Thailand’s Data Protection Law in a Nutshell

August 9, 2019

If you are living or working in Thailand, you have probably heard about the new Personal Data Protection Law, sometimes referred to as the PDPA. A long time in the making, the Personal Data Protection Act has now been approved and will come into effect on May 27th, 2020. This law applies to and has implications for every company and organization that processes or stores any kind of personal information, whether of customers, members, or even of employees. To get to the point, here are some straightforward short answers to some questions you are probably asking.

What does this law require us to do?

  1. Define what data is collected and how it is to be used, and obtain documented consent from the owner of the personal data to collect and use it.
  2. Respect the newly defined rights of the owner of the personal data (unless doing so contradicts other Thai laws or court orders):
  • Allow them access to their personal data.
  • Upon request, keep confidential, suspend, or delete their personal data.
  3. Restrict third-country data transfers unless consent is given or a law or a contract requires it.
  4. Protect all personal data by:
  • Appointing a qualified Data Protection Officer in charge of making and enforcing policy.
  • Taking responsible measures to protect against breaches of personal data, e.g. using data encryption and access controls, maintaining a firewall and network security, and conducting security audits.

What happens if we are not compliant?

  1. Administrative fines of up to 5 Million Thai Baht.
  2. Criminal fines of up to 1 Million Thai Baht.
  3. Damages of up to two times the damage caused.
  4. Imprisonment for up to 1 year.

How do I become compliant?

Making sure you have or obtain consent from the owners of any personal data you hold and use is the first step. But as you would imagine from the name “Personal Data Protection Act”, the biggest challenge is protecting the data that you store and use. This takes the expertise of qualified IT security professionals. Hiring full-time staff who specialize in IT security is quite expensive and poses a risk should they ever resign. A reliable and cost-effective alternative is to contract part or all of your IT security operations to a Managed Security Services Provider (MSSP). Even large companies with their own IT departments can benefit from expert outside help, especially for security auditing and for specialized IT security services and solutions that augment their IT operations. As an MSSP with a reliable team of qualified IT professionals and years of experience, Movaci can help bring you into compliance with this new law and keep you there.


For more information, visit our website here, or contact us here.
