THAILAND Trends and Developments Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada
In conclusion, as the PDPA enters its third year of full enforcement, it is evident that compliance efforts have become more widespread and sophisticated. Many operators are now focusing on fine-tuning their PDPA frameworks to ensure ongoing compliance and mitigate risks effectively. However, for organisations that have yet to prioritise comprehensive audits or proper compliance measures, the growing enforcement environment underscores the urgency of adopting robust data protection practices.

Action trends

One positive note on the compliance action trend in Thailand is that regardless of what internal due diligence methodology is used (whether in-depth and detailed personnel interviews, quick questionnaires, or template customisation based purely on limited existing knowledge), many companies in Thailand have come up with data protection and privacy documents that are required by law. Some versions and forms are naturally more complete and more compliant than others, and some are more detailed due to larger amounts of information elicited from fact-finding processes; overall, though, these companies have done reasonably well in terms of moving in alignment with the law. Basic documents that have been seen include:

• data protection and privacy policies;
• consent forms;
• cookie-collection mechanisms;
• data protection officer appointment announcements;
• data processing agreements or data protection clauses with counterparty;
• specific protocols and standards of operation; and
• complaint reports.
Another positive note on the compliance action trend in Thailand is the surge in data breach reports. The PDPA requires an entity to notify the PDPC of a known or discovered data breach that may have an impact on data owners, whether from accidental leakage (unintended transfer, loss of electronic storage device, system failure leading to loss or corruption of data, etc) or from intentional acts (unlawful access from hacking, phishing, ransomware, etc) within 72 hours of becoming aware of such incident. So far, hundreds of cases have been reported to the PDPC since the PDPA’s inception – many more than most anticipated.

This surge in incident reports signifies two things.

First, it shows a worrying trend of a rise in electronic crime related to personal data, not just in Thailand but globally. In fact, most cases that have been filed with the PDPC in Thailand pursuant to the PDPA were the results of offshore breaches or hacking activities that had nothing to do with Thailand, but filing had to be undertaken in Thailand as Thai citizens and residents were affected by such offshore incidents.

Second, it shows a positive trend of self-learning and self-imposed compliance. Although there may be little communication between the PDPC and other data protection regulators from other countries (meaning that awareness of an incident in one jurisdiction is unlikely to be communicated to another jurisdiction), these local companies (whether subsidiaries of international corporations or otherwise) have chosen to voluntarily comply with the legal requirements and to report their accidental failures, despite the risk of discovery being small.

Part of this surge in willingness to comply with the requirements of the PDPA is due to the fact that the PDPC has provided fair and reasonable