As personal data protection and privacy have in recent years emerged as a major topic of concern, people have grown increasingly wary of technologies that may be invading their privacy, including big data, data tracking, and facial recognition surveillance. In response, the European Union has issued the General Data Protection Regulation (GDPR) followed by other countries and governing bodies issuing similar types of regulations, while Thailand has passed the Personal Data Protection Act B.E. 2562, set to become effective from May 27, 2020.

With increased protection over personal data, coupled with a shift in consumer behavior, it appears that people are becoming more aware of their rights to privacy than ever.

For instance, when a company calls consumers to introduce new promotions, not only can they say they’re not interested, but now they can also ask where the company obtains their personal information, how the company uses this information, and can even lodge a complaint. Therefore, it is vital that businesses exercise greater caution when utilizing personal data.

Who should be concerned about this law?

Any businesses that store, use, or publish personal data, i.e. any information that can be linked to any specific individual, such as their first name, last name, address, email address, IP address, fingerprints, and religion, must all comply with this law.

What are the changes?

The new personal data protection law entails the following changes in the personal data usage protocol for the business sector.

1. The storage, usage, and publication (processing) of personal data can no longer be conducted freely and is permissible only on a legal basis.
2. Personal data must be processed transparently. That is, sufficient information about personal data processing must be provided to consumers or data subjects as required by the law, such as the type of data stored, data usage, storage duration, and the legal rights of the data subjects.
3. Personal data can no longer be stored forever and must be deleted once there is no need for it anymore.

How to comply with the law?

1. Identify the legal basis with which to process any personal data. For instance, when you are making a delivery to a customer, the legal basis for processing their name and address is the performance of a contract.
2. Create and show a privacy notice to the data subjects before storing their data. The privacy notice must include items required by the law, such as what categories of data are obtained, what the data is used for, and when it will be deleted.
3. Create a “Record of Processing” (RoP) that is accessible to data subjects and relevant authorities and contains all items required by the laws.
4. Provide channels through which data subjects may contact to exercise their legal rights.
5. Report any data leakage or breach to the Office of Personal Data Protection Commission within 72 hours.
6. Comply with other legal requirements, such as putting in place appropriate security measures, signing an agreement with third-party data handlers, and abiding by the law upon transferring personal data to an overseas party.

As shown above, full compliance with the personal data protection law requires not only effective personal data management systems but also the awareness of all employees of the company. Any violation can result in a fine of 1-5 million baht as well as criminal penalties.