Deloitte Thailand, the leading professional services provider of audit and assurance, consulting, financial advisory, risk advisory, tax and legal, and related services to public and private clients spanning multiple industries has launched PDPA Readiness Survey.
With the increased collection and use of personal data, management and privacy of data is a growing concern for businesses across all sectors. More importantly, the introduction of the Thailand Personal Data Protection Act B.E.2562, “Thai PDPA”, will officially come into affect in June 2022 after two years of postponements, in order to create greater transparency and accountability whilst handling personal data. Even though the delay has allowed businesses more time to prepare for the new regulations, it will nonetheless change the privacy landscape for businesses dramatically.
In October 2021, Deloitte Thailand conducted a Thai PDPA readiness survey across a sample of organisations and industries in Thailand. The aim of this survey was to understand how organisations are preparing for Thailand’s PDPA compliance, how far along their implementation plans are and what challenges they may be facing along the way. The majority of respondents came from the Consumer industry (40%) followed by Financial Services industry (27%). Overall, more than half of the respondents consisted of larger sized companies with an employee headcount of 500 and above.
The results of the survey indicate that industries are differing in their implementation speed and timeline of compliance activities. Financial Services is currently leading the way ahead of other sectors, in becoming fully compliant and ready in time for June 2022. 81% are already fully compliant or expect to be by March 2022, due to the fact that the industry is already highly regulated, with strong backing from the Bank of Thailand in protecting the personal data of bank customers.
The main driver of PDPA compliance activities are the threat of lawsuits if there is a personal data breach, along with reputational damage and loss of consumer trust. Most of the focus is placed on those drivers that are driven by regulations, rather than the associated benefits. Failure to comply with these aspects means that the organisations can face high costs.
45% of total respondents expect significant benefits from Thai PDPA compliance. However, when compared by industry, around 80% of those from Financial Services and Life Sciences and Health Care expect limited or no benefits outside of regulatory compliance. The nature of data that these two industries deal with is highly sensitive, and there are already strict regulations in place whilst handling this data.
Integrating new policies and processes into business operations, followed by interpreting the PDPA requirements were selected as the top challenges amongst all industries, during the implementation of PDPA compliance activities.
“A clear understanding of the new rules will allow companies to prepare responsibly and thoroughly for the privacy obligations that form the core of the Thai PDPA. Business owners need to approach data protection and privacy in a holistic manner, to ensure all aspects are covered, and in the best interest to serve customers and fuel the future growth of the business” said Mr. Somkrit Krishnamra, Partner, Risk Advisory.
Mr. Anthony Visate Loh, Partner, Tax and Legal, added “Before the PDPA becomes effective, readiness from a legal perspective should be given a high priority so that the business operators could run their businesses with confidence and to build trust with both their internal personnel and external parties, e.g., their customers. At Deloitte, we look into legal perspective that could go along with business, not only what the law requires but also what and how the law would enable a business to create an opportunity to grow.”
“Addressing the Thai PDPA and broader data protection laws and regulation requires a holistic transformation program, combining Technology, Legal, Compliance and Organization workstreams to ensure end-to-end compliance and data protection”, said Mr. Somkrit.