The Thailand PDPA data regulation, which becomes law on 27th May 2020, brings to an end the grace period that the government allowed. It was created to bring as much uniformity into data protection as possible, to give citizens and residents back control over their personal data, and to simplify the regulatory environment for international business with a regulation that is far better suited to the challenges today’s digital world poses.
And before you say "Thailand", it will also apply to non-Thai companies. Despite the fact that this is a Thailand regulation, PDPA will apply to any organisation that is processing or holding Thai personal data, regardless of where that organisation is situated.
How will hotels be impacted?
There are a number of requirements that hotels will need to provide and prove when it comes to the use of personal data such as:
- A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies so that a hotel always knows the status of such information.
- A hotel must keep technical and organizational records to prove it is protecting data.
- A hotel must outline its guidelines for collecting and managing personal data.
- When it comes to digital marketing and the collation of personal information, hotels need a section on their website that permits “opting in”, allowing the hotel to store the personal data of its customers, vendors and staff. Hotels must also be able to prove that their audience has given consent for their data to be used for marketing purposes, must specify which data they wish to use, and must explain the process that enables guests to access, modify and delete their information. If a list of potential customers has been purchased, the hotelier must also receive assurance from the data exporter proving that consent has been given for the data to be used.
What are the Main Requirements for Compliance with the PDPA?
In order for hotels to comply effectively with the PDPA, they need to review their connections to data processors, their own security policies, and whether they have the necessary qualified staff on hand to navigate the new laws. This covers all departments, including CCTV.
- Data Mapping: Hotels receive personal data through multiple channels and touchpoints, including email, fax, phone, website and forms, and this data is often stored on multiple platforms across several departments. One of the first issues a hotel needs to tackle is therefore to complete a full data map: what data is captured, where it is stored, who manages it, how it is used and where it ends up. Only then can the hotel begin to work out how to protect and monitor it moving forward.
- Data Security Assessment: Once data mapping is complete, hotels need to decide how information will be stored and handled, then test and document how securely the data is held and identify any weaknesses. Hardware and software applications should be reviewed along with hard-copy files. If the information is stored electronically, encryption, passwords or restrictions on access may need to be implemented to protect both access to the data and its integrity.
- Implementation of new PDPA policies: One of the key principles of the PDPA is not to retain personal data for longer than necessary. Although onerous, your current data records will need to be cleaned up, deleting what is not required and validating the data that is required.
- Ongoing compliance and monitoring: Maintaining GDPR compliance will be an ongoing process. To ensure you continue to comply and to reduce the risk of data breaches, hoteliers should:
  - Invest in training for all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation.
  - Provide regular refresher training for all staff to ensure a culture of awareness exists and to protect against possible breaches.
  - Ensure employees know the process to follow in the event of a breach, and that they report any mistakes immediately to the DPO or to the person or team responsible for data protection compliance.
Hotels, both large and small, often make mistakes when it comes to personal data, but under the new PDPA the penalties for doing so will be far higher. A misuse or breach of personal data carries the risk of administrative fines of up to 5 million Baht and a prison sentence of up to one year. Beyond that, you also run the risk of tarnishing your reputation and paying out for damage claims.
Whatever you decide to do to achieve PDPA compliance, if you haven’t already started, it is vital that you begin preparing for PDPA now. Becoming PDPA compliant will take longer than you realise, and failure to comply and update your data protection processes to safeguard guest data means you run the risk of severe financial penalties.