Many of you may have heard of, or already be familiar with, these four letters. PDPA stands for the Personal Data Protection Act, a law that touches almost all of us and is worth studying, and it is scheduled to come fully into force on 27 May 2020!
Why do I have to do PDPA?
In the Big Data era, data, and personal data in particular, has become a valuable asset. The PDPA therefore exists to give personal data enough protection to safeguard its owner (the data subject), to prevent violations of privacy rights, and to provide remedies for the data subject when personal data is misused.
Who needs to do PDPA?
This law applies to both the private and public sectors, whether natural persons or juristic persons, that collect, use, disclose and/or transfer the personal data of individuals in Thailand.
Such organisations must put management measures in place to protect other people's data from privacy violations, obtain consent from the data subject before collecting, using or disclosing personal data, maintain a personal data security policy, and create and maintain records of processing activities.
Penalties under the PDPA
– Administrative fines of up to 5 million baht
– Criminal penalties of imprisonment for up to 1 year
– Civil liability for actual damages, with punitive damages of up to twice the actual damages
P.S. If the offender is a juristic person, its directors or the persons responsible for its operations may also be held liable.
1. Personal data: information that can identify a person, whether directly or indirectly, such as first name, surname, telephone number, ID number, address, and device or tool identifiers. It does not include data about deceased persons.
2. Sensitive personal data: for example sexual behaviour, health data, political opinions, religious beliefs, etc.
Such data carries security risks: identity theft, tracking and stalking, spam, or the sale of the data to a third party without the data subject's consent.
Rights of data subjects
The core idea of the Personal Data Protection Act is to grant the data subject the following rights:
– Right to withdraw consent
– Right to be informed
– Right to access, obtain a copy of, or have disclosed how their personal data was obtained
– Right to object to the collection, use or disclosure of their personal data
– Right to request erasure or destruction of their personal data
– Right to request that the use of their data be suspended
– Right to file a complaint if the controller or the processor does not comply with this Act
– Right not to be subject to decisions based solely on automated processing
– Right to data portability
When a data subject exercises one of these rights, the organisation must complete the request within 30 days.
How do we start PDPA?
– Assess how the PDPA applies to the organisation
– Assign the various responsibilities
– Establish contracts, agreements and policies that ensure data security; their content must be easy to read, concise, easy to understand and not misleading
– Prepare security protection for the various systems
– Make employees in the organisation understand the law, both its impact and how to cope with it
Finally, obtain the data subject's consent to process the data.
Persons in charge / roles
– Data Controller: a person or juristic person with the authority to make decisions about the collection, use or disclosure of personal data. The controller must have appropriate security measures in place and review them regularly.
– Data Processor: a person or juristic person that collects, uses or discloses personal data on behalf of, and on the instructions of, the controller (a different person from the data controller).
– Data Protection Officer (DPO): if the organisation processes large volumes of data or sensitive data, it must appoint a DPO. At this time it has not yet been determined whether certificates or qualifications are required, but the DPO can be someone within the organisation, responsible for coordinating, inspecting, advising on and overseeing personal data protection in particular.
Impact of a data leak or insecure data
– Loss of credibility
– Opportunity cost
– Disadvantage in market competition
– Loss of customer confidence, especially where sensitive data is involved
Summary of PDPA
PDPA, the Personal Data Protection Act, requires that the collection, use, disclosure and transfer of personal data be based on the data subject's consent, unless another legal basis permitted by law applies. Consent must be freely given, clear and specific, and the data subject can withdraw it at any time. The organisation must act on a data subject's request within 30 days, and if personal data is breached it must notify the data subject within 72 hours.