The latest country to follow in the EU’s data protection footsteps, Thailand is gearing up for the arrival of its first bill to protect individuals’ personal data rights, but what does this mean for your business? Relentless’ global data privacy experts have the answers.
Thailand’s relationship with the concept of privacy has always been a curious one to say the least. For years, the idea that individuals have a right to privacy was a key part of the country’s national constitution, albeit one without any kind of law or regulation forcing businesses to uphold that right.
Sure, certain rules and codes of practice were in place for Thailand’s health sector and other industries dealing in particularly sensitive personal data, but even so, the country had nothing like GDPR, nor anything that in any way resembled even the most basic of all-encompassing data protection laws, such as the UK’s Data Protection Act.
At least, that was the case until now.
After a lengthy process of drafting, consulting the public and revising, Thailand is finally set to roll out its own Personal Data Protection Bill (PDPA). Much like the raft of other new data laws which have come along in the past two years, this one takes many of its cues directly from GDPR.
On the face of it, this is good news for many businesses, as the similarities between the two mean that a number of the processes, policies and procedures they already have in place for GDPR can prove equally sufficient for PDPA, eliminating any duplication of effort.
Even so, in much the same way that business owners were left scratching their heads in the run-up to GDPR coming into force last May, PDPA’s arrival has left many with some serious questions about what exactly Thailand’s new data protection law means for them.
That’s where we come in.
At Relentless Privacy & Compliance, we specialise in helping businesses around the world to achieve frictionless compliance with global data protection laws in a way that provides long-term added value. Today, we answer your burning questions about Thailand’s Personal Data Protection Bill and how it may affect your business.
Who does PDPA apply to?
Just as GDPR applies to all data processors and data controllers who deal with the data of data subjects within the European Union, PDPA applies to all processors and controllers who deal with Thai data subjects, regardless of where those processors and controllers are actually based. In other words, if you’re a UK business but you provide goods and services to people in Thailand (no matter whether you charge for them or not), then you need to ensure that your business is PDPA-compliant.
That’s not all.
The new law also applies in any instance where the behaviour of Thai data subjects is monitored. So, even if you don’t provide services directly to data subjects, but you carry out business-to-business services such as tracking people’s internet activity for the purposes of targeted marketing or user testing, then PDPA applies.
I outsource my data processing to Thailand. How does this affect me?
According to the Personal Data Protection Committee (PDPC), which oversees the creation, implementation and enforcement of PDPA in Thailand, the new requirements are applicable to personal data that is collected, used, or disclosed by a Thailand-based data processor or controller, regardless of where that data is collected, used or disclosed.
To put that in simpler terms, if you only collect the data of EU data subjects but you use a firm in Thailand to do the collecting for you, then, yes, PDPA applies.
What do I need to do to ensure frictionless compliance with PDPA?
The most pressing issue for any business affected by Thailand’s new data protection bill is to ensure that you have a lawful basis for collecting, processing, or disclosing data. Much as with GDPR and similar regulations, explicit consent is typically the lawful basis that is talked about the most, and often for good reason. It’s certainly the most straightforward and uncomplicated method of collecting and processing data legally. Gain the express consent of data subjects, and you leave no doubt as to the validity and legality of your processing activities. However, many businesses tend to overlook the fact that explicit consent isn’t the only option they have at their disposal. There are others which are every bit as valid and every bit as legal.
Explicit consent is not required if the data processing activities are required to carry out the terms of a contract your data subject has entered into with you, or to take certain steps requested of you by the data subject before entering into a contract.
Under vital interest, you do not need to gain explicit consent if processing is required to protect an individual’s life.
Processing carried out in the public interest is a further lawful basis, provided that the task being performed has a clear basis in law.
If you can prove that processing is required for the legitimate interests of your business or a third party, then you can forgo explicit consent. However, it is worth noting that this can be overruled in cases where the protection of a person’s data is deemed to be more important than your legitimate interest.
What else do I need to know about consent?
It’s also important to point out that PDPA lays out extra conditions for gaining the consent of minors. Your compliance consultant at Relentless can advise you as to what these are and how you can best implement them should it be necessary.
What rights do data subjects have under PDPA?
Again, PDPA isn’t too dissimilar in this regard from other new regulations which have come along in the last few years. Individuals have a right to request a copy of the data that you hold about them and, in certain circumstances, also have the right to object to their data being processed.
In both cases, businesses affected by the bill are obligated to meet these requests.
Does my business have any other obligations?
In particular, you need to ensure that sufficient physical and digital security measures are in place to prevent unauthorised or malicious access, use, or modification of any personal data you hold. You’ll also need to be sure that, if you plan to transfer the personal data of Thai data subjects to businesses in other countries, those countries have sufficient data protection regulations in place (such as GDPR, California’s CCPA, Brazil’s LGPD, Thailand’s PDPA or China’s National Standards on Information Security Technology) and that those businesses are compliant with them.
What do I need to do in the case of a data breach?
Naturally, you’ll have done everything in your power to prevent a data breach. However, should the worst happen, your first and most pressing responsibility is to immediately inform the affected data subjects. If the data breach affects a certain number of data subjects, your next task will be to inform the PDPC.
What are the consequences of non-compliance?
Businesses that are found in violation of PDPA are liable to pay administrative, civil, and/or criminal penalties depending on the circumstances, though of course, your business never has to reach this stage.
As part of our comprehensive Global Data Privacy Service, Relentless Privacy & Compliance offers expert advice, guidance, and hands-on support to ensure that you’re not only fully compliant with PDPA and other international privacy regulations, but that you achieve that compliance in a way that helps your business to grow.