Thailand Personal Data Protection Act
Comply with key PDPA provisions
Complying with Thailand’s Personal Data Protection Act
Published in the Government Gazette, May 27, 2019, Thailand’s Personal Data Protection Act (B.E. 2562 [2019]) addresses the collection, use and protection of personal data and puts in place remedial measures for data subjects whose personal data protection is violated. The PDPA applies to organizations located in Thailand, whether they collect and use the data in Thailand or not. It also applies to organizations located outside of Thailand, if they offer goods and services to data subjects in Thailand, or if they conduct monitoring of data subjects’ behavior in Thailand.
Thailand’s PDPA is based on the EU’s General Data Protection Regulation (GDPR), but it is not the same. So, being in compliance with GDPR does not ensure compliance with PDPA. Enterprises operating in Thailand or with Thai residents should review the PDPA to ensure compliance.
One way to ensure compliance is to make sure personal data your organization holds is protected through cryptographic pseudonymization techniques, such as tokenization, and that the underpinning cryptographic keys are protected by storing and managing them in FIPS and Common Criteria certified Entrust nShield® hardware security modules (HSMs).
Entrust can help you comply with many of the specific requirements of Thailand’s PDPA.
Regulation
The Data Controller shall have the following duties:
- Provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data….
- In the circumstance where the Personal Data is to be provided to other Persons or legal persons, apart from the Data Controller, the Data Controller shall take action to prevent such person from using or disclosing such Personal Data unlawfully or without authorization;
- Put in place the examination system for erasure or destruction of the Personal Data when the retention period ends, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the data subject has requested to do so, or when the data subject withdraws consent….
The Personal Data Processor shall have the following duties:
- Prepare and maintain records of personal data processing activities in accordance with the rules and methods set forth by the Committee.
The data protection officer shall have the following duties:
- Keep confidentiality of the Personal Data known or acquired in the course of his or her performance of duty under this Act.
Compliance
Entrust’s Professional Services team has developed a customized tokenization solution that secures personal information. The Entrust solution addresses the following PDPA requirements:
- Securing personal data. The solution converts plain text data to tokens that cannot be traced back to the original data. To further secure the data, access to the solution is controlled by cryptographically based user authentication, and the underpinning cryptographic keys are stored and managed in FIPS and Common Criteria certified Entrust nShield hardware security modules (HSMs).
- Protecting legally shared personal data from disclosure. The Entrust solution can partially mask data before sending it to third-party entities to maintain data confidentiality.
- Destroying personal data when retention periods end. When data retention times expire, token keys can be easily removed from Entrust nShield® HSMs, thus destroying the original data.
- Preparing and maintaining records of personal data processing. The Entrust solution provides logs of tokenization, de-tokenization, and masking calls for audit reference.
Resources
Compliance Brief: Complying with Thailand’s Personal Data Protection Act
Thailand’s Personal Data Protection Act addresses the collection, use and protection of personal data and puts in place remedial measures for data subjects whose personal data protection is violated. Learn how Entrust can help your organization comply with several provisions of the Thailand PDPA.
Brochures: Entrust nShield HSM Family Brochure
Entrust nShield HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Available in three FIPS 140-2 certified form factors, Entrust nShield HSMs support a variety of deployment scenarios.