1. Recruit or appoint a Data protection Officer (DPO):

This new profile has the mission of managing the compliance of the organization but it is also the privileged interface between the PDPC, the company and the subcontractors.

2. Make an inventory of the processing of personal data:

* Identify personal data, sensitive data and their flows.
* Identify existing treatments and verify their compliance.
* List who has access to this data and identify the reason why they have access to it.
* List all the treatments analyzed in the register of treatments.
* Identify and control subcontractors and external service providers working from the company’s personal data and review subcontracts.
* Verify that the processing applied by the subcontractors/service providers, in paper and/or digital format, complies with the PDPC (access, informed and unambiguous consent of the data subject and retention period).
* Take stock of archiving practices and retention periods for HR personal data.
* Ensure hr and HRIS solutions comply with the PDPA

3. Implement a corrective action plan

4. Inform employees and obtain their consent

Beyond the constraint it seems to represent, the PDPA can contribute to improving the company’s performance, but also the trust and well-being of employees, provided that tools, methods and processes are streamlined.

The digital transition has already considerably disrupted the field of HR activities in recent years. Compliance accentuates this transformation, pushing decision-makers to optimize processes and pay particular attention to HR information systems. Thanks to these new priority challenges, HRDs will be able to decompartmentalize their organization, strengthen the quality of their cooperation with their suppliers and subcontractors. And with the clear personal data management policy, take care of their reputation and the attractiveness of their employer brand.

#data #hr #pdpa #compliance #dataprotectionofficer

Thailand’s Personal Data Protection Act or PDPA is all set to come into full effect from 1 June 2022. Companies based in Thailand will have to comply with the Personal Data Protection Act (PDPA).

The legislator has provided for certain flexibilities. However, the compliance requires latecomers to produce a precise compliance plan. Among the various functions of the company, Human Resources Departments (HRDs) are most impacted by this new regulation and the obligations that result from it. This is because the HRDs, collect, process, and archive a significant volume of personal data. An apparent difficulty that can be transformed into a performance lever, thanks to adapted methods and tools.

Reminder of the PDPA issues that will be faced by the HRDs:

The PDPA obliges anybody managing the personal data of citizens to report to the supervisory authority, within couple of hours, any infringement of which it is aware. Companies failing to comply with regulations can get fines up to 5 million baht or even a sentence in prison. These coercive measures are taken to protect the Thai citizens from data theft or hacking and potential identity theft.

The issues of compliance then appears crucial for companies. If this approach concerns the company as a whole, the HRDs are particularly impacted by the volume and diversity of personal data that it manages through its various HR processes.

To date, it is estimated that 70% of companies are not yet compliant with the PDPA. If the PDPC, the supervisory body, has indicated that it will take this into account and may show some flexibility. However, it will only do so on the strict condition that the company is able to demonstrate that it is fully committed to the process.

An impact on the entire field of HR activities:

The HRD’s contribution to the compliance process is major and essential. Consequently, it is imperative to take into account all of its activities to put in place an effective action plan and guard against any risk of default. The HRD that largely manipulates data – fishing, recruitment, administrative management, training, evaluations, payroll, reporting – must, within the framework of the PDPA, review its methods of managing, securing and storing personal data. The rationalization effort will have to focus on all stages of the process, but also on the training and awareness of the employees concerned. The company’s subcontractors and suppliers are also concerned and must provide the guarantee of their PDPA compliance or an ongoing compliance process.

In view of all these aspects, we understand the need for HRDs to be able to rely on “PDPA compliant”, HR solutions, providing all the guarantees of data processing in accordance with the modalities defined by the legislator.

Next in our series of articles about PDPA we have how one can comply with this change in regulations. To know more about the PDPA and how to comply, follow our LinkedIn page and website.

#pdpa #hr #data #compliance

The Thailand Personal Data Protection Act or PDPA is set to come into force on June 1, 2022.

Lim and Partner – PRAXI Alliance is all set to start a new series of articles about the impact of the Personal Data Protection Act, both from organizational and recruitment point of view. The Personal Data Protection Act 2019 was published, on 27 May 2019, in the Royal Thai Government Gazette. The PDPA is the very first consolidated law governing data protection in Thailand.

To know more about the act, and how one can comply with it keep an eye on our LinkedIn page and website, and follow our weekly series of articles on this act.

Lim and Partner is a part of the Praxi Alliance Network; our objective is, to share and convey what we know about the Thai market and companies from our experience and expertise to our European partners.

#pdpa #thailandpdpa #personaldataprotection #network #data #law