A royal decree drafted to postpone the enforcement of most sections in Personal Data Protection Act (PDPA) by a year will be tabled before the cabinet for approval next week, says the Digital Economy and Society (DES) Ministry.
The PDPA was published in the Royal Gazette in May last year, but comes into force on May 27 after a one-year grace period.
Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.
Putchapong Nodthaisong, deputy permanent secretary for DES, said the ministry will ask the cabinet on Tuesday to approve the decree.
The legislation will defer most of the chapters in the PDPA act by one year, except for chapters 1 and 4, which involve the appointment of the members sitting in the Personal Data Protection Committee and the establishment of the Office of the Personal Data Protection Committee.
The drafted decree is under consideration by the Office of the Council of State.
The deferral would ward off complaints, especially among small and medium-sized enterprises that might not be prepared for the legislation, he said. Major enterprises, telecom and SET-listed companies are mostly aware of the law.
According to Mr Putchapong, the DES has appointed members for the PDPA Committee, but they still require cabinet approval.
"We hope to see the first meeting of the PDPA committee by this June," he said.
The committee will have to set up a sub-panel to iron out related standards and other regulations, expected to be wrapped up one year after the PDPA committee is formed.
"The DES Ministry also intends to carry out public hearings on matters pertaining to the regulations," said Mr Putchapong.
Paiboon Amonpinyokeat, legal expert and founder of P&P law firm, said businesses still need to get ready for three important issues regardless of the delay.
First, consent platforms need to be set up, where firms can inform data owners about the purpose of the usage of their data and get consent, he said.
Second, businesses need to appoint data protection officers and prepare their organisation structure by gathering a team of IT, legal and human resources to cope with the PDPA.
Third, they need to prepare a notice to inform data owners how they used their data prior to the enforcement of the PDPA.
The government needs to urgently iron out related regulations to serve as guidelines for businesses to comply with, Mr Paiboon said.