Grace period for businesses to meet PDPA
Legal panel to mull subordinate rules
A grace period is going to be offered to small businesses trying to meet the minimum security requirements of the Personal Data Protection Act (PDPA), which is scheduled to be fully enforced starting in June, according to the Personal Data Protection Committee.
"The PDPA will come into force on June 1, but some sectors will receive a grace period to comply with the law to minimise the impact on their operations," said Thienchai Na Nakorn, chairman of the committee, which held its first meeting on Feb 10.
"We are in the process of appointing a legal subcommittee to consider subordinate regulations under the PDPA."
At least four subordinate laws have been categorised as a priority to ensure smooth enforcement, including minimum security requirements.
Minimum security requirements will be determined according to sectors and a grace period will be given to small businesses, Mr Thienchai said, without elaborating on the criteria for eligibility for the grace period.
Wetang Phuangsup, acting secretary-general of the Office of the Personal Data Protection Committee, said other necessary subordinate regulations cover the qualifications and roles of data protection officers and cross-border data transfers. The committee office still needs a secretary-general and staff, while another panel needs to be set up to oversee the office's operations, he said.
Mr Thienchai stressed the principle of the PDPA is to combat personal data misuse, as people's consent is required before their personal information is used. The act must be properly explained to allow for compliance, as there have been more than 1,000 queries seeking consultation about the law, he said.
For consumer protection, there need to be tools or measures that can track who sells user data to third parties, said Mr Thienchai.
Individuals who see their personal data used publicly without permission can file civil lawsuits against violators instead of the committee taking action, he said. The committee is focused on data processors and controllers of organisations.
"Careful legal interpretation of enforcement is required to prevent the creation of an incorrect standard," Mr Thienchai said.
He said the main principle of the act balances rights and freedom, personal data protection and business operations.
"We have to acknowledge data is important for business, marketing and the economy today, but we need to ensure personal data is neither misused nor exploited," Mr Thienchai said.
The PDPA will make it easier for foreign firms to invest in Thailand as Europe already has the General Data Protection Regulation, he said.
Data collected by many online service operators is stored outside the country, and it is important to determine how to enforce the PDPA against violators with offices overseas, said Mr Thienchai.