PDPA

Personal Data Protection Act, B.E. 2562 (2019)

About PDPA

The Personal Data Protection Act, B.E. 2562 (2019), also known as the PDPA, establishes a comprehensive legal framework for the protection of personal data in Thailand. It ensures that organizations handle personal information responsibly and securely, providing individuals with greater control over their data. The PDPA outlines the rights of data subjects, the obligations of data controllers and processors, and the penalties for non-compliance. By implementing this act, Thailand aims to enhance privacy protection and align with international data protection standards.

The PDPA also includes provisions for cross-border data transfers, requiring organizations to implement appropriate safeguards when transferring personal data outside Thailand. Additionally, it mandates the appointment of a Data Protection Officer (DPO) to oversee compliance with the act and handle data protection-related inquiries. The act came into full effect on June 1, 2022, and has since been instrumental in promoting data privacy and security in the country.

Type of Audit

  • Audit Scope

Advantages of PDPA Certification

  1. Regulatory Compliance: Avoids legal penalties and fines by adhering to local data protection laws.
  2. Enhanced Customer Trust: Builds confidence among clients and customers by demonstrating your commitment to data privacy.
  3. International Alignment: Aligns with global data protection standards, facilitating smoother international business operations.
  4. Competitive Edge: Differentiates your organization in the market as a trustworthy and responsible entity.
  5. Improved Data Management: Encourages better practices in handling and securing personal data.

Regulatory Compliance Audit Process

  1. Understand the requirements of PDPA B.E. 2562 (2019).
  2. Establish the scope, objectives and context of the organization in accordance with the PDPA B.E. 2562 (2019) requirements.
  3. Get Management Buy-in.
  4. Perform IT risk assessment activities.
  5. Implement controls to mitigate risks.
  6. Organize training for all relevant parties.
  7. Review and update mandatory documentation according to the PDPA B.E. 2562 (2019) requirements.
  8. Choose a non-accredited certification body, e.g., TUV NORD Thailand, to conduct a regulatory compliance audit against the OIC Announcement on Governance and Management of IT Risks of Life Insurance Companies, B.E. 2563 and/or the OIC Announcement on Governance and Management of IT Risks of Non-life Insurance Companies, B.E. 2563.