In an effort to push Thailand's data protection rules, the Ministry of Digital Economy and Society (DE) is introducing the requirement of Data Protection Officers (DPOs). Every Thai organization handling personal data from EU citizens in its business will need to appoint a DPO. This call is an effort to comply with the kingdom’s Personal Data Protection Act (PDPA) and the General Data Protection Regulation (GDPR) of the European Union (EU).
The EU has maintained that it might impose hefty fines on companies outside of its member states that fail to properly process and store data of EU citizens under GDPR.
Chayathawatch Atibaedya, a senior adviser with the Digital Economy Ministry, says that only half of large corporations in Thailand have made preparations towards the implementation of data protection rules.
Small and medium-sized enterprises have voiced concerns about complying with data protection rules. Many smaller companies are worried about a lack of know-how as they struggle to understand how to facilitate the required changes and, of course, about any corresponding costs.
Apart from implementation costs for data procedures, the real looming matter in the background is the steep, if not ruinous, fines that data protection rules may impose for non-compliance. In the case of the GDPR, penalties may amount to €20 million or 4% of the worldwide annual revenue of the financial year before infringements.
The GDPR also covers the export of personal data outside the EU and the European Economic Area. Its data protection rules aim to give individuals control over their data and to simplify the regulatory environment for international business by consolidating regulations among EU countries.
Thailand’s PDPA has set the maximum fine at THB 5 million for the infringement of data protection rules.
The PDPA went into effect on May 27, but the law gives a one-year grace period for enterprises to prepare for compliance properly.
Mr. Chayathawatch says, ‘The data protection law is not an alternative for corporations but a mandatory condition that all players have to comply with because it protects the rights of individuals, especially in digital-driven economies.’
Having said this, however, Mr. Chayathawatch also suggests that companies should not consider the PDPA as an obstacle but rather as an opportunity to improve their data policies to international standards. Thai organizations that maintain business operations dealing with EU citizens are to designate a Data Protection Officer to oversee compliance in data processing activities.
The main tasks of these DPOs would include supervising internal data protection, creating awareness and guidance on data protection necessities, assessing and advising on the impact of data protection implementation, and serving as the contact person for inquiries from data subjects and potential scrutiny from supervising authorities.
It will be interesting to see how data protection rules play out for doing business in Thailand. It’s a journey, as they say.