PDPC preps further minor regulations

PDPC preps further minor regulations

Move aims to allay compliance concerns

Mr Chaiwut pointed out that the Personal Data Protection Act is meant to protect people from the misuse of their data and level up data security.
Mr Chaiwut pointed out that the Personal Data Protection Act is meant to protect people from the misuse of their data and level up data security.

The Personal Data Protection Committee (PDPC) is set to roll out more subordinate regulations to clearly define the practices for Personal Data Protection Act (PDPA) compliance to ease concerns among businesses.

Meanwhile, businesses are urging the government to consider issuing tax incentives that would support their compliance.

They shared their views at a seminar on compliance with the PDPA jointly organised on Monday by the Thai Chamber of Commerce (TCC), the Board of Trade, the Digital Economy and Society (DES) Ministry and University of the Thai Chamber of Commerce (UTCC).

The PDPA was enforced on June 1 following two years of postponement partly due to the pandemic.

Speaking at the seminar, DES Minister Chaiwut Thanakamanusorn said the PDPA and Cybersecurity Act are important pieces of legislation to level up confidence among foreigners doing business with Thailand and drive the economy.

"We believe within the next 4-5 years, the digital economy will contribute 30% of GDP, making us the digital 'Silicon Valley of Asia'," he said.

The PDPA is meant to protect people from misuse of their data and level up data security, Mr Chaiwut said. "It does not intend to create a burden for businesses," he added.

Wetang Phuangsup, deputy permanent secretary for the DES Ministry and acting secretary-general of the PDPC, said six subordinate laws have been implemented since the PDPA came into force last month.

Another two regulations are set to be rolled out in early August, he said. One concerns a guideline on how to seek consent from data subjects and another involves a guideline on how to notify data subjects about the purposes and details of personal data collection.

Udomtipok Phaikaset, secretary-general of the Federation of Thai SMEs, said the government needs to consider providing tax incentives for small and medium-sized enterprises that have to invest in PDPA compliance.

SMEs seeking to comply with the PDPA should be entitled to double tax deduction, he added.

Paiboon Amornpinyokiat, an advisor for the PDPC secretary-general, said businesses no longer need to seek consent to use data from data subjects once they have such a written agreement in contracts with customers.

However, if the businesses need to use personal data for new purposes, they need to seek new consent.

The law goes against people who intend to expose the "sensitive data" of others, such as information regarding their health conditions, religion and sexual preference, and the court of justice will deliberate their intentions.

Regarding administrative fines of up to 5 million baht for PDPA violations, Mr Paiboon said a reprieve is being given at present during the transitional period.

"The PDPA is not intended to overrule other specific laws, such as those used in the banking and financial sectors, security authorities and media, which already have their code of practices," he said.

He insisted the PDPA aims to facilitate the digital economy rather than erect hurdles for businesses.

Atip Bijanonda, vice-chairman of the Board of Trade, said accelerated efforts should be made to roll out subordinate laws to ease concerns among businesses in terms of PDPA compliance.

They are afraid of being abused from non-compliance, he said.

He said the criteria for the punishment could be made clear in the written guidelines without the need to use discretion as business executives are now concerned about imprisonment.

He also threw support behind the issuance of the double tax deduction for businesses investing in order to comply with the PDPA.

Supakorn Kungpisdan, managing director of Cyber Elite, a cybersecurity solution provider, said businesses need to comply with the PDPA to level up their data security defence and risk assessment for data breaches.

"Businesses need to have procedures in place to respond to incidents in line with the PDPA and Cybersecurity Act," he added.

Prapanpong Khumon, deputy dean of the UTCC's School of Law, said a PDPA readiness survey conducted by UTCC and TCC in March showed only 8% of 3,000 organisations said they had fully complied with the PDPA.

Businesses now need to make sure their call centres and frontline staff understand the PDPA so they can respond to customers' requirements based on the PDPA, including demanding to revoke businesses' right to use their personal data.

"The PDPA is about data protection management, making sure the operators secure data. This can also show businesses' intention of pursuing legitimacy and responsibility," Mr Prapanpong added.

Do you like the content of this article?

J&J to end all sales of talc-based baby powder

Johnson & Johnson says it will stop selling talc-based baby powder globally in 2023, more than two years after it ended US sales of a product that has drawn thousands of consumer safety lawsuits.


Australian pleads not guilty at Myanmar junta trial

An Australian economist detained by Myanmar's junta has pleaded not guilty to breaching the colonial-era official secrets act, a source close to the case said on Friday.


Public warned against fake government websites

People are being warned to remain vigilant against websites imitating the homepages of government agencies with the intent to steal sensitive data and carry out financial scams.