At pimaccounting, our Data Privacy, Data Protection, and PDPA consultants offer cutting-edge, practical and effective solutions for all your PDPA, privacy and cyber security challenges – no matter how small or large your organisation.
Pre-audit with our PDPA consultant (FREE)
Assessing current data collection practices
Gaining consent
Be ready for data breaches
Make a plan and seek support if needed
Define & Measure
Review processes, procedures & policies
Detailed Project Action Plan and Schedule
Communication Kick-Off material
High-Level PDPA Gap Analysis & Advisory
Data Classification and Mapping
Conduct interviews with key staff impacted
Improve to future state
Process Flows for Data Subject Rights Execution, Data Breach Management, Data Retention Monitoring and Outsourced Vendors Review
Amendment of Process Flows related to PDPA, integrated into existing Processes/SOPs
Data Subject Rights Request Form
Vendor Due Diligence Checklist
DPO and Committee Establishment Plan
PDPA IT Compliance Report
The Electronic Transactions Development Agency (ETDA) has issued guidelines on best practices to protect personal data as follows:
Identify Personal Data
Establish an understanding of the overall strategy for personal data protection, covering both the company's sensitive data and personal data, according to the PDPA. Thereafter, identify the scope of data to be protected, develop a model data structure and categorize the data.
Identify how data is being used
Search, analyze, and categorize data into different types regularly. Establish an understanding about the data environment, structure, and lifecycle to determine the most effective data protection measures.
Identify the baseline of sensitive data protection
Set up a baseline to protect sensitive data of the company and personal data, according to PDPA. Evaluate the control processes and measures required, as well as perform risk assessment and gap analysis to identify solutions and risk mitigation.
Plan, design, and implement data protection
Plan and prioritize measures to protect the company's sensitive data and personal data, both technical and strategic. Thereafter, design and implement preventive measures to secure such data. Most importantly, the protective measures must be aligned with business growth targets.
Monitor and protect sensitive data
Develop a data governance framework, risk metrics, and monitoring processes to ensure that practice guidelines and control measures are working properly and achieving their objectives. In addition, review the strategy and data protection measures regularly.
Smart PDPA Solutions for Smart Companies
For any questions, queries or advice about our data protection and PDPA services, please do not hesitate to contact us in English, French, German or Thai.
With Thailand’s Personal Data Protection Act set to come into effect on May 27th, organisations across the country must ready themselves to comply with the new regulations. Being adequately prepared entails understanding the PDPA and effectively communicating its implications to everyone in the organisation who has access to personal data. However, due to the pandemic, the effective date of Thailand’s PDPA has been postponed until 1 June 2021.
What are the penalties?
The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class-action lawsuit. The director of a company could also be subject to penalties under the PDPA.
What is considered personal data and sensitive data?
Personal data is any information relating to a person which enables that person to be identified. The PDPA imposes stringent requirements on the collection and storage of sensitive personal data, which includes personal data pertaining to:
Racial or ethnic origin
Religious or philosophical beliefs
Trade union memberships
Sexual orientation or preferences
The collection of sensitive personal data without the express consent of the data owner is prohibited, except in certain circumstances, such as medical emergencies or as required by law.
What is a cross border data transfer?
In the event that a data controller sends or transfers Personal Data to a foreign country, the destination country that receives such Personal Data shall have adequate data protection standards, unless an exemption applies (e.g. the data subject has consented to the transfer of the Personal Data to a country whose data protection standard is not adequate, or the transfer is required for compliance with the law). The guideline on what constitutes an adequate data protection standard is yet to be issued.
What is a Data Processor?
A person or entity that collects, uses, or discloses personal data in accordance with the orders of the data controller.
What is a Data Controller?
A person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.
What is a Data Protection Officer?
The Data Protection Officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Sections 5, 6 and 30-41 of the Thai Personal Data Protection Act (PDPA). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation.
About our PDPA expert
Our experienced and certified DPO, GDPR and PDPA consultants help you to make the transition process to Pimaccounting extremely easy. With your consent, our liaison team will deal directly with your previous service provider during the transition to Pimaccounting. All you need to do is contact us so that we can take care of the rest.
For any questions or specific requests, please contact us.
We provide outsourced data protection, PDPA consultation, statutory auditing, bookkeeping, payroll and BOI consulting.