Bangkok Post

Tougher PDPA enforcement

The Personal Data Protection Act came into effect on June 1.

The Personal Data Protection Act (PDPA) came into effect on June 1, 2022, amid expectations the country will improve its standards for personal data protection, in line with the international community.

The Personal Data Protection Committee (PDPC) insisted it would not resort to punishment for the first year of implementation, giving the public and businesses time to prepare and understand the law.

The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.

Siwaruk Siwamogsatham, secretary-general of the PDPC, said after one year of enforcement, the focus will shift to finding a balance between people's data protection and organisations' related practices.

Organisations are encouraged to follow the law to earn trust from users and create unique value for businesses, he said.

The regulation on rules and principles for personal data breach notification, under the PDPA, was published in the Royal Gazette on Dec 15, mandating that organisations that are aware of data breaches must notify the authorities within 72 hours.

Regarding concerns over punishment, Mr Siwaruk said the severity of the punishment depends on intent.

If organisations intend to sell people's personal data or lack proper security measures to protect very sensitive personal data, such as health records, the punishment could be prison sentences, he said.

Regarding fines, the PDPC will not resort to maximum fines, but will consider incidents case-by-case, taking into account the degree of damage and how many times the offences occurred, said Mr Siwaruk.

Organisations need to have data protection officers (DPOs) as a contact point to report incidents and oversee the data protection process, he said. They can assign IT managers or outsourced firms to run the services.

In 2023, Mr Siwaruk said the PDPC will devise a regulation that mandates organisations handling sensitive data, such as those in health and insurance businesses, have DPOs. He said organisations must have a clear data protection policy and data storage process, as well as proper measures to control access to personal data to fend off hackers and prevent human errors that can cause breaches.

Mr Siwaruk said the PDPA focuses on measures to prevent personal data breaches rather than punishment.

In the first quarter of 2023, the PDPC will prepare complaint channels, including digital methods, with complaint forms to fill in, he said.
