DES Ministry upbeat on rollout of PDPA
Full enforcement of law from June 1
The Ministry of Digital Economy and Society (DES) has expressed confidence there will be no further delay in the full enforcement of the Personal Data Protection Act (PDPA), slated to take place on June 1, while the Personal Data Protection Committee is expected to be finalised this month.
"We don't see any major reasons to postpone the full enforcement of the PDPA following two years of delay due to the pandemic, apart from some legal technical problems, though the chance of this remains minimal," Wetang Phuangsup, deputy permanent secretary for the DES and secretary-general of the Office of Personal Data Protection Committee, told the Bangkok Post.
The DES Ministry is aware that the PDPA may cause some burden for related parties in terms of compliance but the ministry is trying to ensure the impact will be minimal with better personal data protection.
"This law will create transparency and accountability for personal data handling," he said.
The DES Ministry considers data as a key element for the country's development strategy while businesses are capitalising on data to create revenue.
"We will make sure the PDPA will not become an obstacle for businesses," Mr Wetang said.
Over the past two years of the PDPA's postponement, the DES Ministry has been drafting 29 regulations aligned with the PDPA, including 10 treated as priority.
By the end of this month, the Personal Data Protection Committee is expected to be established, he said.
"We have to select another person to fill the position in the committee as the one who we previously selected decided to leave," Mr Wetang said, adding the list of members of the committee is expected to be published in the Royal Gazette this month following cabinet approval.
The committee will be responsible for considering all related regulations linked to the PDPA.
The 10 urgently needed regulations include consent format for personal data usage, process of data usage and data protection measurements.
There will also be the personal data protection guidelines for personal data controllers and personal data processors in seven sectors, covering healthcare, retail and e-commerce, education, logistics, travel, property and asset management as well as state agencies and administration.
A public hearing of up to 4,000 stakeholders on the issue has been conducted, Mr Wetang noted.
In terms of penalties, there could be a reprieve in some groups, such as those with personal data of less than 100 people, but this needs to be considered by the new committee.
According to Mr Wetang, once the committee is established, there must be a clear practice on how people can lodge a complaint with the PDPA office when their data is misused.
Organisations handling personal data are obliged to report leaked data within 72 hours and inform data owners.
Wetang Phuangsup, deputy permanent secretary and acting secretary general of the Office of Personal Data Protection Committee.
The organisations responsible for data leakage could face a fine by the PDPA office and a civil suit filed by those affected.
The PDPA will require minimum security measures to protect personal data.
Under the PDPA, data protection officers must be appointed by organisations as a contact person with authority and they are obliged to contact the authorities within a stipulated time when the incident occurs, said Mr Wetang.
"As the PDPA is scheduled to come into force on June 1, this will be a wake-up call for firms to gear up for data protection," he said.
"Consumers will have more confidence in using services while small businesses with small record of personal data would get a reprieve."
- Personal Data Protection Act