A royal decree drafted to postpone the enforcement of most sections in the Personal Data Protection Act (PDPA) by a year will be tabled before the cabinet for approval next week, says the Digital Economy and Society (DES) Ministry.
The PDPA was published in the Royal Gazette in May last year, but was scheduled to come into force on May 27 after a one-year grace period.
Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors who use personal data must receive consent from the data's owners and use it only for expressed purposes.
Putchapong Nodthaisong, deputy permanent secretary for DES, said the ministry will ask the cabinet on Tuesday to approve the decree.
The legislation will defer almost all the chapters in the PDPA act by one year, except for chapters 1 and 4, which involve the appointment of the members sitting in the Personal Data Protection Committee and the establishment of the Office of the Personal Data Protection Committee.
The drafted decree is under consideration by the Office of the Council of State.
The deferral would ward off complaints, especially among small and medium-sized enterprises that might not be prepared for the legislation, he said. Major enterprises, telecom and SET-listed companies are mostly aware of the law.
According to Mr Putchapong, the DES has appointed members for the PDPA Committee, but still requires cabinet approval.
“We hope to see the first meeting of the PDPA committee by this June,” he said.
The committee will have to set up a sub-panel to iron out related standards and other regulations, expected to be wrapped up one year after the PDPA committee is formed.
“The DES Ministry also intends to carry out public hearings on matters pertaining to the regulations,” said Mr Putchapong.
Paiboon Amonpinyokeat, legal expert and founder of P&P law firm, said businesses still need to get ready for three important issues regardless of the delay.
First, consent platforms where firms can inform data owners about the purpose of the usage of their data and get consent need to be set up, he said.
Second, businesses need to appoint data protection officers and adjust their organisational structure by gathering a team of IT, legal and human resources to cope with the PDPA.
Third, they need to prepare a notice to inform data owners how they used their data prior to the enforcement of the PDPA.
The government needs to urgently iron out related regulations to serve as guidelines for businesses to comply with, Mr Paiboon said.