5 Best Practices for the Personal Data Protection Act (PDPA)

31 Mar 2020

The Personal Data Protection Act (PDPA) B.E. 2562 (2019) will be enforced upon all agencies and businesses from May 27th, 2020. The Electronic Transactions Development Agency (ETDA) has issued guidelines on best practices for protecting personal data, summarized as follows:

1. Identify personal data

Establish an understanding of the overall strategy for personal data protection, covering both the company's own sensitive data and the personal data defined under the PDPA. Then identify the scope of data to be protected, develop a data model, and categorize the data.

2. Identify how data is being used

Search for, analyze, and categorize data into its different types on a regular basis. Establish an understanding of the data environment, its structure, and its lifecycle in order to determine the most effective data protection measures.

3. Identify the baseline of sensitive data protection

Set up a baseline for protecting the company's sensitive data and the personal data covered by the PDPA. Evaluate the control processes and measures required, and perform a risk assessment and gap analysis to identify solutions and risk mitigations.

4. Plan, design, and implement data protection

Plan and prioritize measures, both technical and strategic, to protect the company's sensitive data and personal data. Then design and implement those preventive measures securely. Most importantly, the protective measures must be aligned with the business's growth targets.

5. Monitor and protect sensitive data

Develop a data governance framework, risk metrics, and monitoring processes to ensure that the practice guidelines and control measures are working properly and achieving their objectives. In addition, review the strategy and the data protection measures regularly.

For more information, please download “Personal Data Protection Laws and the Context of Personal Data Protection in Other Laws” from ETDA.