Mage Data strengthens its data security posture with the ISO 27001 certification. READ MORE >

April 13, 2022

What is Thailand PDPA?

If you’ve helped a business comply with the CCPA in California or the GDPR in Europe, then Thailand’s new data security law, the Personal Data Protection Act (PDPA), will feel very familiar. However, suppose you do business in Thailand, Asia in general, or even just planning a business trip to Bangkok or Krabi. In that case, there are a few key differences that you and your business should be aware of.

The most significant difference is the penalty the law carries. Unlike the CCPA and GDPR, which can have heavy financial penalties for violation, the PDPA takes a new approach: Making a violation a criminal offense and calling for prison sentences of up to one year. Talk about deterrence!

Who does the PDPA apply to?

Given the heavy penalties faced by companies who violate the PDPA, you’re probably wondering if the law applies to you and your organization. Well, the law applies to no one right now. While the ordinance was first passed in 2019, a one-year grace period was put into place to give companies time to adjust. By mid-2020, the COVID-19 pandemic was in full swing, and the authorities decided to extend the deadline by an additional year.

And in 2021, the start date for enforcement was again pushed out, this time to June 2022. So, there’s still time to get into compliance with the law if you haven’t already done so. Like other privacy laws, the PDPA applies to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents. Note that this law applies to a company even if it has no physical presence in Thailand or isn’t registered in that country. If you’re handling data from Thai residents, the law will apply to you.

What do companies need to do for PDPA compliance?

As with similar data privacy laws, one of the critical components of the PDPA is consent. Companies must inform users about how they’re collecting and using their personal data and provide those users with an opportunity to opt-out. Companies must also publicize a consent withdrawal method so that users who change their minds later can return and revoke their consent.

Another critical aspect of PDPA is the requirement to gain ongoing consent. If a company changes how it’s using data, it must gain consent from each user for any new activity—and so new consent agreements are required for each new activity.

Another caveat worth mentioning is that the law applies to data processed in Thailand, even if none of the data relates to Thai subjects. For example, if you collected data in Europe from residents of the EU, but sent the data to a branch office in Thailand, it would be subject to the PDPA, in addition to the GDPR.

Specific rights granted to users covered by the PDPA include:
● Right to be informed
● Right to access
● Right to rectification
● Right to erasure
● Right to object/opt-out
● Right to data portability
● Right not to be subject to automated decision-making

The list above has significant overlap with other data privacy laws, which means that if you’ve already prepared your systems to comply with legislation like the GDPR, you’ve likely already taken many of the steps required for basic compliance with the PDPA.

Advanced PDPA compliance actions

The number of new data privacy laws is growing every year, and some companies are struggling to keep up with the changes. The trend of increasing data privacy legislation isn’t going away. The companies that best handle the trend will shift from reacting to each new law to proactively crafting data privacy controls in their business. Being proactive about these issues helps companies build long-term resilience, as increased security policies now will result in less interruption in the future, even if laws get stricter.

The path to data privacy and security beyond what’s required by law isn’t always obvious, but here are a few methods and strategies that will help nearly every business be ready for the next round of privacy laws.

Anonymization and Synthetic Datasets

The sharing of data with third parties for storage or processing represents one of the most significant risks to businesses in terms of legal compliance. One of the best ways to ensure that data is protected when shared is to anonymize it, which involves erasing or encrypting personally identifiable information. Or, you can take things a step further and create a synthetic dataset using fuzzy logic and artificial intelligence, where the original data is completely replaced by new data that holds the same characteristics. Using either of these techniques helps keep your users’ data safe, even if the data is leaked or intercepted.

Automatic Personally Identifiable Information Detection

If you don’t know what data you’re holding, you’re going to have a hard time securing it. When datasets grow to contain thousands, millions, or even billions of data points, manually scrubbing for personally identifiable data becomes an impossible task. Businesses need an automated way to find this information to ensure it’s adequately protected. Sensitive Data Discovery Tool by Mage is a patented solution that finds sensitive data in even the most complex locations and uses natural language processing to find sensitive data even if it’s unlabeled or mislabeled.

Detailed Dynamic Data Masking System

But even if you’ve correctly identified all personal data in your system, you still have to protect it proactively. Masking your data is a great way to keep information out of the hands of employees and contractors who don’t need the full set but implementing it can be a pain. A system that lets you set access rules by role, user, program, or location, such as Mage’s Mage Dynamic Data Masking, can save companies a ton of time and frustration when dealing with the ever-shifting world of data.

Are you ready for PDPR?

The good news about PDPR is that most companies already dealing with the CCPA or GDPR will only have to make minor changes when dealing with Thai data. On the other hand, the continuing trend of countries adopting new data privacy and protection laws means that it’s only going to get harder to try and tackle each new law head-on. The best solutions will be those built with future needs in mind and take you beyond what laws demand today. If you’re looking for a solution for your business that prepares you for what comes next, schedule a demo with Mage today to see what our tools can do to keep your company and your users safe.