On 21 May 2020, the Thai government issued a Royal Decree exempting 22 business categories from the operation of the Personal Data Protection Act B.E. 2562 (“PDPA”) until 31 May 2021 (“Exempt Businesses”). The Personal Data Protection Commission is empowered under the Royal Decree to make a determination if there is any uncertainty as to whether a business is exempt, and business operators in Thailand should already have obtained legal advice on whether they are an Exempt Business.
Prior to the issuance of the Royal Decree, news reports suggested that there were concerns among businesses that they were not ready for implementing the required measures to comply with the PDPA. The Royal Decree was the Thai government’s response to these concerns.
The Royal Decree required Exempt Businesses to implement personal data security measures in line with the standard specified by the Ministry of Digital Economy and Society (“Interim Standards”). The Interim Standards were published on 17 July 2020, and Exempt Businesses are now required to implement personal data security measures that comply with those standards.
The Interim Standards set out the following minimum level of action to be taken by data controllers (“Required Measures”):
- restricting access to personal data, data storage and processing devices;
- determining the persons and the conditions for the authorisation of access to personal data;
- restricting access to personal data to authorized persons only;
- establishing procedures to prevent unauthorized access, removal of personal data, data storage or processing devices; and
- establishing procedures to retroactively verify access to personal data.
Data controllers must implement administrative, technical and physical safeguards for the Required Measures. Data controllers may opt to use personal data security standards which differ from the Required Measures, provided those standards are not lower than the Required Measures.
In addition to implementing the Required Measures, data controllers must also:
- notify their employees, staff and related persons of the personal data security measures they have introduced; and
- build awareness on the importance of personal data protection among their employees, staff and related persons to ensure strict compliance with the Required Measures.
As a result, merely introducing personal data protection arrangements that satisfy the Required Measures is not enough to satisfy the Interim Standards: Exempt Businesses must also ensure that their employees are aware of those arrangements.
Exempt Businesses therefore need to include their personal data protection arrangements in their employee compliance training programs, and those that are unable to demonstrate employee awareness of their personal data protection arrangements face potentially open-ended liability for negligence claims for data breaches that occur before 1 June 2021.
Exempt Businesses that properly implement the Interim Standards will reduce their liability for data breaches but should not lose sight of the fact that their personal data security measures will need to be completely compliant with the PDPA from 1 June 2021 onwards.
Rather than leaving full PDPA compliance until 2021, Exempt Businesses should use the remainder of the interim exemption period to expand their interim personal data security measures into fully compliant data privacy measures that satisfy the PDPA.
For further information on the PDPA in general, see our previous article.