Despite threats that the Personal Data Protection Act (PDPA) would be coming into force in June 2022, Thailand’s Personal Data Protection Committee has changed its mind and given small-to-medium-sized enterprises (SMEs) a grace period to comply with the Act’s requirements.
This comes as a relief for smaller businesses which, since the Act was legislated in 2020, have continuously expressed their concerns about complying with its provisions, pleading financial hardship and economic difficulties caused by the COVID-19 pandemic. As discussed in our infographic, PDPA means significant investments in technology, systems, and staff – all of which are out of reach of many SMEs struggling with COVID-19 travel restrictions, and in an economy where the timing of recovery is uncertain.
While the government acknowledges that gearing up towards compliance may be daunting for smaller businesses, it recognises the importance of consumers owning their personal data. While granting a grace period for small businesses can be seen as a compromise, the move does little to address the fundamental issue SMEs have about PDPA compliance – the lack of resources, training, awareness, and qualified personnel.
Better support for SMEs is needed to make the most out of the PDPA rollout
Despite widespread publicity around the upcoming Act, many SMEs in Thailand still don’t know their obligations under the PDPA and the significant penalties for non-compliance. This isn’t unusual, as an EU survey conducted by GDPR.EU in 2019 found that approximately half of SMEs in Spain, the United Kingdom, France, and Ireland were not GDPR compliant a year into its implementation. According to employers’ organisations, the initial rollout of the regulation disproportionately disadvantaged SMEs as they faced greater difficulties in assessing whether they were data controllers or processors, implementing control systems, finding qualified personnel to monitor these systems, and having sufficient legal understanding to inform customers of their rights and obligations under the Act.
SMEs in Thailand face similar challenges during the rollout of the PDPA, and many are rightly concerned about possible fines and penalties if they fail to comply with the upcoming legislation, especially since many of them have limited budgets to implement the changes. While there has been extensive coverage of the PDPA, a one-size-fits-all approach to advising businesses fails to take into consideration variations in size, technical ability, and access to legal expertise. This not only unfairly puts smaller businesses at a disadvantage, but also defeats the idea of a consistent approach to protecting personal data.
Granting SMEs a grace period undoubtedly gives them a much-needed respite and time to comply with the upcoming regulations. However, this alone will not be enough to give SMEs the support they need to comply with the Act. Hopefully, regulators will adopt a multistakeholder approach and consider new ways to ensure that enforcement is inclusive of all businesses, regardless of size.
At Silk Legal, we have advised many clients on the most cost-effective and efficient means of complying with the upcoming PDPA. The worst situation is delaying compliance until it becomes urgent and additional money and resources are needed to put together a response. We suggest a considered approach to PDPA compliance starting with an audit of information usage and process and a phased systems and technology overhaul. SMEs have had this last-minute reprieve but should not expect another.