
Thailand gets ready for data protection law

Thailand’s personal data protection law comes into effect in May 2020, subjecting organisations to new rules that safeguard the personal data of individuals

Thailand has joined Singapore and Malaysia in Southeast Asia in enacting a personal data protection law to protect the privacy rights of individuals.

The country’s Personal Data Protection Act (PDPA), modelled on the European Union’s General Data Protection Regulation (GDPR), will come into effect on 27 May 2020.

Among other provisions, the PDPA requires organisations to seek consent to collect personal data, with data owners given the right to revoke access to their data at any time.

Like the GDPR, Thailand’s PDPA is extraterritorial, applying to any organisation outside the country that collects the personal data of Thai citizens and residents.

Those that contravene the PDPA risk administrative fines of up to THB5m, as well as criminal penalties including imprisonment and fines of up to THB1m.

According to Baker McKenzie, a global law firm with offices in Bangkok, civil damages under the PDPA can also be multiplied as Thailand now allows data subjects to bring a class action lawsuit. “The director of a company could also be subject to penalties under the PDPA,” it said.

Thailand’s ministry of digital economy and society has conducted outreach efforts to raise awareness of the new law among businesses, and a guidebook on best data protection practices is also in the works.

The compliance rate with new data protection laws is often low at the start, even though organisations are typically given at least a year to get their data protection processes in order before the legislation kicks in. Thailand’s PDPA was gazetted in May 2019.

As regards the GDPR, a Talend survey recently showed that 58% of businesses worldwide failed to address requests made by individuals seeking to obtain a copy of their personal data, as required, within the one-month timeframe.


In September 2018, Talend released the results of its first GDPR research benchmark, which aimed to assess organisations’ ability to achieve right to access and portability compliance with the European regulation.

At that time, 70% of the companies surveyed said they had failed to provide an individual’s data within one month.

A year later, Talend surveyed a new population of companies, as well as those that had reported a failure to comply in the first benchmark, to map improvement. Although the overall percentage of companies that reported compliance has increased to 42%, the rate remains low 18 months after the regulation came into force.

“These new results show clearly that data subject access rights are still the Achilles’ heel of most organisations,” said Jean-Michel Franco, senior director of data governance products at Talend.

“With several data protection regulations coming into force, organisations need to start a data governance transformation to deliver a 360-degree view of customers and empower the people in charge of data protection with more automated data processing and delivery.

“Organisations must do more to regain the trust of their data subjects and be aware that they risk very significant fines and significant reputational damage in the event of non-compliance and especially through class actions – both of which could prove to be severely detrimental to a business.”
