Home Business Tech

2 Years Delayed, Personal Data Privacy Act Takes Effect Today – And No One Is Ready

Computer Hacker Data Privacy PDPA Thailand Personal Data Act

After a two-year delay, Thailand’s Personal Data Protection Act comes into force today and more than 90% of online websites and apps aren’t ready.

The PDPA is intended to assure the public that their personal data will be protected and not used by unauthorized people.

Under the law, people or entities responsible for controlling or processing personal data must obtain consent from the data’s owner for its collection, use or disclosure. They must also inform the data’s owner about the reason their personal information is being used and how it will be used.

Additionally, the law gives individuals the right access their personal data, correct errors, object to its use and demand its deletion if use goes against the principles of personal data protection or related laws.

Organizations which control or process personal data are required to have standard measures in place for the safe-keeping and management of the data.

But neither the public nor government is fully ready for the law. The National Digital Economy and Society Commission is still developing a platform to accommodate the law that won’t be ready until later this year.

Once online, the platform will have systems for the collection and processing of data, management of the consent of the data’s owner, management of the rights of the data’s owner and the handling of any breaches of personal data privacy or use.

Meanwhile, a survey by the Thai Board of Trade and the University of the Thai Chamber of Commerce found 92% of almost 4,000 businesses interviewed said they are not compliant with the new law, with 69% saying they haven’t even started the process of compliance.

There are two types of personal data: that which includes general information, such as name, date of birth and phone number; and sensitive data, such as racial, sexual, religious, health, political and biometric information.

There are both criminal and civil liabilities for breaches of personal data privacy. For example, collection, use or disclosure of sensitive personal data illegally is liable to a fine of five million baht on conviction.

Collection, use or disclosure of general personal data without a legal basis is liable to a three million baht fine on conviction and failing to get consent from data’s owner or refusing the data’s owner access to their personal data is liable to a one million baht fine on conviction.

If the unauthorized use or disclosure of personal data causes damage to other people or subjects other people to hate, shame or contempt, violators may face six months in prison and/or a fine of 500,000 baht on conviction.