Personal Data Protection in Thailand

Ensure Your Business is in Compliance with the PDPA

Thailand’s Personal Data Protection Act 2019, commonly known as the PDPA, outlines strict data security requirements for any person, organization, or website that collects and handles "Personal Data" from individuals in Thailand. If you operate a business that collects and stores the personal data of customers in Thailand, regardless of whether they are citizens or not, you are responsible for staying compliant with the PDPA.

Noncompliance with the PDPA can result in financial penalties of up to millions of baht and damage to your business’s reputation. In extreme cases, such as if you experience a data breach that exposes customer data to cybercriminals, you could lose your business and even face jail time if you are convicted.

While the PDPA represents a complex set of strict regulations, you don’t have to figure it out alone. The experienced lawyers and consultants with Siam Legal’s Cyber Crime and Data Protection team will educate you on the PDPA’s finer points, inspect your business’s IT network to determine if you are in compliance, and provide training to your workforce to ensure you stay protected from infractions and penalties.

What are the Risks of PDPA Noncompliance?

The PDPA is regulated and enforced by the Personal Data Protection Committee (PDPC), a government entity. This body sets PDPA regulations, promotes data security, and prescribes penalties for noncompliance.

The PDPC allowed a grace period for organizations to comply with the PDPA after the law was enacted, but that time is over. In 2024, the PDPC announced its first punitive measures and that it had fined a company found to be in violation of the PDPA to the tune of 7 million baht. Furthermore, the organization was ordered to do a full review of its compliance efforts and enact the required changes within 7 days or face a further fine of 500,000 baht.

Failing to comply with PDPA regulations not only leaves your business open to steep fines but also to increased scrutiny from the PDPC moving forward. Ensuring PDPA compliance pays for itself by keeping you safe from data breaches and expensive fines.

Does Thailand’s PDPA Apply to Your Business?

The PDPA was created to ensure the security of personal data for individuals in Thailand, including citizens, expats, and tourists. It applies to organizations and individuals globally, so even if your company is based abroad and incorporated in a different country, you are obligated to comply if you collect or store personal data originating from Thailand.

To understand the PDPA, you must be aware of three key terms as defined by the PDPC:

  • Personal Data: This is defined by the PDPA as information relating to a person that enables the identification of said person, either directly or indirectly.
  • Data Controller: An organization or individual with the authority and duty to make decisions on the collection, usage, or disclosure of Personal Data. For example, if you require customers to input Personal Data into your website or app and you use that data to provide goods or services, you are a Data Controller.
  • Data Processor: An organization or individual that collects, uses, or discloses Personal Data on orders from or on behalf of the Data Controller. For example, if you partner with another company and handle Personal Data that they collect, you are a Data Processor and subject to the PDPA even if you did not request or initially collect said data.

Both Data Controllers and Data Processors must comply with the PDPA; otherwise, they will face penalties or even criminal charges in certain extreme circumstances. If your business meets the description of either a Controller or Processor, complying with the PDPA is vital to the survival and success of your business.

Types of Data Covered by the PDPA

"Personal Data" is a broad concept and encompasses many kinds of identifying data. Here are the types of data that typically fall under the PDPA’s definition of Personal Data. According to the PDPC, if your business collects or handles any of these kinds of data, you must be PDPA compliant.

  • Contact Information – name, address, phone number, email address, etc.
  • ID Information – passport number, national ID number, driver’s license, etc.
  • Financial Data – credit card number, bank account number, crypto wallet information, etc.
  • Work-Related Information – employer, job/position, tax identification number, union membership, etc.
  • Biometric Data – fingerprints, facial scan, genetic data, etc.
  • Health Data – information about physical and/or mental health, prescriptions, past medical treatments, etc.
  • Sensitive Personal Data – religious views, sexual orientation, criminal record, race or ethnicity, political opinions/affiliations, etc.

As the definition of Personal Data by the PDPA is broad, most types of data fall under this category. If you collect data of any kind from customers or partners, it is best to assume you are obligated to comply with the PDPA, as the Thai government will not take ignorance as an excuse.

PDPA Consulting Services to Ensure Your Business is Compliant

To avoid costly penalties, a damaged reputation, and potential criminal charges, partner with Siam Legal for PDPA compliance consulting services. Our Cyber Crime and Data Protection team is comprised of seasoned lawyers and legal advisors with deep knowledge of Thailand’s computer crime laws and of the PDPA specifically.

With our guidance and advice, you can align your business’s IT infrastructure, data security policy, and business operations with the most recent PDPA regulations without the need to hire full-time cybersecurity staff. Our services take a holistic approach and include consulting for your leadership, auditing for your IT, and training for your workforce.

Guidance and Compliance Advice from Professional PDPA Consultants

To ensure PDPA compliance, your core business operations must be reexamined from the ground up. Significant changes may not be needed, but compliance considerations must be incorporated wherever Personal Data is involved, whether it belongs to customers, employees, or partners.

When, how, what kinds, and from whom you collect data must be considered, and your business operations and policies must be altered to reflect this. It could be as simple as adding a disclaimer to your website, or it could require more significant changes to your data collection and storage methods. To know for sure, you need expert guidance from Siam Legal’s PDPA specialists.

Our consultants will meet with you, online or in person, to advise on a broad range of PDPA considerations, including:

  • Data Controller vs Data Processor Obligations: Find out which definition applies to you and what it means for your business.
  • Consent Management and Documentation: How to correctly inform individuals of the kinds of data you are collecting and easily acquire their legally required consent to do so.
  • Data Storage and Disclosure: How and when you are allowed to keep Personal Data or share it with third parties.
  • Compliance-Related IT Solutions: Find out which software and hardware solutions will help you maintain PDPA compliance and how to implement them.
  • Cross-Border Data Transfers: What to do if you transfer data to other legal jurisdictions, such as from Thailand to the United States.
  • Appointment of a Data Processing Officer (DPO): Depending on the scale of your business, you may need to appoint a DPO.
  • Data Processing Records: How to keep detailed records of your Personal Data processing activities as required by the PDPA.
  • Data Breach Procedures: How to inform the public and authorities when Personal Data is illegally accessed by cybercriminals.
  • PDPA vs GDPR Compliance: Learn the difference and how to easily stay in compliance with both regulations.
  • Data Privacy Policy Development: How to set and enforce data security policies to keep your business compliant.
  • And Many More: Your unique compliance considerations depend on your location, industry, online operations, and other factors. Siam Legal’s PDPA consultants will assist you in determining your precise responsibilities.

Instead of hiring a full-time cybersecurity specialist with knowledge of the PDPA to keep your business in compliance, you can get the services of an entire team of experts from Siam Legal for a fraction of the cost. If your operations change or the PDPA is updated, we stand ready to help you again, so you only pay for compliance assistance when you need it.

PDPA Audits and Testing

An official audit from the PDPC is not the time when you want to discover if you are actually compliant or not. You want to assess your business processes and IT infrastructure as soon as possible to ensure you are in compliance and not at risk of fines or other penalties.

Siam Legal’s Cyber Crime lawyers and PDPA consultants are well-versed in not just the details of the law, but also the audit methods used to enforce it. Our advisors will assess your business’s data protection policies and collection/storage methods to determine if you are in line with PDPC guidelines.

With our PDPA auditing services, you can get a clear picture of your data security posture as well as learn what exactly you need to do to avoid noncompliance and the associated consequences.

PDPA Training for Employees

Ensuring your policies, operations, and IT infrastructure are PDPA compliant is only the beginning. Your entire workforce must understand PDPA regulations and how to follow them to ensure you stay compliant and don’t fall victim to a data breach.

From C-level executives to interns, if someone in your business handles or interacts with personal data in any way, they must be trained on the proper methods of doing so. A single mistake can lead to an audit, a lawsuit, or even criminal charges.

Siam Legal’s PDPA consultants have extensive experience running employee training seminars to educate workers in all industries on how to maintain compliance in their day-to-day operations. Regardless of the size or sector of your business, we can provide a personalized training curriculum that covers all the necessary PDPA topics and best practices.

The topics covered include, but are not limited to:

  • Understanding the PDPA, its importance, and the consequences of noncompliance
  • Personal Data handling best practices
  • Data governance training
  • The role and responsibilities of the DPO
  • DPO training
  • Data classification best practices
  • How to create and utilize effective consent forms
  • Managing third-party vendor data agreements
  • How to set, enforce, and follow data retention and deletion policies
  • Managing the full data lifecycle from request to deletion
  • How to best utilize compliance-focused IT solutions
  • What to do in the event of a data or privacy breach to mitigate the damage and comply with customer notification requirements
  • And many more

Siam Legal’s PDPA awareness training programs are flexible and can be customized based on your business’s size and industry. We don’t provide "one-size-fits-all" training; each program is tailored to your needs and schedule.

With a trained and certified workforce, you can minimize the risk of PDPA infractions and strengthen your business’s reputation as a secure organization that is committed to the safety and privacy of its customers.

Minimize Your Risk with Professional PDPA Consulting Services and Policy Guidance

Don’t operate your business with the fear of data breaches, PDPC fines, and criminal charges hanging over you. Partner with Siam Legal’s Cyber Crime lawyers and consultants to swiftly and smoothly align your operations with PDPA data security regulations.

With guidance from Siam Legal’s compliance consultants and a well-educated workforce, you can operate with peace of mind knowing your business is secured against privacy breaches and noncompliance penalties. Contact Siam Legal today to get started.

Have any questions?

If you have any questions that need answering, please do not hesitate to reach out to a professional for assistance. At Siam Legal, we have staff on hand with a full spectrum of knowledge on Personal Data Protection and can help point you in the right direction.

For more information, feel free to contact us:

Local Office Numbers:
Bangkok: 02-254-8900
Phuket: 076-326-322
Chiang Mai: 053-818-306
Pattaya: 084-021-9800
International Numbers:
US: 1-877-252-8831
Thailand: +66 2254-8900