Data Protection and Privacy 2025

THAILAND Trends and Developments Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada

through comprehensive audits and evaluations of their data protection frameworks. The authors have observed a clear and consistent trend toward stricter compliance and increased efforts to address the requirements of the PDPA.

For instance, numerous companies, especially medium-sized and large organisations, have conducted PDPA compliance audits to assess and enhance the effectiveness of their existing frameworks. These companies have invested substantial resources into data analysis, due diligence, and mapping exercises, including conducting structured personnel interviews across various business units. Such interviews, particularly those targeting departments heavily involved in personal data handling (eg, human resources, sales, administration, and IT), have proven to be highly effective. When correctly implemented using ethnographic methods, these interviews provide comprehensive insights into:

• specific personal data items being used;
• the rationale for their use;
• timing and processes for collection, use, and storage;
• data transfer practices; and
• data deletion or destruction processes.

These interviews also serve a dual purpose by inadvertently providing training for both interviewees and internal data protection teams. Issues identified during the process often lead to discussions of legal principles and rationale, enhancing overall awareness of the PDPA. The insights gathered allow companies to create precise and tailored documentation, such as policies, consent forms, protocols, and impact assessments, addressing specific data protection needs.

Companies often discover risks associated with their data utilisation processes during these audits. Many have realised that high-risk processes previously considered acceptable must now be terminated, while others can be justified and retained with proper documentation under the PDPA framework.

While interviews remain a robust method for gathering detailed data, some companies have opted for a more economical approach using questionnaires. Custom questionnaires are distributed to key business units to collect data on utilisation processes, including points of collection, storage locations, access limitations, transfers, and deletion. While this method is quicker and less expensive than interviews, it tends to produce less detailed results, thereby increasing the likelihood of oversight. Companies relying solely on questionnaires often struggle to notify data subjects comprehensively or obtain appropriate consent, leading to gaps in compliance.

Notably, many businesses initially favoured questionnaires as a “quick fix”, given the incomplete supplemental rules under the PDPA. However, some later realised that the resulting PDPA documentation lacked the necessary depth and specificity, prompting them to undertake more thorough interviews – a costly and time-intensive process in hindsight.

Smaller companies, often constrained by budgetary concerns, have adopted even simpler approaches, such as using off-the-shelf templates with minimal customisation. While this strategy requires less time and financial investment, it carries significant risks. Generic templates often fail to capture the unique data utilisation processes of an organisation, leaving gaps that heighten the likelihood of legal breaches, such as inadequate notifications or consent failures. Consequently, this method is generally discouraged.
