Businesses Fret As Thailand Kicks Off Data Protection Law Enforcement

May 31, 2022
After two years of delay, Thailand's first data protection law is set to come into force on Wednesday. Despite the intent to boost Thailand’s digital economy, small businesses are still struggling to prepare for full compliance.

The Personal Data Protection Act (PDPA) will come into force on June 1 and will address key issues regarding the collection, use or disclosure of personal data.

The law requires data controllers and processors that use personal data to receive consent from data subjects and use it only for expressed purposes.

Similar to the GDPR, the PDPA grants data subjects the right to request access to their personal data and ask for the deletion of their data. They also have the right to object to data collection, usage or disclosure.

In addition, the law requires controllers to implement data security measures and to notify the Personal Data Protection Committee (PDPC) of data breaches within 72 hours.

The legislation was adopted in May 2019 and originally granted a one-year grace period for businesses to prepare for compliance.

However, the government decided to postpone the enforcement date twice, due to the effects of COVID-19 and because of delays in setting up the PDPC, which held back the work required to pass secondary legislation for the act.

In preparation for the start of the enforcement, last month, the PDPC signed a memorandum of understanding with the country’s main financial regulators to ensure that supervision and the protection of personal data in the financial sector are consistent, and their activities do not overlap.

This collaboration “is the cornerstone of the development of the financial sector and supports the smooth transition of the Thai economy to the digital economy,” said Sethaput Suthiwartnarueput, governor of the Bank of Thailand.

Although the Digital Economy and Society (DES) Ministry says the data protection act will help the country to promote innovation and “take advantage of the full potential of digital technology”, the private sector is concerned about the significant compliance burdens of the act, which may particularly affect small and medium-sized enterprises (SMEs).

Both a challenge and an opportunity

Representatives of the private sector have spoken out several times against the high compliance burden that the legislation would impose on businesses.

According to a recent PDPA readiness survey carried out by the Thai Board of Trade and the University of the Thai Chamber of Commerce, only 8 percent of the respondents said they had taken measures to fully comply with the law, while 31 percent said they had not even started the process.

In addition to the regulatory burden, trade associations have also criticised the harsh level of penalties included in the act.

Under the provisions of the PDPA, non-compliant data controllers may face imprisonment of up to one year and penalties of up to 1m baht ($29,000) in a criminal case or an administrative fine of up to 5m baht ($146,000).

To ease the regulatory pressure on the private sector, Paiboon Amornpinyokiat, a member of the PDPC's legal subcommittee, said that in the first year of enforcement, the authorities will only hand out warnings to violators and may pass secondary legislation to exempt small businesses from compliance, the Bangkok Post reported.

The PDPC member stressed that the government's intention is to support the digital economy and not to collect money from fines.

Nonetheless, the DES Ministry remains committed to starting the enforcement.

"Data is the heart of the digital economy. The enforcement of the PDPA has been postponed twice and it is now the time to start," DES minister Chaiwut Thanakamanusorn said at an event.

According to Thanakamanusorn, full enforcement is crucial as it sets a clear standard for personal data usage and levels up personal data protection in the country, which could create confidence at the international level and ensure transparency.

"The PDPA will level up the standard of data protection in Thailand to be on par with other countries," such as the EU’s GDPR, Thienchai Na Nakorn, chairman of the PDPC, said.

"It will also support Thai businesses in gaining international acceptance in terms of personal data protection standards", and “open the door to new opportunities on the world stage”, he added.

The PDPA is one of the dozen digital-related laws that the government adopted as part of its 20-year digital economy transformation roadmap.

The data protection law is a key part of supporting the digital-driven economy, which the government forecasts will generate 30 percent of the country’s GDP over the next five years.
