Protection Impact Assessments.
  • Design and creation of policies and procedures.
  • Development and maintenance of your Personal Data Processing Register.
  • Maintenance of data mapping.
  • Maintenance of the Record of Processing Activities.
  • Organization of policy and contract reviews.
  • Design of a data governance structure.
  • Serving as your organization’s official point of contact on data protection matters.
  • Management of all data protection issues.

Beyond the services listed above, there are further benefits when you use Relentless Data Privacy, including:

  • 1 day per month of dedicated support working solely for your organization onsite/ virtually.
  • Unlimited Support Calls.
  • Unlimited Email Support.
  • Monthly board-level report.

At Relentless, our Data Protection Officer (DPO) has the right qualifications and expertise in international and European data protection laws, with an in-depth understanding of business practices that allows them to manage both data security and data protection for any organization. Whether you are running a large or small enterprise, outsourcing the role of the Data Protection Officer (DPO) will allow your organization to deal with complex, multinational data protection legislation and other regulatory demands.


Relentless: we are here for you

With the use of centralized technology and a streamlined structure, we strive to serve all clients with the highest level of efficiency. It’s this determination, along with modern resources, that lets us provide a unique model and approach to clients. Our compliance and assurance work over the past 20 years has been built on commitment and on the personalized, responsive service we provide.


We make sure that every client project is completed successfully according to the initial requirements, building long-term business value from their compliance and privacy assurance strategies and ensuring their global operations remain within the law.

Thailand PDPA Planning for the New Regulations

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) will come into full force on 27 May 2020. In view of the impending target date, this article provides a concise overview of the new law.


Scope of Enforcement – The PDPA applies to the collection, use or disclosure of personal data by a data controller or data processor located in Thailand, regardless of whether or not such acts occur in Thailand. If a data controller or data processor is located outside of Thailand, the PDPA applies if the data subject whose data is collected, used or disclosed is located in Thailand, provided that the data controller’s or data processor’s activities are:

(i) the offering of goods or services to a data subject who is located in Thailand (irrespective of whether or not the payment for such goods/services is made by the data subject); or

(ii) the monitoring of the data subject’s performance, where such performance takes place in Thailand.


Personal data is not subject to the PDPA if it is collected for, or relates to:

    • personal benefit or household activity;
    • operations of public authorities having duties to maintain state security;
    • activities of mass media, fine arts or literature which are in line with professional ethics or the public interest;
    • consideration by the House of Representatives, Senate, Parliament or their appointed committees under their duties and powers;
    • courts’ trial and adjudication and officers’ work operations in legal proceedings, legal execution and deposit of property;
    • credit bureau companies’ and their members’ operations under the relevant law; and
    • deceased persons.

Definition of Personal Data – Section 6 of the PDPA defines “personal data” as information pertaining to a natural person which enables the identification of such natural person whether directly or indirectly. There are two types: (i) “Non-Sensitive Personal Data” (e.g., name, surname, home address, email address, bank account number, etc.); and (ii) “Sensitive Personal Data” (e.g., race, political opinions, religion, sexuality, criminal records, disability, etc.).


Definition of Data Controller – Section 6 defines “data controller” as a person or juristic person having the power to make decisions regarding collection, use or disclosure of personal data.


Definition of Data Processor – Section 6 defines “data processor” as a person or juristic person operating in relation to collection, use or disclosure of personal data further to orders given by or on behalf of a data controller.


Basic Elements of Collection, Use and Disclosure 

    • Consent of data subjects must be obtained in writing or electronic form by data controllers prior to or at the time of collection, use, processing or disclosure of personal data (unless otherwise permitted by law);
    • collected personal data must be used in accordance with intended purpose that was informed to data subjects;
    • collection is limited to extent necessary for the lawful purpose;
    • personal data must be collected directly from data subjects (unless otherwise permitted by law); and
    • transfer of personal data to a foreign country, destination country or international organization is only permitted if recipients have adequate data protection standards.

Details Required to be Informed to Data Subject 


    • Data to be collected (e.g., name, surname, email address, etc.);
    • purpose of collection, use or disclosure (e.g., for human resources management);
    • reasons why personal data shall be collected;
    • possible effect of not providing personal data;
    • estimated data retention period;
    • persons or entities to whom the collected personal data may be disclosed;
    • contact information of data controller or its representative / data protection officer (who must be an employee of the data controller); and
    • rights of the data subject.


Exemption of Consent Requirement – Section 24 (General Personal Data) and Section 26 (Sensitive Personal Data) collectively set out ten exemptions where no consent is required from a data subject for collection, use or disclosure of personal data, such as for performance of a task carried out for the public interest.


Personal Data Previously Collected – Section 95 allows data controllers to continue collecting and using personal data collected prior to the effective date of the PDPA for the original intended purpose.


Rights of a Data Subject – A key element of the PDPA is the set of rights protecting data subjects, such as Section 19, which grants data subjects the right to withdraw consent at any time; Section 32, the right to object to collection, use or disclosure of personal data; and Section 73, the right to file a complaint in case of violation, among others.


Obligations of a Data Controller – Chapter III of the PDPA sets out specific obligations of a data controller, such as the obligation to ensure that personal data remains accurate, up-to-date, complete and not misleading and to provide appropriate security measures to prevent unauthorized access to personal data, among others.


Obligations of Data Processor – Where the data processor is not itself a data controller, the obligations of data processors apply, such as to collect, use or disclose personal data only pursuant to instructions given by a data controller and to provide appropriate security measures, among others.


Data Protection Officer – Under Section 41, a data controller and data processor shall appoint a data protection officer in certain circumstances, such as where their core activity is the collection, use or disclosure of sensitive personal data.


Obligations of Data Protection Officer – To advise the data controller or data processor, including their employees and service providers, on compliance with the PDPA and to monitor their performance, among others.


Penalties – Violation of or failure to comply with the PDPA may incur penalties including civil liability, criminal liability and administrative liability.


The PDPA is very new to Thailand and further regulations and guidelines will be issued to supplement the implementation and enforcement of the PDPA. As the PDPA will come into full force soon, appropriate measures should be taken to prepare for and ensure compliance with the new law.


Relentless Privacy and Compliance Services are experts in global data regulations and can help organisations achieve PDPA compliance before 27th May 2020.


With the use of centralized technology and a streamlined structure, we strive to serve all clients with the highest level of efficiency. It’s this improved determination, along with modern resources, that aids us in providing a unique model and approach to clients. We have received many compliance and assurance engagements, based on our experience and commitment throughout the past 20 years, because of the personalized and responsive service we provide.

We make sure that every client’s project is completed successfully according to the initial requirements, building long-term business value into their compliance and privacy assurance strategies and ensuring their global operations remain within the law.

Thailand PDPA and its Effect on the Hotel Industry

The Thailand PDPA, which becomes law on 27th May 2020, brings to an end the grace period the government allowed. The regulation was created to bring as much uniformity into data protection as possible, to give citizens and residents control over their personal data, and to simplify the regulatory environment for international business with a regulation far better suited to the challenges today’s digital world poses.

And before you say “Thailand”, it will also apply to non-Thai companies. Despite the fact that this is a Thai regulation, the PDPA will apply to any organisation that processes or holds Thai personal data, regardless of where the organisation is situated.


How will hotels be impacted?


There are a number of requirements that hotels will need to provide and prove when it comes to the use of personal data such as:

  • A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies so that a hotel always knows the status of such information.
  • A hotel must keep technical and organizational records to prove it is protecting data.
  • A hotel must outline its guidelines for collecting and managing personal data.
  • When it comes to digital marketing and the collation of personal information, hotels need a section on their website that permits “opting in”, thus allowing hotels to store personal data of their customers, vendors and staff. Hotels must also be able to prove that their audience has given consent for their data to be used for marketing purposes, must specify which data they wish to use, and must explain the process, enabling guests to access, modify and delete information. If a list of potential customers has been purchased, the hotelier must also receive assurance from the data exporter that proves consent has been given for the data to be used.


What are the Main Requirements for Compliance with the PDPA?


In order for hotels to comply effectively with the PDPA, they need to review their connections to data processors and their own security policies, and to check whether they have the necessary qualified staff on hand to navigate the new laws. This includes all departments, including CCTV.

  1. Data Mapping: Hotels receive personal data through multiple channels and touchpoints, including email, fax, phone, website and forms, and this data is often stored on multiple platforms across several departments. One of the first issues a hotel needs to tackle is therefore to complete a full data map, so that it knows what data is captured, where it is stored, who manages it, how it is used and where it ends up, before beginning the process of protecting and monitoring it going forward.
  2. Data Security Assessment: Once data mapping is completed, hotels need to decide how information will be stored and handled, then test and document how secure the data is and identify any weaknesses. Hardware and software applications should also be reviewed, along with hard-copy files. If the information is stored electronically, encryption, passwords or limitations on access may need to be implemented to protect access to, and the integrity of, the data.
  3. Update Data Policies: Hotels now have an obligation to make individuals aware of their rights under the PDPA as part of the data collection process. As such, hotels will need to review all current data protection policies, such as the privacy policy and retention policy, as well as policies relating to third-party data contractors, and update them accordingly.
  4. Implementation of new PDPA policies: One of the key principles of the PDPA is not to retain personal data for longer than necessary. Although onerous, your current data records will need to be cleaned up, deleting what is not required and validating the data that is required.
  5. Ongoing compliance and monitoring: Maintaining compliance will be an ongoing process. To ensure you continue to comply and reduce the risk of data breaches, hoteliers should:
    1. Invest in training of all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation.
    2. Provide regular refresher training for all staff to ensure an awareness culture exists and protect against possible breaches.
    3. Ensure employees know the processes in the event of a breach and to report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.

Hotels, both large and small, often make mistakes when it comes to personal data, but under the new PDPA the penalties for doing so will be far higher. A misuse or breach of personal data will carry the risk of administrative fines of up to 5 million Baht and a prison sentence of up to one year; on top of that, you run the risk of tarnishing your reputation and ending up paying out for damage claims.

No matter what you decide to do to achieve PDPA compliance if you haven’t already started, it is vital that you begin preparing for PDPA now. Becoming PDPA compliant will not only take longer than you realize, but failure to comply and update your data protection processes to safeguard guest data means you run the risk of severe financial penalties.


Thailand PDPA Compliance is Still Achievable for 27th May 2020

In search of secure controls for asset or data protection?

Don’t miss the 27th of May!


Are you worried about missing the 27th May deadline without having implemented the PDPA or become compliant? By adjusting your schedules, the 27th May privacy program is still achievable from now. Relentless Privacy and Compliance Services has designed a PDPA assessment with a positive strategy for every department level, to meet the complex operational needs of businesses and schools.


The impeccable Relentless PDPA 27th May privacy program includes:

  • PDPA Privacy assessment built on internationally recognized standards.
  • Full gap analysis and remediation report.
  • Full data discovery and data mapping of all personal data processing activities.
  • Record of processing activities including lawful basis and retention periods.
  • PDPA Training Customised to school operations.
  • Ongoing Outsourced DPO (Data Protection Officer) services available.
  • Native Thai-speaking staff available to ensure clear communication.
  • GDPR services are available for the recruitment of UK staff and the processing of EU alumni data.

Beyond the benefits included in the 27th May privacy program, Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Relentless Privacy and Compliance Services is different from traditional compliance firms that use four or five layers of management.


Complete the form below, choose the PDPA service of interest from the drop-down field, and we will be in touch with you within 24 hours.


Thailand PDPA 5 Key Provisions to Deliver

PDPA Key Provisions

(1) Notice & Consent: Controllers and Processors must obtain consent from each data subject prior to, or at the time of, any collection, use or disclosure of personal data. The intended purpose of the data collection must also be notified to the data subject.


Organisations are permitted to use personal data collected before the effective date of the PDPA for the purposes for which the data was collected. To do so, organisations, through their Data Controllers, must notify their data subjects of the intention to do so and permit them to opt out. This process is likely to be costly for large organisations that hold vast volumes of personal data, such as healthcare service providers, telecommunications services, financial institutions and government departments.


(2) Limitations to Collection, Use and Disclosure:

 a: Purpose limitation.

The Controller cannot collect, use or disclose personal data for any purpose other than the intended purpose as notified to and consented by the data subject.


The Controller cannot collect, use or disclose more personal data than is necessary to achieve the intended purpose.

 c: Source limitation.

Personal data may only be collected directly from the data subject, subject to only a few exceptions.

 d: Retention limitation.

The Controller cannot keep personal data for longer than is necessary to achieve the intended purpose.

 e: Transfer limitation.

Personal data cannot be transferred to countries that do not have adequate data protection standards, except for a transfer under a data privacy policy verified and certified by the OPDPC.


(3) Access, Correction and Portability:

The Controller must ensure that personal data is up to date, accurate and not misleading by allowing the data subject to access, and to ask the Controller to correct, his or her personal data collected by the Controller. The Controller must ensure that each data subject can obtain his or her personal data in a format that can easily be used by other Controllers.


(4) Security:

The Controller must provide appropriate security measures to prevent any loss, access, use, modification or disclosure of personal data without authorization.


(5) Openness:

The Controller must disclose personal data of a data subject for him or her to examine and verify.


Compliance with the Thailand PDPA cannot be bought via a template. Data privacy needs to be built from the ground up, with a framework that delivers on all aspects of your operations.
