Since the start of 2021, the situation in Thailand has been unsteady due to an increase in the number of confirmed cases of COVID-19. Coping with the third wave of the COVID-19 pandemic is paramount; other matters that are unimportant or difficult to implement have been put aside. Unfortunately, it has been considered that the enforcement of the Personal Data Protection Act (PDPA) (BE 2562) is unnecessary at this time in light of current circumstances. Therefore, the authorities have decided to postpone the enforcement of the PDPA for another year.
On 23 May 2020 a royal decree was issued to postpone the effective date of the PDPA for one year, to 1 June 2021. The government recently opined that the criteria, measures and conditions for PDPA compliance are detailed and complicated and therefore that the implementation thereof would require advanced technology to support the security of personal data. This would result in businesses, the public sector and other organisations regulated by the PDPA having to bear a higher burden when taking into consideration the COVID-19 situation in Thailand.
To ease this burden, on 8 May 2021 the government issued another royal decree to postpone the effective date of the PDPA for another year. Therefore, subject to any further amendments, the PDPA will fully take effect on 1 June 2022.
The royal decree lists 22 types of business that need not comply with the PDPA for another year, including:
- government agencies;
- foreign state agencies or organisations;
- foundations;
- non-profit organisations; and
- other private businesses.
It can be determined that the PDPA compliance waiver applies to all types of business in Thailand, whether operated by the government, public bodies, non-government organisations, non-profit organisations or the private sector.
Action pending PDPA postponement
While the PDPA remains partially effective (ie, until 1 June 2022), the royal decree imposes certain duties on data controllers which fall under the 22 types of business listed therein to put in place appropriate security measures to protect personal data. The Ministry of Digital Economy and Society (MDES) has been appointed to be in charge of this matter during the PDPA's postponement. A recent MDES notification determines and elaborates the details of the minimum standard of appropriate security measures that data controllers must implement.
The MDES defines 'security of personal data' as the maintenance of confidentiality, integrity and availability of personal data to prevent the loss, unauthorised access, use, amendment or disclosure thereof. In implementing the security of personal data measures, data controllers' employees, staff and personnel and other relevant people must be informed of such security measures and ensure that they strictly comply therewith.
Further, the MDES set the minimum standard of security measures to cover administrative, technical and physical safeguards regarding access control of personal data to include:
- having access control of personal data and the devices used to collect and process personal data;
- determining the permissions or rights to access personal data;
- having user access management to ensure that only authorised people may access personal data;
- determining user responsibilities to prevent the unauthorised access, disclosure, realisation or copy of personal data, including stealing devices used for collecting or processing personal data; and
- providing monitoring methods to check whether personal data has been accessed, altered, erased or transferred.
The MDES does not oblige data controllers to strictly comply with the security measures specified in its notification. Data controllers may determine and implement their own security measures, which may be different from those specified in the notification. However, such security measures must have a minimum security standard that is no less than the minimum security standard set out in the notification.
The minimum standards set out by the notification align with the concepts and principles in the International Organisation for Standardisation and the International Electrotechnical Commission standard 27001 (ISO/IEC 27001), an international standard for information security management systems.
Even though the security standards set forth in the notification are recommended during the postponement period, the same standards are expected to be determined by the Personal Data Protection Committee once the PDPA fully takes effect. Therefore, businesses may wish to consider implementing their own personal data security measures to meet the MDES's minimum standards to ensure a seamless transition when the PDPA becomes effective.
The security standards set forth in the notification are identical to the security standard principles of ISO/IEC 27001. Businesses that are certified as compliant with ISO/IEC 27001 will be considered to have met the personal data security standard required by MDES's notification.
