The Organization’s Duty Even before the Effective Date of PDPA

With 1st June 2022 approaching, several organizations in Thailand have started their PDPA compliance process. However, with today’s challenges, many organizations are struggling to comply with PDPA. While this may be understandable, there is a legal duty already in effect that organizations need to be aware of.

‘The Security Standards for Personal Data Notification’ was issued by Thailand’s Ministry of Digital Economy and Society to set out the minimum security standards for personal data protection under PDPA. The notification’s effective period has been extended, and it is in full effect from July 2020 until the end of 31 May 2022.

Organizations, as data controllers, are required to do two main things.

– Arrange security measures for access control of personal data, covering administrative, technical, and physical safeguards.

At a minimum, the security measures should include a practical access control method and the necessary equipment, user access management, defined user responsibilities, and a history log of personal data activities.

– Notify their employees and other persons concerned of the security measures, and create awareness among these people to ensure they understand data protection.

While PDPA is still in its postponement period, organizations are nonetheless required to maintain their security measures to meet the requirements under ‘The Security Standards for Personal Data Notification.’

Author: Punsuree K., Legal Technology Counselor.