Thailand has enforced its very own Personal Data Protection Act – or PDPA – which essentially provides individuals with control over how their data is collected, processed, and used. Sangfor has already created a comprehensive guide to the PDPA Thailand exploring its components and how it functions. However, in this blog article, we focus on the comparison between the Thai PDPA law and the European General Data Protection Regulation (GDPR).

Established in 2018, the GDPR is considered one of the toughest privacy and security laws in the world. While it was drafted and passed by the European Union, the law imposes obligations onto organizations anywhere that target or collect data related to people in the EU. Generally, the law issues mandatory rules for how organizations must use personal data in a way that conserves its integrity.

On the other hand, the Personal Data Protection Committee – or PDPC – is the official regulator of the PDPA law in Thailand. The PDPA website defines the law as being helpful in enforcing policies, keeping personal information safe, and reducing privacy violations. Now, let’s take a look at how the older GDPR compares to the newer PDPA of Thailand.

PDPA vs. GDPR

The Thai PDPA law draws inspiration from the European GDPR and is mostly based on the EU privacy regulations. While the two legislations are similar in many aspects, they do also differ across many as well. For example, the PDPA was drafted with consideration for Thailand’s diverse landscape of businesses – with certain exemptions in place to support small- and medium-sized enterprises in mitigating the compliance burden. With assistance from One Trust Data Guidance Regulatory Research, we’ve outlined some of the key similarities and differences between the EU GDPR and the Thai PDPA.

Concept of European GDPR vs PDPA Thailand

Legal Basis for Data Processing

Similarities: Both laws have similar provisions regarding the legal basis for processing. Both the GDPR and the PDPA list consent, performance of a contract, legal obligations, legitimate interests, and vital interests as legal bases.

Differences: None.

Extraterritorial Scope

Similarities: Both laws can be applied to controllers and processors outside of their respective countries. Organizations outside of Thailand that process personal data, offer goods and services to, or monitor the behavior of people in Thailand must abide by the law.

Differences: None.

Controllers and Processors

Similarities: The GDPR and the PDPA are similar concerning the scope and responsibilities of data controllers and data processors. Both laws include corresponding definitions and obligations regarding compliance with data subject rights, data breach notifications, record keeping, security measures, and appointing a data protection officer ('DPO'). Both also require data controllers to implement appropriate security measures and notify supervisory authorities of data breaches.

Differences: While the GDPR specifically provides for Data Protection Impact Assessments ('DPIAs') in certain circumstances, the PDPA outlines that data controllers are obliged to provide appropriate security measures and review them when it is necessary, or when the technology has changed to effectively maintain the appropriate security and safety standards.

User Rights

Similarities: Both laws provide user rights - including the right to erasure, the right to be informed, the right to object, the right to data portability, and the right to access. They also allow data subjects to request that their personal information be deleted in specific cases.

Differences: What differs between the laws is how these rights are applied – this includes the forms of request and the response timelines. The GDPR states that data controllers must reply to a data subject’s request within one month - with a two-month extension if necessary. The PDPA, however, has no extension period. Furthermore, under the right to erasure, the GDPR states that data controllers must reply to the data subject’s request for erasure within one month of receipt, but the PDPA provides no timeline.

Definitions

Similarities: The GDPR and PDPA both have a broad definition of personal data - referring to any information relating to an identifiable or identified person. Both laws also define a Data Controller as a person or entity that determines the purposes and means of processing personal data, and a Data Processor as a person or entity that processes personal data on behalf of the controller.

Differences: The definition of 'personal data' in the GDPR is much more detailed - specifically including IP addresses and cookie identifiers. While the PDPA states that a data subject has the right to anonymize their personal data, it does not define anonymized or pseudonymized data – as the GDPR does. The GDPR explicitly excludes anonymized data from its scope and defines pseudonymized data as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.’ - clarifying that such data is subject to the obligations of the GDPR.

Personal Scope

Similarities: Both the GDPR and the PDPA laws protect living persons concerning the use of their personal data, and apply to data controllers, as well as data processors.

Differences: While the GDPR applies to public bodies, the PDPA excludes public authorities that maintain state security from its scope. This covers financial security and the security of the state or public safety - including the duties for the prevention and suppression of money laundering, forensic science, and cybersecurity.

Penalties

Similarities: Both the GDPR and the PDPA provide monetary and administrative penalties for violations.

Differences: Unlike the GDPR, non-compliance with the PDPA could result in imprisonment for a term not exceeding one year. The PDPA also outlines both criminal and non-criminal penalties, whereas the GDPR only outlines administrative penalties for non-compliance. PDPA penalties include a possible prison sentence of up to 6 months and administrative fines of up to THB 5 million. GDPR penalties, however, could incur an administrative fine of up to €20 million or 4% of annual turnover, whichever is greater.

Research

Similarities: Under the GDPR, the processing of sensitive data is not prohibited when necessary for research purposes – given that measures have been taken to safeguard the fundamental rights and interests of the data subjects. Similarly, the PDPA outlines that any collection of certain types of data is prohibited without explicit consent except where it is for scientific, historical, or statistical purposes – given that measures have been taken to safeguard the fundamental rights and interests of the data subjects.

Differences: The GDPR provides specific rules for the processing of personal data for research purposes. This involves data minimization and anonymization. The PDPA, on the other hand, does not include specific rules for the collection, use, and disclosure of personal data for such purposes – requiring only that 'suitable measures are put in place.’ Additionally, the GDPR provides a definition of scientific research, while the PDPA does not.

Data Transfers

Similarities: Both the GDPR and the PDPA provide restrictions and exceptions to the cross-border transfer of personal data to a third country or international organization. These transfers must be made based on legitimate grounds or following an adequate level of data protection as prescribed by the relevant authority.

Differences: While the GDPR states that cross-border transfers are allowed based on international agreements, the PDPA does not specifically address transfers made to comply with a court judgment or the order of another country’s authority. The GDPR further recognizes cross-border transfers made from a register that is intended to provide information to the public. The PDPA, however, does not recognize cross-border transfers made from a register.

Data Protection Officer Appointment

Similarities: The GDPR and the PDPA both require data controllers and data processors, including their representatives, to designate a Data Protection Officer. The nature and scope of the DPO's tasks are included under both the GDPR and the PDPA.

Differences: While the GDPR says that a DPO must be appointed whenever a public body carries out data processing, the PDPA only requires specific public bodies to appoint a DPO.

Data Security and Breaches

Similarities: Both the GDPR and the PDPA include an obligation for data controllers and data processors to adopt strong security measures to mitigate security breaches.

Differences: While the GDPR states that data processors must notify the data controller of a breach without undue delay, the PDPA does not specify a timeline for notification.

Data Processing Records

Similarities: Both the GDPR and the PDPA have imposed an obligation on data controllers and data processors to record their processing activities. For both laws, this obligation also applies to the representative of a data controller.

Differences: The GDPR prescribes a list of information that a data controller must record, including international transfers of personal data, the identification of the third countries or international organizations involved, and the documentation of the suitable safeguards adopted. However, the PDPA does not specify a list of processing information that a data processor must record.

While it’s important to know the differences in regard to the PDPA vs. GDPR, it’s also crucial to know how you would end up in hot water with the PDPA Thailand.

What Violates the Thailand PDPA?

The PDPA is very straightforward when it comes to the penalties imposed for violations. Typically, any violation of the law could result in fines of up to THB 5 million – or US$ 145,000. Businesses can also face criminal penalties and might be forced to cease all data processing activities. Violations of the PDPA include:

  • The use or disclosure of user data without consent.
  • Failure to inform data subjects of data collection, processing, or access.
  • The collection of special personal data without explicit consent.
  • Failure to maintain records of data processing.
  • Failure to report a data breach notice within 72 hours of becoming aware of the breach - if it is likely to result in a risk to the rights and freedoms of data subjects.
  • Failure to appoint a Data Protection Officer (DPO) to oversee processing.
  • Failure to implement adequate cybersecurity measures. This includes the lack of comprehensive endpoint or network security. Sangfor Endpoint Secure, a modern Endpoint Protection Platform (EPP), can be used to prevent this violation by fortifying compliance with a combination of antivirus, Endpoint Detection and Response (EDR), and endpoint management. Additionally, Sangfor’s Network Secure firewall provides 99% elimination of external threats at the network perimeter.
  • Failure to adhere to PDPA data transfer policies.

Now, to avoid these violations, organizations simply need to remain compliant with the standards put out by the PDPA.

How to Stay Compliant with the Thai PDPA?

Sangfor has discussed the key requirements and compliance standards of the PDPA in detail in a previous article. However, compliance can be simple enough when your company prioritizes data integrity. Remaining compliant with data privacy laws ensures that companies are legally protected from penalties, lawsuits, and other legal repercussions. Compliance also demonstrates a trustworthy and responsible reputation to customers, the government, and investors. Here are some of the main ways to remain compliant with the PDPA of Thailand:

  • A critical component of PDPA compliance involves investing in the correct infrastructure and platforms to contain and secure data. For reinforced cloud protection, Sangfor’s Hyper-Converged Infrastructure (HCI) and Cloud Managed Services (MCS) are the ideal choice to stay compliant while providing efficient cloud computing.
  • Companies need to update privacy policies and cookie policies to meet all requirements for properly informing users about data collection.
  • Organizations must implement a consent management platform that uses a functional consent banner to allow users to easily access opt-in and opt-out options – meeting the requirements outlined by the law.
  • The official PDPA website also offers advisory services from PDPA experts on legal matters, management, work processing, and software issues related to personal data protection.
  • Making it easy to receive and respond to requests from users exercising their rights, for example by adding a Data Subject Access Request (DSAR) form to your site.
  • Investing in intensive cybersecurity platforms that actively prevent cyber threats. Sangfor’s Anti-ransomware service can be used to proactively detect and mitigate ransomware threats in just 3 seconds. Additionally, Sangfor Secure Access Service Edge (SASE) will provide enhanced cloud security compliance by integrating advanced security tools that ensure continuous user authentication, encrypted traffic inspection, and policy enforcement. This allows organizations to seamlessly meet regulatory standards while ensuring processing efficiency.
  • Enacting effective data recovery solutions. A key factor of compliance is disaster recovery and fortunately, Sangfor has an effective disaster recovery management plan that outlines the procedures and protocols during an incident to ensure business continuity and reduce data loss.

Staying compliant with the PDPA is easier than it looks and organizations need to understand their role in data security. The key differences between the GDPR and PDPA provide a broad overview of how data integrity should be maintained on a global scale. However, while these laws and legislation exist to protect users, they need to be upheld by organizations in their respective countries to remain effective. Compliance with both the PDPA Thailand and GDPR can come from investing in robust cybersecurity measures and secure infrastructure.

Sangfor Technologies offers a variety of different services that pointedly ensure data safety and regulatory compliance for organizations. These platforms work seamlessly to prevent your company from ending up on the bad end of a lawsuit or penalty. Contact Sangfor today to see how we can help you or visit www.sangfor.com for more information.
