Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020
By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee, Yoon & Yang
The Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) was enacted on May 27, 2019. Prior to the end of the original one-year grace period for full enforcement of the PDPA, a Royal Decree was issued which prescribed a list of organisations and businesses that would be temporarily exempted from enforcement. The list was so extensive and the choice of words so overarching that all legal practitioners agreed that it was designed for all business operators and other types of entities as well. Hence, we were effectively given a second grace period which will end on May 31, 2021. Although the enforcement was postponed for another year, all business operators are required to arrange and maintain security and protection of personal data as prescribed by the Ministry of Digital Economy and Society (“MDES”).
The MDES issued the Ministerial Notification Re: Standards of Security Protection of Personal Data, B.E. 2563 (2020), with an effective date from July 18, 2020 until May 31, 2021. The descriptions therein regarding notification and safety requirements are comparatively generic and do not prescribe specific standards, applications, or technical measures. Furthermore, the notification itself is thought to be effectively unenforceable given the grace period that has already been announced. It, therefore, is seen as a hybrid message to the operators to remind them to be mindful of this law and that the regulatory environment will be tougher in the coming months. Therefore, operators should start to plan their compliance.
Nevertheless, due to the current lack of specific guidelines, rules, and other regulations, only some business operators have commenced an internal process to prepare themselves for the law. Preparation would include undertaking internal due diligence and gap analysis to learn about how personal data comes into each of their business arms, where such data is stored and transferred to, and how each entity within their commercial loop treats and utilises such data. This would also require instituting use of internal and external documents, including many types of personal data policies, consent forms, ad hoc notices, and specific-purpose standards of operations, guidelines, and protocols. Some operators, however, have stated that they want to wait for more supplementary regulations from the Personal Data Protection Committee, as they feel that the PDPA will need supplementary regulations to make it whole and fully functional. This would include supplementary regulations about country and organisation white lists, categorical exemptions, thresholds for necessity to have a data protection officer, guidelines on offshore transfer rules, etc.
Based on our experience working with numerous clients to achieve compliance with data protection laws and regulations, one of our key takeaways is to avoid being over-complacent. Operators should note that the internal preparation process to comply with the PDPA will take several months. Firstly, the self-due diligence or gap analysis may take one to three months. Pinpointing the issues found during that exercise, deciding how to plug the gaps with suitable documentation (with the appropriate facts included therein), and then creating and revising the documents takes at least one or two months. Operators will then have to deal with implementation, which will necessitate training so that management and staff can familiarise themselves with the new processes. Lastly, it may be necessary to recalibrate how the different IT applications and systems work. Given the time required to complete these steps, the remaining time until the end of the grace period on May 31, 2021 is short. Operators should further note that although it is true that the law will not be fully functional without supplementary regulations, a majority of its provisions can, and certainly will, be fully or at least partially enforceable on their own, for example the requirements on notification, attainment of a lawful basis, consent, liaison with data subjects, and security of storage. Even certain sections that currently seem less than clear, such as those on offshore transfer, may be quickly completed by official consultation with, and approval by, the Personal Data Protection Committee.
We, therefore, do not recommend that operators wait, and suggest that they undertake internal preparations to the extent that they can as soon as possible. This would eliminate risks posed by certain provisions becoming immediately enforceable on June 1, 2021, and avoid the operator being scrutinised or prosecuted by the authorities for such breach.