On 5 May 2021, the Cabinet approved postponing the full enforcement of the Thai Personal Data Protection Act (PDPA) for one further year due to the recent and severe outbreak of COVID 19 in Thailand. This was the second time the Act has been postponed.
Pending the issuance of a new law to confirm the postponement, most provisions of the PDPA will become effective on 1 June 2022.
Business operators should still prepare themselves well to comply with the PDPA when it does eventually come into force. This is because Thailand cannot easily backtrack on the eventual passing of the PDPA, which has been influenced by the European General Data Protection Regulation (GDPR), and in the future COVID 19 may no longer provide sufficient reason for any further postponement.
However, the second postponement does give each business operator a good chance to review their PDPA compliance and minimize any significant liability risk due to PDPA violations (punishments can be accumulated for each of violation occurrence).
Those who have tried to prepare for PDPA compliance before might have faced the following key challenges:
- Needing more preparation time than expected – for a mid-size business the general timeline for PDPA compliance preparation ranges from between three to five months, depending on the complexity of business activities and amount of personal data involved.
- Not knowing how to start – the PDPA’s provisions are complicated and are mostly influenced by the GDPR, while several detailed regulations have not been issued yet.
- Facing difficulties when dealing with large amounts of personal data.
- Facing difficulties when building awareness and seeking the cooperation of all related personnel.
- Dealing with many PDPA legal documents requiring practical solutions for daily business operations.
We welcome any opportunity to discuss the relevance of the above for your business.
KPMG Thailand’s Legal Services Team offers a wide range of practical legal solutions. For more information, please visit Legal services.