On May 27, 2019, Thailand passed a law specifically dedicated to the protection of the personal data of Thai people: The Personal Data Protection Act B.E. 2562, known as "PDPA".
The Personal Data Protection Act (PDPA)
Personal data protection laws in Thailand and worldwide
Today, every company handles and processes personal data, in particular that of its employees, customers and prospects. And as the "data-driven economy" takes shape, more and more companies find themselves facing inspections by national regulatory authorities or complaints from individuals.
Data protection legislation is complex and constantly evolving, but it is fully binding on any company operating in the Thai market (under the PDPA) or the European market (under the GDPR), and on government authorities as well (although many exceptions still apply). It is therefore vital for any economic entity to know its obligations regarding the protection of individuals' personal data, and to comply with them at all times.
Legal and business news alike are full of examples of the consequences of inadequate protection of personal data.
The Data Protection Officer (DPO)
The recent adoption of the PDPA confirms the acceleration of the legal approach to personal data, with the advent of the "Data Protection Officer" (DPO) and the adoption of a dynamic, evolving concept of corporate compliance with its obligations. The issue of personal data is inseparable from all the innovations of the digital economy, be it the model of free websites, social networks, big data or the Internet of Things. What used to seem like a thankless chore has become one of the most sensitive aspects of a company's activities, and one that exposes it to great risk if it does not take the necessary precautions.
JUSLAWS INTELLECTUAL PROPERTY:
Audits the files and automated processing operations within the company to ensure that they fully comply with legal requirements (in particular the obligations to inform individuals and to declare processing to the competent government authority, but also the need to adapt systems to market innovations such as "privacy by design" and to changes in Thai regulations);
Analyses data flows and processing operations, particularly where data are exchanged with third parties located outside Thailand or entrusted to offshore subcontractors, and drafts the contractual safeguards needed to legitimise these flows (standard contractual clauses, binding corporate rules, etc.);
Identifies data that require special precautions and helps companies choose the processing they wish to implement (hosting of "sensitive" data such as health data and banking data, which may be subject to specific legislation, and anticipating the concepts of "accountability" and "security by default" promoted by the Personal Data Protection Act, etc.);
Assists data controllers in their dealings with the competent government authority, whether declaring the processing operations implemented, obtaining assurance of their legality, or responding to investigations that this authority may conduct.
Make your company compliant now
Faced with this vast paradigm shift, which is both cross-functional and mandatory, companies must build a genuine internal project and involve all the departments concerned. JUSLAWS INTELLECTUAL PROPERTY offers extensive support to enable the company (i) to identify what exists in terms of data protection, (ii) to investigate its practices and objectives, (iii) to define the changes to be made (structural, organisational, marketing and of course legal), and (iv) to support the company in implementing these changes.
Our compliance services
JUSLAWS INTELLECTUAL PROPERTY offers in particular the following services, to be agreed with the company according to its market sector, its data processing, its projects, and the availability of its teams:
Awareness training and/or kick-off meetings on the innovations and requirements of the new Personal Data Protection Act as well as their general consequences, carried out on the company's premises;
Memorandum presenting the impacts of the PDPA and the new features to be taken into account within the company, including a presentation of the measures to be implemented and the methodological roadmap;
Analysis workshops conducted with the company's departments, using analysis matrices to review the company's practices iteratively and in detail, in order to map the existing processing operations and the target processing operations that will continue under the PDPA;
Plan of recommendations setting out, as appropriate, (i) the legal bases for processing and any regulatory exemptions from which the company benefits, (ii) all the recommendations resulting from the analyses of the audit stage, (iii) specific alerts and recommendations, particularly where "sensitive" data are processed, (iv) the possible need to carry out the prior privacy impact assessment (PIA) required by the PDPA in certain situations (big data processing, processing of sensitive data, profiling, etc.), (v) the arrangements for governing cross-border data flows, and (vi) the technical and organisational measures to be implemented (DPO register, internal controls, requirements to be passed on to the R&D department or technology providers, etc.);
Drafting of the new mandatory information notices and the methods for collecting the consents to be deployed, in line with the restructuring of the company's tools and in compliance with the new requirements of the PDPA;
Contractual clauses to be inserted in the company's contracts, whether customer contracts or contracts with suppliers and service providers (IT or otherwise), together with the necessary assistance in negotiating these new clauses;
Assistance to the project sponsor on the tasks of technical compliance and integration of the principles of "privacy by design" and "security by default" by the technical teams (R&D or IT departments). The assistance is delivered in "project mode" in the form of workshops, in which the technical teams set out the specifications and management rules to be implemented in the company's tools, so as to validate that they meet the structural protection requirements laid down in the PDPA;
Assistance in carrying out a privacy impact assessment (PIA) where the processing implemented by the company requires one within the meaning of the Personal Data Protection Act. The assessment is conducted in the form of workshops, with a lawyer of the Firm and a partner expert in information systems security auditing, in order to identify the risks, threats and precautions to be taken and the certifications to be obtained;
Outsourced DPO engagement: establishing and maintaining the record of processing activities, and ensuring compliance monitoring, handling of requests from individuals, management of alerts and personal data breaches, relations with the competent government authority, audit of the company's new projects or new acquisitions, etc.;
Assistance with, or leadership of, the negotiation of IT acquisitions (specific solutions or cloud services available on the market), engaging with suppliers to verify their level of compliance with PDPA requirements and the depth of their contractual commitments in this respect;
Review and validation of the company's internal training or awareness-raising documents (participation in the development of an internal training plan in collaboration with the DPO, drafting or updating of IT charters, etc.);
Assistance to the internal DPO in responding to requests from natural persons exercising the rights they hold over their personal data (rights of access, rectification, erasure, objection, portability and withdrawal of consent), by defining the actors involved and the procedures to follow;
Assistance in handling personal data breaches (preparation of notifications to the competent government authority within the PDPA's time limit, which runs from the moment the company becomes aware of the personal data leak or of the fraudulent intrusion into its information system: without delay and, where feasible, within 72 hours).