IDC Names Securiti a Worldwide Leader in Data Privacy

View

Thailand PDPA Compliance

Operationalize PDPA compliance with the most comprehensive PrivacyOps platform

Last Updated on November 19, 2023

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.

 

The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, published in the Thai Government Gazette on 27 May 2019. This law was said to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet, through a Royal Decree, deferred the enforcement of specific data protection provisions of the PDPA until 31 May 2021. After three years of delays, Thailand's PDPA went into effect on June 1st, 2022.

The PDPA aims to protect individuals' personal data and impose obligations on businesses to collect, use, and disclose personal data. The PDPA is primarily based on the EU’s GDPR. Therefore, there are several similarities, such as the legal provisions for processing personal data, data subject requests, and other security measures requirements.

The Solution

Securiti enables organizations to comply with the Thai PDPA regulations through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities, and AI-driven process automation.

Thailand PDPA Compliance Solution

Securiti supports enterprises in their journey toward compliance with the Thai PDPA through automation, enhanced data visibility, and identity linking.

See how our comprehensive PrivacyOps platform helps you comply with various sections of Thailand’s PDPA.


 

Customize a data subject rights request portal for seamless customer care

Simplify your DSR request format by building web forms customized for your brand image to accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.

dsr portal
dsr handling

Automate data subject access request handling

PDPA Sections: 23, 30

Data subjects need to be notified about their data privacy rights, and organizations are required to simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and the workforce required to comply with all the requests.

Secure fulfillment of data access and port requests

PDPA Sections: 23, 30, 31

Organizations must disclose the information to the data subjects within a limited time frame of receiving a verifiable data request. This will be free of charge and delivered through a secure, centralized portal.

data access request
data rectify request

Automate the processing of rectification requests

PDPA Sections: 35, 36

Seamlessly fulfill data rectification requests with the help of automated data subject verification workflows across all appearances of a subject’s personal data.

Automate erasure requests

PDPA Section: 33

Quickly fulfill data subject's erasure requests through automated and flexible workflows.

data erasure request
processing request

Automate objection and restriction of processing requests

PDPA Sections: 23, 32, 34

Build a framework for objection and restriction of processing handling based on business requirements with the help of collaborative workflows.

Continuous monitoring and tracking

PDPA Sections: 37(1)(3), 39, 40

Keep track of risks involved by continuously monitoring and scanning data against non-compliance to subject rights, security controls, or data residency. Surface new Personal Data categories, types, and data flow risks continuously.

personal data monitoring tracking
personal information data linking

Automate People Data Graph

PDPA Sections: 39, 40(3) 

Discover personal information stored across all your systems within the organization and link them back to a unique data subject. Visualize personal data sprawl and identify compliance risks.

Meet cookie compliance

PDPA Sections: 19, 20, 25, 26

Automatically scan the organization’s web properties and categorize tags and cookies. Also, build customizable cookie banners, collect consent and provide a preference center.

Thailand PDPA Cookie Consent Compliance
Universal Consent Management

Monitor and track consent

PDPA Sections: 19, 20, 24, 25, 26, 27

Track consent revocation of the data subjects to prevent the processing or transfer of data without their consent. Demonstrate consent compliance to regulators and data subjects.

Assess PDPA readiness

PDPA Sections: 37, 39, 40

With the help of our multi-regulation, collaborative, readiness, and privacy impact assessment system, you can measure your organization's posture against PDPA requirements, identify the gaps and address the risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance against PDPA requirements.

Thailand PDPA Readiness Assessment
Data Flow Mapping

Map data flows

PDPA Sections: 39, 40(3)

Keep track of data flows in your organizations, trace this data, and catalog data collection and transfer. Document business process flows internally and to service providers or 3rd parties.

Manage vendor risk

PDPA Sections: 37(2), 39

Track, manage, and monitor privacy and security readiness for all your service providers from a single interface. Collaborate instantly, automate data requests and deletions, and manage all vendor contracts and compliance documents.

Vendor Risk Management
breach response notification

Breach Response Notification

PDPA Section: 37(4)

Automates compliance actions and breach notifications to concerned stakeholders concerning security incidents by leveraging a knowledge database on security incident diagnosis and response.

6 Key Data Subject Rights Under Thailand’s PDPA

Right to be Informed: Data subjects have a right to be informed regarding how their personal data is being collected and used. Businesses are required to inform data subjects of any data they may have of them and any data processing that is taking place.

Right to Access: Data controllers and processors have a legal obligation to provide data subjects with access to and copies of their personal data. This right must be honored without delay and no later than one month after receiving the data subject's request.

Right to Data Portability: Data subjects also have the right to ask for data to be sent from one controller to another in a readable format that can be used or disclosed automatically.

Right to Rectification: Data subjects have the right to have erroneous data corrected and incomplete data about themselves rectified.

Right to Erasure: Data subjects have a right to erasure available where the controller or processor must delete the data of the data subjects if they withdraw their consent, where data is no longer necessary for the purpose it was collected or processed for, or where data was collected unlawfully.

Right to Object/opt-out: When data subjects' data is gathered without their consent, their data is processed for direct marketing purposes, or their data is processed for scientific, historical, or statistical research, they will have the right to object.

Quick Facts about Thailand’s PDPA

1

The PDPA is Thailand's first data protection legislation.

2

Under the PDPA, the data controller will have to guarantee the rights of the data subjects.

3

A violation of the PDPA may result in civil liability, criminal liability, and administrative fines, ranging from a few thousand Thai baht to 5 million Thai baht.

4

PDPA contains no detailed rules regarding the use of automated processing of individuals’ personal data for decision making.

5

PDPA does not apply to foreign public authorities, international organizations, and public entities, including those engaged in duties concerning the prevention and suppression of money laundering, forensic sciences, or cybersecurity.

IDC MarketScape

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report

Follow