9 Useful Steps to Becoming Compliant with the Personal Data Protection Act (PDPA)

Here are 9 useful steps to become compliant with the Personal Data Protection Act (PDPA)

1 Policy by Management
Determine personal data protection policies within the organization. Both the data protection policy and the data security policy.

2 Data Protection Officer (DPO)
Appoint a “Personal Data Protection Officer” of the organization (Data Protection Officer: DPO) to provide knowledge and understanding about the Personal Data Protection Act for a group of personnel who must respond to the processing of personal data within the organization. However, DPO could be internal staff or external.

3 Record of Processing Activities
Review the organization of processing personal data such as descriptions, collection, usage, transfer, and data subject rights what types of data it collects, both Personal Data and Sensitive Data. Including IT systems and software related to the management, storage, and processing of all personal data within the organization.

4 Data Subject Rights
Inform data subject about any new uses of personal data before start the processing including various rights as prescribed by law.

5 Consent
Obtain consent from the data subject If sensitive data is processed or when the personal data is used more than necessary.

6 International Data Transfers
Verify the destination country to which the personal data will be transferred to have adopted the standards in the law of data protection that match with the PDPA or better.

7 Data Processing Agreement
Draft the agreement between the Controller and the Processor (Data Processing Agreement: DPA) to define rights, duties, and responsibilities regarding data processing

8 Data Breach Notification
Provide notifying the personal data breach to the Office of the Personal Data Protection Commission (PDPC) within 72 hours after having become aware of it.

9 Channels to exercise the right of the data subject
Arrange various channels which not require any fees and are easy to access for exercising rights of the data subject.

Author: Jurarat F., Legal Technology Counselor