Some 70% of SET-listed companies are prepared for the Personal Data Protection Act (PDPA) related to capital market compliance, according to a survey conducted by the Securities and Exchange Commission (SEC).
The most prepared groups of companies are those involved with asset management, credit ratings, initial coin offering portals and digital asset trading exchanges, said the SEC.
The PDPA, which has seven chapters and 96 sections, was published in the Royal Gazette in May 2019. The law was due to be enforced on May 27 following a one-year grace period, but the cabinet postponed the enforcement by an additional year to give the public and private sectors time to prepare their internal processes and ease the financial burden arising from the pandemic.
The legislation mandates data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.
Once implemented, listed firms must uphold personal data protections in accordance with the international law on personal data privacy.
Kaipichit Ruengsrichaiya, director of data management and analytics at the SEC, said there are still many businesses, including those outside the capital market, that still need to prepare for the PDPA.
The SEC sent a questionnaire to 276 companies making up 14 types of business under the market regulator's supervision. These included securities companies, asset management companies, funding portals, digital token portals, auditors and digital asset exchange operators.
Some 192 companies indicated they were prepared for the PDPA. There were 10 evaluation topics, including preparing top executives, notifying the details of personal data protection, preparing consent forms, exercising the rights of personal data owners and appointing personal data protection officers.