PDPA News - the Personal Data Protection Committee (PDPC) has been officially established

On 18 January 2022, the appointment of the Personal Data Protection Committee (PDPC) consisting of ten members was officially announced and published in the Royal Gazette, effective from 11 January 2022. 

In addition to the announced ten members, the Personal Data Protection Act (PDPA) designates that to form the PDPC, the Permanent Secretary of the Ministry of Digital Economy and Society shall act as a Vice-Chairperson of the PDPC, and the Secretary-General of the PDPC shall act as a committee member and secretary of the PDPC. An additional five people will sit on the PDPC, in accordance with their existing positions as designated under the PDPA.

The PDPC has been established under the PDPA. The committee’s main responsibility and authority is to issue subordinate regulations under the PDPA. This includes inspections and monitoring business organizations by issuing the announcements and orders in compliance with the PDPA.

We expect that subordinate regulations will be considered and issued by the PDPC in the near future. 

Preparation for PDPA compliance is estimated to take between two and four months. Business operators who have not yet started PDPA compliance preparation should begin as soon as possible. The PDPA is expected to be fully enforceable from 1 June 2022 and is expected to have no further postponement. 

For business operators who have already started preparing for PDPA compliance, it is important to ensure that all of the personal data processing activities and the responsible personnel continue to comply with the PDPA. To ensure this, business operators should consider taking the following actions:

• Raise awareness within the organization by arranging for refreshment PDPA trainings to ensure that all the responsible and relevant personnel are aware of the importance of PDPA and the obligations under such law.

• Ensure that information in the record of processing activities (ROPA) is correct and up to date. This could include revisiting the prepared ROPA, especially when the organization has new business activities or has minimized certain personal data after the first version of the ROPA has been prepared and ensuring that the lawful basis of each processing activity is in line with the updated ROPA. 

• Ensure that the prepared PDPA documents are correct and up to date, reflecting the actual operations of the organization. 

• Undertake a PDPA compliance audit to ensure that overall PDPA compliance of the organization is on track.

KPMG Law has extensive experience with PDPA compliance and supporting services. We provide full PDPA services from the data identification stage to completion of PDPA implementation. Our services include subsequent PDPA support such as trainings, PDPA document review, ad-hoc advisory services, Data Protection Officer support and advisory services. 

We welcome any opportunity to discuss the relevance of the above for your business.

KPMG Thailand’s Legal Services Team offers a wide range of practical legal solutions. For more information, please visit Legal Services.