Push for more data protection officers

Job helps entities with compliance

Mr Udomtipok says a DPO must provide knowledge to organisations regarding the PDPA and coordinate regarding personal data protection operations with the PDPC office.

Around 20,000 enterprises and state agencies are required to have data protection officers (DPOs) this year to help them avoid possible compliance failure with the Personal Data Protection Act (PDPA).

The PDPA took effect on June 1 last year and governs data protection. It sets requirements for data controllers and data processors, including both public and private entities, on how to receive consent from data subjects before processing, collecting or disclosing personal data.

The law also requires organisations subject to the law to have DPOs, or they could face a fine of up to 1 million baht.

The Personal Data Protection Commission (PDPC) in July issued an announcement requiring certain state agencies to have a DPO. The announcement took effect on Oct 15.

The commission also announced on Sept 14 that organisations were required to have a DPO, with the measure taking effect on Dec 13.

Udomtipok Phaikaset, founder of PDPA Thailand Co and chief executive of DBC Group, said DPOs have a role to play in helping organisations, as described in Section 42 of the PDPA.

DPOs provide knowledge and advice to organisations to ensure their compliance with the PDPA, while also checking an organisation's collection, use or disclosure of personal data to ensure it complies with the law.

These officers also coordinate with the PDPC if there are problems related to the collection, use or disclosure of data, while maintaining the confidentiality of personal information.

PDPA Thailand Co is a provider of consulting, review, training and testing to manage personal data risks for businesses.

The company is an affiliate of the DBC Group.

REQUIREMENTS

Among the three groups of organisations that must have a DPO are government agencies. The second group includes agencies or corporations that need to regularly check personal data, or those that hold a lot of personal information.

The third group is organisations that use sensitive information or special information, according to Section 26 of the PDPA, such as providers of healthcare services.

Mr Udomtipok said the PDPC office announced a list of 65 state agencies that fall into the first category.

He said at least 10,000 enterprises fall into the second category.

In addition to government agencies, other organisations that must have a DPO include medical facilities, life insurance companies, insurance agencies, job recruitment companies, agencies that provide all types of personal loans, companies with electronic membership systems, department stores, companies that sell products online, and companies that provide data or information services in an electronic system.

Mr Udomtipok said the law does not specify the required qualifications for a DPO, such as level of education or depth of knowledge.

As a DPO helps organisations comply with the PDPA, they should have good knowledge and understanding of the laws, he said.

These officers should also understand what kind of personal data an organisation collects and uses, and have knowledge of information technology systems related to their work and data security, said Mr Udomtipok. DPOs should also be able to communicate with internal and external parties.

"The DPO does not have to be a lawyer or an IT professional, but they must not have a conflict of interest in terms of their job responsibilities," he said.

In some organisations, a DPO cannot work alone because they have many tasks. Therefore, a competent DPO must have interdisciplinary knowledge, Mr Udomtipok said.

Many organisations may create a new DPO position or may have several staff form a working group to carry out the task, or even outsource the task to a third party, he said.

Mr Udomtipok said around 300 complaints related to PDPA compliance had been recorded at the PDPC office over the past year, with 70 cases resolved through administrative orders.

Sukris Koyakradej, chief of data protection consultants at DBC Group, said the group teamed up with PDPA Thailand and the Digital Skills Development and Testing Institute (DDTI) to create a "DPO in Action" course to meet the needs of all organisations.

The course prepares DPOs to have in-depth knowledge of, and to comply with, the PDPA, reducing the possibility of risks or mistakes.

The course was designed to provide participants with knowledge and understanding of the principles, theories, laws, practices and case studies through e-learning formats and classroom lectures and exchanges.

Personal practice is also encouraged to truly develop the necessary skills required to perform as a DPO, according to DBC Group.

The course content refers to the DPO training course announced by the PDPC office.

The DBC Group also has a DPO online service to meet the needs of organisations that are not ready to employ a full-time DPO, or whose DPO still lacks knowledge or expertise during the initial stages.

PDPA Thailand has a cooperation network of more than 50 experts in the field of personal data protection, a so-called "Core Trainer Team" from the DDTI.
