Getting Started with PDPA Compliance in Thailand
Date: 29-05-2026
Key Points on HR Data, Privacy Policies, and System Updates that Japanese IT Managers Should Know
One of the early challenges faced by Japanese professionals newly assigned as IT managers at Thai subsidiaries is how to comply with Thailand's Personal Data Protection Act (PDPA). The PDPA is modelled on concepts similar to the EU's GDPR (General Data Protection Regulation) and differs in many respects from Japan's Act on the Protection of Personal Information, so approaches used in Japan cannot always be applied as-is.
Although personal data protection may seem like the responsibility of legal or HR departments, in practice it is closely tied to IT functions such as system operations, cloud management, access control, backups, and vendor management. This article outlines the key PDPA points that IT managers should understand upon assignment in Thailand.
1. What is Personal Data?
Under Thailand’s PDPA, personal data refers to any information that can directly or indirectly identify an individual. Examples include names, email addresses, phone numbers, employee IDs, attendance records, performance evaluations, IP addresses, and cookie identifiers.
HR systems may also handle sensitive personal data such as medical checkup results, fingerprints, or facial recognition data. Such sensitive data is subject to stricter rules, typically requiring explicit consent from the data subject.
2. Key Initial Checks for HR Data Management
After assuming the role of IT manager, the following points should be reviewed first:
- What data is collected and for what purpose?
Understanding what personal data the company collects and the purposes of collection is fundamental to PDPA compliance. Corporate systems often contain a wide range of personal data, including information on customers, business partners, and employees.
It is essential to verify that:
- The purposes of data collection are properly communicated to individuals (e.g., through privacy policies), and
- Only the minimum necessary data is collected in line with those purposes.
- Who has access?
Confirm that access rights in HR and IT departments are not broader than each role requires, and that the accounts of former employees are deactivated promptly at termination. The security measures the PDPA requires expect access to personal data to be limited to those who need it for their work.
- Where is the data stored?
Even if operations are conducted in Thailand, personal data may actually be stored in Japan headquarters or abroad via cloud services. Cross-border transfers of personal data are subject to PDPA restrictions, making it critical for IT departments to understand where data resides.
- Are vendor contracts in place?
If employee data processing is outsourced (e.g., payroll providers, cloud vendors, or developers), data processing agreements compliant with the PDPA are required.
3. The Starting Point: Privacy Policy
When thinking about PDPA compliance, many focus first on obtaining consent. However, in practice, the foundation is the preparation of a proper privacy policy.
The PDPA requires organizations to inform individuals—before or at the time of data collection—about:
- What personal data is collected
- The purposes of use
- Retention periods
- Whether data will be shared with third parties
- The rights of the data subject
In practice, this information is documented as a privacy policy and presented via websites, apps, HR systems, and application forms, with consent obtained where consent is the legal basis the organization relies on for that processing.
For IT managers, a critical task is ensuring that actual system operations match what is described in the privacy policy. Examples of inconsistencies include:
- Stating that employee data is managed within Thailand while actually storing it in overseas cloud systems
- Indicating deletion one year after termination while retaining data indefinitely
- Having policies for employees but none for job applicants or individuals captured by surveillance cameras
In such cases either the privacy policy or the actual operation must be revised so that the two match.
4. Risks During System Changes
Data breaches are more likely to occur not during normal operations but during periods of change, such as:
- System updates
- Data migration
- Adoption of new cloud services
- Outsourcing to external vendors
Examples include:
- Using real employee data for testing by external vendors
- Leaving Excel files containing former employee information in shared folders
The PDPA requires appropriate security measures to be maintained, so such technical changes are the moment to review them. IT managers should proactively check access controls, test data handling, backup processes, and vendor management before the change goes live.
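The first example above, real employee data handed to an external vendor for testing, has a standard technical remedy: pseudonymize the export before it leaves the company. The script below is an added illustration written for this article, not code from the original page or from any vendor. It assumes a simple JSON-style HR export with the field names shown; the employee records are constructed for the example, and the HMAC key is a placeholder that in practice would come from a secrets store and never be shared with the vendor. The design point a practitioner should take from it is the allow-list: every column is classified (pseudonymize, synthesize, generalize, keep, or drop), an unclassified column aborts the export, and a final check confirms that no original identifier or sensitive value survives in the output.

```python
"""Pseudonymize an HR export before handing it to a vendor test environment."""
import hashlib
import hmac
import json

# Constructed sample HR export; all values are invented for this example.
EMPLOYEES = [
    {
        "employee_id": "TH-10021",
        "name": "Somchai Jaidee",
        "email": "somchai.j@example.co.th",
        "phone": "+66-81-000-0001",
        "department": "Finance",
        "hire_date": "2019-03-11",
        "salary_thb": 65000,
        "health_check": "BP 140/90, follow-up required",
        "fingerprint_template": "AAAAB3NzaC1yc2EAAAADAQABAAABAQ",
    },
    {
        "employee_id": "TH-10377",
        "name": "Kanokwan Srisuk",
        "email": "kanokwan.s@example.co.th",
        "phone": "+66-89-000-0002",
        "department": "Production",
        "hire_date": "2021-08-02",
        "salary_thb": 38000,
        "health_check": "blood test: follow-up required",
        "fingerprint_template": "AAAAB3NzaC1yc2EAAAADAQABAAABAR",
    },
]

# Every column must be classified. An unclassified column is an error, so a
# field added to the HR system later cannot silently reach the vendor.
PSEUDONYMIZE = {"employee_id"}                    # keyed pseudonym, stable across tables
SYNTHESIZE = {"name", "email", "phone"}           # placeholders derived from the pseudonym
GENERALIZE = {"hire_date", "salary_thb"}          # coarsened but still usable for testing
KEEP = {"department"}                             # not identifying on its own in this dataset
DROP = {"health_check", "fingerprint_template"}   # sensitive data (health, biometrics): never exported
CLASSIFIED = PSEUDONYMIZE | SYNTHESIZE | GENERALIZE | KEEP | DROP

# Original values of these fields must not appear anywhere in the export.
MUST_NOT_LEAK = PSEUDONYMIZE | SYNTHESIZE | DROP


def pseudonym(key: bytes, value: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated).

    The key stays with the company, so the vendor can neither reverse the
    mapping nor brute-force it from the small employee-ID space.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "EMP-" + digest[:12].upper()


def mask_record(rec: dict, key: bytes) -> dict:
    """Return a vendor-safe copy of one employee record."""
    unknown = set(rec) - CLASSIFIED
    if unknown:
        raise ValueError(f"unclassified fields, refusing to export: {sorted(unknown)}")
    pid = pseudonym(key, rec["employee_id"])
    return {
        "employee_id": pid,
        "name": f"Employee {pid}",
        "email": f"{pid.lower()}@test.invalid",   # reserved TLD, cannot receive mail
        "phone": "+66-00-000-0000",
        "hire_year": rec["hire_date"][:4],        # year only: enough for seniority tests
        "salary_band_thb": (rec["salary_thb"] // 10000) * 10000,
        "department": rec["department"],
        # DROP fields are intentionally not copied.
    }


def verify_no_leak(originals: list, masked: list) -> bool:
    """Final check before handover: no original identifier or sensitive value
    may appear anywhere in the serialized export."""
    exported = json.dumps(masked, ensure_ascii=False)
    return not any(str(rec[f]) in exported for rec in originals for f in MUST_NOT_LEAK)


def mask_dataset(records: list, key: bytes) -> list:
    masked = [mask_record(r, key) for r in records]
    if not verify_no_leak(records, masked):
        raise RuntimeError("masked export still contains original identifiers")
    return masked


if __name__ == "__main__":
    # Placeholder key for the demo; in practice fetch it from a secrets store.
    demo_key = b"replace-with-key-from-secrets-store"
    print(json.dumps(mask_dataset(EMPLOYEES, demo_key), indent=2, ensure_ascii=False))
```

Because the pseudonym is keyed and deterministic, the same employee receives the same `EMP-` identifier in every exported table, so the vendor's joins and foreign keys still work without any real identifier leaving the company. Rotating the key produces an unlinkable new set of pseudonyms, which is useful when a vendor engagement ends.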
5. Incident Response: Reporting Within 72 Hours
In the event of a data breach, the PDPA generally requires notifying the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of it. Notification may not be required if the breach is unlikely to pose a risk to individuals, but it is recommended to consult and report through the official PDPC channel rather than make that judgement alone.
The IT department's immediate actions in case of an incident are straightforward:
- Contain the incident: revoke or block the affected access and prevent further damage
- Preserve logs and other evidence before rebuilding or restoring anything, then establish the facts
- Report promptly to legal teams and management so the 72-hour clock can be managed
Delays in initial response can result in serious reputational damage beyond legal penalties.
Conclusion
PDPA compliance is not solely the responsibility of legal or HR departments. For IT managers newly assigned to Thailand, the first step is to clearly understand:
- What personal data is handled
- Where it is stored
- Who has access
- For what purposes it is used
From there, organizations should establish and update privacy policies aligned with actual system operations. This serves as the foundation for effective PDPA compliance.
"NS Solutions" is a registered trademark of NS Solutions Corporation.
Other company and product names mentioned are trademarks or registered trademarks of their respective companies.