PDPA Compliance Program

IT COMPLIANCE

Importance

What is the PDPA?

  • PDPA is Thailand’s first consolidated data protection law. It applies to all organizations that handle Thai personal data — including customer, employee, and vendor information — regardless of size or industry.

  • The PDPA came into full enforcement on 1 June 2022 and is overseen by the PDPC (Personal Data Protection Committee).

Why It Matters to Your Business

  • Legal Requirement — Non-compliance may result in penalties, including fines (up to THB 5 million), civil liability, and criminal charges.

  • Client & Partner Expectations — Large customers, banks, and vendors increasingly expect SMEs to show PDPA compliance before doing business.

  • Operational Clarity — Clear policies and data handling processes reduce errors, protect your team, and improve daily operations.

  • Reputation & Trust — Customers are more aware of their privacy rights. Businesses that respect and protect personal data earn long-term trust.

Scope of Applicability

Who will have to comply?

  • All organizations established in Thailand — whether large corporations, SMEs, or startups

  • Organizations outside Thailand that collect, use, or transfer personal data of individuals in Thailand

This includes businesses that handle data from customers, employees, vendors, or third-party platforms — in any format, online or offline.

PDPA Key Compliance Areas

To comply with the PDPA, organizations should be able to demonstrate the following:

  • Maintain a personal data inventory that shows what data you collect, how it’s used, stored, and shared.

  • Collect personal data only when necessary, with a clear legal basis (e.g. consent, contract, legal obligation).

  • Consent (if required) must be freely given, specific, informed, and unambiguous — and can be withdrawn at any time.

  • Provide a clear notice at the time of data collection, explaining the purpose, use, and disclosure of personal data.

  • Enable individuals to access, correct, delete, or object to the use of their personal data in line with PDPA Data Subject Rights.

  • Implement reasonable and appropriate security measures to protect personal data from loss, unauthorized access, or misuse.

  • Ensure that vendors, processors, and international data transfers meet PDPA requirements.

  • In case of a data breach, notify the regulator within 72 hours, and notify the data subject if the risk is high.

Deliverables

What are the deliverables?

  • Gap Analysis & Roadmap: Risk assessment, Data flow mapping, Action plan

  • Documentation Kit: Privacy notices, Consent forms, Breach notification templates, Data inventory template, DPA agreement template, Policy localization

  • Awareness Training: Training slides, Staff handbook, Case-based Q&A

  • DPO Advisory (optional): Role setup, Compliance checklist, Reporting templates, Regulatory updates