A Royal Decree (Decree) to postpone enforcement of the substantive provisions of Thailand's Personal Data Protection Act (PDPA) by one year was approved by the Cabinet of Thailand (Cabinet) on May 19, 2020. The Decree will now need to be signed by the King of Thailand and published in the Royal Thai Government Gazette (Gazette), which will mark its official passage. This news comes at the 11th hour as the PDPA was scheduled to come into force in a few days.
The PDPA was officially published in the Gazette on May 27, 2019 and became effective on May 28, 2019. All grace periods in the PDPA began from the May 28, 2019 date, so full compliance with the new requirements was to become mandatory on May 28, 2020.
The Decree defers most of the chapters of the PDPA by one year, except for chapters 1 and 4 prescribing the appointment of the members of the Personal Data Protection Committee (PDPC) and the establishment of the Office of the Personal Data Protection Committee. The Ministry of Digital Economy and Society is in the process of nominating the members of the Personal Data Protection Committee and preparing regulations addressing specific requirements of the PDPA.
Although the effective date of the PDPA may be delayed until May 2021, companies should not view this new development as an opportunity to stand down on developing their PDPA compliance programs. The delay will not change any of the substantive requirements under the PDPA.
In addition, the increasing use of online channels by consumers to purchase everything from face masks to take-out meals and the increased collection and use of employee data as more employees continue to work from home or begin to return to offices mean that companies need to incorporate these new pandemic-related changes into their current privacy and data governance programs. It also means that companies need to remain vigilant in protecting consumer, employee, and other sensitive information. Cyber-criminals never stand down and many are exploiting the current environment to target companies and their employees to gain access to personal and other information. A significant data breach at your company can result in adverse publicity in normal times. Any such news during the current pandemic may prove to be even more damaging to your company's reputation and invite regulatory scrutiny.
Companies should not wait until 2021 to develop personal data inventories, draft PDPA-compliant privacy notices, operationalize the PDPA's new data subject consent requirements, implement the PDPA's new data subject rights, and adopt the myriad of other new processes and procedures that will be needed to ensure compliance with the PDPA. Companies should also begin preparing now to be able to notify the PDPC as of the new PDPA effective date of any data breach affecting personal data within 72 hours after discovery of the breach. The delay of the PDPA may have happened at the 11th hour, but your company's PDPA compliance program should not be developed at the 11th hour.