Everything about PDPA that Startups need to know!
22 July 2022

# Let’s review: how does the "Personal Data Protection Act" relate to business people?

In the era of digital business, many businesses have succeeded by driving the organization with data, using it to design products and services that satisfy the needs of consumers.

It is also certain that when information gets attention and is used as a business tool, some of it may be misused, personal information in particular. As of November 2020, there had been 8.8 billion data breaches worldwide, making data protection a concern in many countries, including Thailand, where the PDPA has been enforced.

The Personal Data Protection Act, or PDPA, is a law established to protect the security of personal information by not allowing the collection, use, disclosure or transfer of personal data without the consent of the data subject.

Also, those who are authorized to collect personal data have a duty to secure the information. Moreover, data subjects are allowed to withdraw their consent at any time by a simple and convenient method.

Personal data is information specific enough to identify the subject of that data, whether in the form of documents, paper, books or electronic records, e.g., name and surname, ID card number, address, telephone number, email address, LINE ID, etc. It also includes sensitive personal data, such as ethnicity, political opinions, mental health information, criminal records, etc.

Violation of the PDPA is liable to criminal penalties, civil penalties and administrative fines.

  • Criminal penalties: imprisonment of up to 6 months to 1 year, or a fine of up to 500,000 to 1 million baht, or both.
  • Civil penalties: compensation plus punitive damages of up to double the actual damages.
  • Administrative fines of up to 1, 3 or 5 million baht.

PDPA, an important variable that forces startups to adapt

When digital technology and data are used as tools for business competition, the data subject's personal information becomes a valuable asset that needs protection. The impact is that business people and startups have to adjust, and "PDPA" has therefore become a new standard of doing business. Let's look at the main points where we need to pay attention and adjust.

- Obtain information rightfully

As a data collector, we may only collect personal information from the data subject, not from other sources. The data subject has the right to withdraw that consent at any time, and the data collector must also explain the impact of withdrawing consent.

  • Always seek written consent from the data subject.
  • Inform the data subject of their rights and notify them of the purpose of collecting the data.
  • Withdrawing consent must be as easy as giving it.

- Who's who in the use of personal information?

Any business that collects data internally or externally is subject to the PDPA. Three roles are involved across all parties, divided as follows:

  • Data Subject - the person who can be identified from the information.
  • Data Controller - the person with decision-making authority over the collection, use and disclosure of personal information.
  • Data Processor - the person who acts on the instructions of the "Data Controller" to use or process the information, e.g., a market research company or a cloud service provider.

What has changed now that the PDPA applies?

- Legal aspects: PDPA violations bring not only the most severe fines; the data subject can also file class action lawsuits against the data collector if the data collection does not comply with the data security agreement or standards.

- Business partner aspects: From now on, business collaborations with other partners require both parties to comply with the same level of data security standards, whether at the domestic or international level.

- Customer aspects: Consumers are increasingly aware of the importance of personal data. A business that pays attention to the PDPA therefore builds confidence and demonstrates security, resulting in trust in using its service.

PDPA readiness checklist for startup businesses!

  • Make an inventory of the personal information the business needs from both customers and employees, with the reasons for its use and the ways it may be used.
  • Know whether your business is a Data Controller or a Data Processor.
  • Study the business implications of violating the PDPA, such as legal risks or lost business opportunities.
  • Provide appropriate methods for notifying customers and requesting their consent to collect data.
  • Publicize and raise awareness of the PDPA in your organization.

Next, once everything is ready, let's look at which aspects of the organization need to be adjusted or added to its operating methods.

People

- Appoint a Data Protection Officer (DPO).

- Organize training to raise awareness and understanding of information security among personnel within the organization.

Process

- Prepare data mapping covering everything from where data is stored to the scope of its use.

- Set a privacy policy covering personal information.

- Prepare legal documents such as consent request forms and documents for exercising the rights of data subjects.

- Conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate risks in data security.

Technology

- Install a breach notification system.

- Use technology to enhance data protection according to the size and needs of the business.

We hope to help everyone get ready and run their business smoothly by understanding and implementing the PDPA effectively. Those interested in becoming a partner of AIS The StartUp, to receive great benefits and business advice, can visit www.ais.co.th/thestartup