Latecomers: How to comply with the PDPA?

1. Recruit or appoint a Data Protection Officer (DPO):

This new role is responsible for managing the organization’s compliance, and it is also the privileged interface between the PDPC, the company and the subcontractors.

2. Make an inventory of the processing of personal data:

* Identify personal data, sensitive data and their flows.
* Identify existing processing activities and verify their compliance.
* List who has access to this data and identify the reason why they have access to it.
* Record all the processing activities analyzed in the register of processing activities.
* Identify and control subcontractors and external service providers working from the company’s personal data and review subcontracts.
* Verify that the processing applied by the subcontractors/service providers, in paper and/or digital format, complies with the PDPC (access, informed and unambiguous consent of the data subject and retention period).
* Take stock of archiving practices and retention periods for HR personal data.
* Ensure HR and HRIS solutions comply with the PDPA.

3. Implement a corrective action plan

4. Inform employees and obtain their consent

Beyond the constraint it seems to represent, the PDPA can contribute to improving the company’s performance, but also the trust and well-being of employees, provided that tools, methods and processes are streamlined.

The digital transition has already considerably disrupted the field of HR activities in recent years. Compliance accentuates this transformation, pushing decision-makers to optimize processes and pay particular attention to HR information systems. Thanks to these new priority challenges, HRDs will be able to decompartmentalize their organization and strengthen the quality of their cooperation with their suppliers and subcontractors. With a clear personal data management policy, they will also be able to take care of their reputation and the attractiveness of their employer brand.


Reminder of the PDPA issues that will be faced by the HRDs

Thailand’s Personal Data Protection Act or PDPA is all set to come into full effect from 1 June 2022. Companies based in Thailand will have to comply with the Personal Data Protection Act (PDPA).

The legislator has provided for certain flexibilities. However, compliance requires latecomers to produce a precise compliance plan. Among the various functions of the company, Human Resources Departments (HRDs) are the most impacted by this new regulation and the obligations that result from it. This is because HRDs collect, process, and archive a significant volume of personal data. This apparent difficulty can be transformed into a performance lever, thanks to adapted methods and tools.

Reminder of the PDPA issues that will be faced by the HRDs:

The PDPA obliges anybody managing the personal data of citizens to report to the supervisory authority, within a couple of hours, any infringement of which it is aware. Companies failing to comply with the regulations can face fines of up to 5 million baht or even a prison sentence. These coercive measures are intended to protect Thai citizens from data theft or hacking and potential identity theft.

The issue of compliance therefore appears crucial for companies. While this approach concerns the company as a whole, HRDs are particularly impacted because of the volume and diversity of personal data that they manage through their various HR processes.

To date, it is estimated that 70% of companies are not yet compliant with the PDPA. The PDPC, the supervisory body, has indicated that it will take this into account and may show some flexibility. However, it will only do so on the strict condition that the company is able to demonstrate that it is fully committed to the process.

An impact on the entire field of HR activities:

The HRD’s contribution to the compliance process is major and essential. Consequently, it is imperative to take into account all of its activities in order to put in place an effective action plan and guard against any risk of default. The HRD, which handles large amounts of data – fishing, recruitment, administrative management, training, evaluations, payroll, reporting – must, within the framework of the PDPA, review its methods of managing, securing and storing personal data. The rationalization effort will have to focus on all stages of the process, but also on the training and awareness of the employees concerned. The company’s subcontractors and suppliers are also concerned and must provide a guarantee of their PDPA compliance or of an ongoing compliance process.

In view of all these aspects, we understand the need for HRDs to be able to rely on “PDPA compliant” HR solutions that provide all the guarantees of data processing in accordance with the modalities defined by the legislator.

Next in our series of articles about the PDPA, we look at how one can comply with this change in regulations. To know more about the PDPA and how to comply, follow our LinkedIn page and website.

Thailand’s PDPA and its effects on the HRD

The Thailand Personal Data Protection Act or PDPA is set to come into force on June 1, 2022.

Lim and Partner – Praxi Alliance is all set to start a new series of articles about the impact of the Personal Data Protection Act, from both an organizational and a recruitment point of view. The Personal Data Protection Act 2019 was published on 27 May 2019 in the Royal Thai Government Gazette. The PDPA is the very first consolidated law governing data protection in Thailand.

To know more about the act and how one can comply with it, keep an eye on our LinkedIn page and website, and follow our weekly series of articles on this act.

Lim and Partner is a part of the Praxi Alliance Network; our objective is to share and convey what we know about the Thai market and companies, from our experience and expertise, to our European partners.

People-centric attitude to data safety

Article by Wichayada Amponkitviwat

Source: Bangkok Post

Cyber attacks and ransomware have become crimes of modern digital society. Yet, in Thailand what is of new concern is the attack on government database sources — particularly those of state hospitals.

In September last year, Saraburi Hospital’s database was hacked and the attackers gained access to information of patients.

Last month alone there were two cases. In the first, hackers managed to crack into the database of a state hospital in Phetchabun and make a profit from selling the information of thousands of patients on the dark web. A week after, another hospital, the Bhumirajnakarin Kidney Institute in Bangkok, fell victim, with the hackers demanding a ransom in exchange for the records of 40,000 patients.

The cases again raise a red flag that data breaches can be caused by several factors — from deliberate ransomware attacks by hackers to human error such as failure to update security software or negligence of a personal data officer who may unknowingly open malware-infested emails, links or files. Therefore, even if an organisation has adequate security measures, there can still be the risk of a data breach caused by human error or other mistakes.

Today, government agencies get involved in many aspects of our lives, and they have collected important personal data from the “cradle-to-the-grave” whether it be information on health, social security and education. In other words, the government is one of the institutions that have a lot of our personal data.

The attacks on hospital computer systems affected not only the government but patients whose privacy and crucial personal data have been accessed. Sensitive personal data of individuals as well as staff of state organisations are protected by the Personal Data Protection Act 2019.

However, the real concern is how these state agencies collect and use public information. Many agencies tend to keep more personal information than necessary for performing their official duties or missions. Additionally, some agencies may maintain personal data in a way that does not meet security standards and therefore are exposed to higher risk from data breaches or attacks on computer systems. Another concern is the lack of setting access control measures which leads to unauthorised access to personal information, especially for electronic documents in office computers.

The current law is not of much help. The Personal Data Protection Act 2019, known as PDPA, is only partially enforced, and is also still unclear on many issues.

In May, the government approved a royal decree to postpone the full enforcement of the law until June 1, 2022, citing concerns about compliance among state and private organisations amid the pandemic.

Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors that use personal data must receive consent from data owners and use it only for express purposes.

Yet, the PDPA is unclear. One of the issues is that it is harder for state agencies to clearly understand their obligations and start implementing necessary measures or policies which are legally compliant with the law. For example, without a clear categorisation of personal data, officials cannot determine correctly what type of information can either be publicly used or transferred to other public agencies or which types of data are sensitive personal information that needs additional care and protection.

When it comes to having security measures, both systemic and technical security depends on the allocation of budget and finding appropriate personnel who can effectively operate and monitor the security systems. In practice, it may be impossible for some organisations to achieve adequate standards immediately because it requires a huge amount of budget and time to recruit personnel to perform such duties.

Therefore, in order for state agencies to have appropriate measures for their collection and use of personal data, the question is: What are the steps for setting up those appropriate measures?

State agencies that possess civilian data must provide appropriate and sufficient security measures. But without skilled and trained personnel with the relevant knowledge, there cannot be a proper security system. Therefore, building a good data protection system can start with creating knowledge and raising awareness about personal information for personnel in the organisation. This can begin with the management issuing policies and clear guidelines for their workforce to strictly follow. The guidelines should cover how personal data should be collected, protected, used, stored and destroyed.

In addition, a great emphasis must be placed on providing the correct knowledge, especially to officers whose primary task involves collecting personal data, such as for civil registration and passport issuance. Therefore, personnel engaged with such tasks must have great understanding and awareness in using the information in their task. For other less data-related tasks, such as disaster prevention and mitigation, and engineering department personnel, basic knowledge of the use of personal data may be sufficient.

Therefore, when designing guidelines and training courses to build a better understanding of personal data protection, it should be considered as creating a culture within the organisation that encourages employees to always treat the personal information of the people like it was their own.

Meanwhile, making employees more conscious of personal data protection and helping them understand it fully may require other tools, such as handbooks for guidance and documents with information about the law, guidelines and cases in other countries. If outside consultants are hired, the organisation must ensure that the staff within the organisation have opportunities to engage and work closely with them. The training staff will benefit from knowledge transfer and be able to continue the data protection duties and operation even when the outsourced services end.

The protection of personal data is not just about the issue of systemic and technical security. It also means raising awareness, understanding, and having the tools for staff to work effectively. Therefore, to create an excellent personal data protection system, the organisation must prepare its personnel to be ready and capable because the “personnel” will be the driving force that allows the organisation to have a good system.

Most SMEs under digital attack over past year

Source: Bangkok Post

Small and medium-sized enterprises (SMEs) in Thailand are vulnerable to cybersecurity threats, with 65% of them suffering from attacks over the past year, while malware and phishing are the top two threats, says Cisco, a global technology company.

“Thai SMEs have increased their pace of digitisation over the past 18 months. The more digital they become, the more attractive a target they are for malicious actors,” said Padd Chantaraseno, managing director of Cisco Thailand.

He was speaking during the recent unveiling of “Cybersecurity for SMBs: Asia Pacific Businesses Prepare for Digital Defence” study, which gauged 3,700 small and medium-sized businesses (SMBs) across 14 markets in Asia-Pacific, including Thailand.

The study found 65% of Thai SMEs surveyed said they suffered cyber incidents in the past 12 months, compared to 56% in Asia-Pacific.

Some 91% of the attacks on Thai SMEs came from malware, followed by phishing with 77% and denial of service (DoS) at 65%. A similar pattern was also seen at the regional level, Mr Padd said.

Some 49% of the Thai SMEs surveyed indicated they suffered cyberattacks because their cybersecurity solutions were not effective enough to detect or prevent the attacks.

For the cyberattacked SMEs, 47% said incidents over the past 12 months cost the business US$500,000 or more and 28% said the cost was $1 million or above.

In addition to customer data loss, the cyberattacks made local SMEs lose employee data, emails, intellectual property, financial records and sensitive business information, according to Mr Padd.

Some 56% of attacked companies said the incidents disrupted their operations.

The survey also found 81% of Thai SMEs indicated that downtime of more than one hour could cause severe disruption to their operations.

Some 29% pointed out that downtime of more than a day could lead to the permanent closure of their organisations, Mr Padd said.

According to Mr Padd, 13% of the respondents in Thailand said they were able to detect a cyber incident within an hour and 7% indicated they were able to find a solution to a cyber incident within an hour.

The survey also shows that 89% of local SMEs had increased their investment in cybersecurity since the start of the pandemic.

Who is a Data Protection Officer (DPO)?

A data protection officer or DPO is responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with the Personal Data Protection Act (PDPA) requirements. They help an organization apply the law and protect personal data.

Why do you need a Data Protection Officer?

The data protection officer participates from the earliest possible stage in all questions related to data protection. They are a contact person within the company and form a part of the working groups that deal with the data processing activities. With so much data around and companies being digitalized in many areas, data is prone to threats and vulnerabilities. A data protection officer ensures the safety of the data and is always alert to any kind of data breach.

The new date for Thailand’s PDPA is 1st June 2022.

How to find the perfect DPO for your company?

Our Services

Identify the perfect DPO for your company

We will find the perfect DPO for your company who will prepare for the implementation of Thailand’s Personal Data Protection Act (PDPA) for you and your company.

Training DPO

We also offer training services. We will train your employee(s) and develop the skills they require to be an efficient Data Protection Officer.

For more detailed information about our services please contact us at or call us at (+66) 0819202077.

This is a great opportunity for Companies in Thailand to be compliant with the new Thai Data Privacy law.

This project is a collaboration between Thai Market Leader in Data Destruction: ADD and Lim and Partner – Praxi Alliance, a member of World Top 40 Executive Search!

Why Is Market Research Important?
By Tasnia Rehnuma Mahmud, Market Research Analyst at Lim and Partner

Here at Lim and Partner, we provide Market Research and Expansion and Executive Search and Assessment consultancy services in Thailand. Our expertise also extends to various countries of South-East Asia, including Vietnam, Cambodia, Malaysia, Philippines, Indonesia, and Singapore.

One of our services is Market Research. If you are contemplating whether you should enter the Thai market or not, please allow us to help clear your doubts. But first —

Why is market research important at all?


Extensive market research helps you gain a better understanding of the market that you are trying to penetrate. It helps you know your target customers well and makes you aware of potential competition.


When you understand the market better, you can come up with the best business strategies to achieve your business goals. Detailed research helps you forecast market trends and where you might stand in the business in the next 5 to 10 years.


Knowing about your potential competitors not only gives you the opportunity to stay ahead of them but also helps you understand your own shortcomings and gives you room for improvement.


Market research focuses on customer needs and demands. Needless to say, it is important to keep your customers at the center of all that you do in business. Market research keeps you attentive to where you can improve your business strategy, customer service or product offering.


Research is a lot more than what it seems. It can act as an extremely powerful tool if used correctly. There is never an end to knowing more about something. However, market research is not limited to the points mentioned above. Use market research for employee engagement surveys, and to highlight performance or knowledge gaps and areas for potential growth. You can also use it to change strategies or expand your business. Research also helps you to explore other aspects of your business. All of this will open your company up to thinking about new methods, ideas, areas and tools, leading you to improve your business and take it to new heights.

Why should you choose Lim and Partner?

Here at Lim and Partner, we put our clients first. We are extremely attentive and empathetic towards our clients’ needs.

After we collect your requirements, we will conduct extensive research for you. This will include an industry and market overview in Thailand, customer analysis, competitor analysis, importation and exportation data, distributor profiles, importation and customs rules, tariffs, and taxes in Thailand, and a lot more according to your needs.

We provide both qualitative and quantitative data, through both primary (fieldwork) and secondary (desk) research.

Whether you are trying to enter a mass market or a niche market here in Thailand, our consultants have you covered.

Our expert consultant team will be open for questions and discussions throughout the time you are collaborating with us. They will be more than happy to answer your queries related to the market or business situation here in Thailand.

For more information you can always leave us a message. One of our consultants will get to you in no time!


Thailand PDPA – Personal Data Protection Act Postponed

The cabinet has approved the deferral of the full enforcement of the Thailand PDPA or Personal Data Protection Act (PDPA), slated for this June, by another year, explaining that Thailand is going through a difficult time with the pandemic and that the legislation’s related processes have yet to be settled.

The postponement request was forwarded by the Ministry of Digital Economy and Society to the cabinet meeting on Wednesday and the royal decree drafted to defer the enforcement was agreed upon, according to a ministry source.

Enforcement is pushed back to June 1, 2022.

The source said several procedures linked to the act have yet to be completed, including the appointment of the 16-member Personal Data Protection Committee.

According to the current status, the PDPA needs further adjustments and necessary regulations still need to be drafted, as many issues have been raised for consultation with regard to the PDPA since it came into effect. The main priorities on which the government intends to focus are as follows:

  • Supporting people’s access to innovation and technology,
  • Creating an ecosystem conducive to a digital economy,
  • Gearing up for digital infrastructure development, particularly 5G and smart city projects,
  • Legal development and enforcement to create a trusted digital ecosystem, especially for the PDPA and issues related to electronic transactions and cybersecurity,
  • Protecting the public from abuse on social media and the internet.

Source: Bangkok Post

5 Tips for an Efficient Day in Your Home Office

By Anoushka Kassam, Summit Recruitment & Search (Kenya)

As headhunters, we are constantly on the lookout to improve our processes and stay up to date with the newest trends in the market. As the global recruitment space develops, so do we, embracing all new possibilities with open arms.

One such development in the talent market is the heightened adoption of competency-based and personality tests to improve diversity and inclusion in recruitment processes. By using a range of personality assessments and customized interview questions, we have developed a thorough and seamless process that ensures we find the right fit from the most diverse candidate pools.

These assessments are interesting not only for recruiters, but also for clients and candidates alike. For candidates, using ‘competency’ skills for a role — rather than simply outlining traditional ‘responsibilities’ for a job profile — widens their scope of positions to seek. For clients, this process boosts diversity and inclusion in their organizations by expanding the pool of candidates beyond experience alone.

An Insight into Future Job Success

In most recruitment cases, many candidates may be competent in areas such as efficient collaboration, creative thinking and problem-solving, while they may be lacking in some other areas specific to the role.

By using competency and personality tests, the selected candidate is given an overview of his or her strong and weak spots, that can be developed later in the job, even without previous experience in an industry. The reporting of competency potential, along with competency blockers, gives a glimpse of all areas of development.

Why We Consider Personality as an Integrated Part of the Selection Process?

When our Consultants meet our clients for the first time, they do their best to understand the role(s) and personalities the client would like to recruit. From this, specific competencies and personalities important for the role are agreed upon with the client (these often also aid in the creation of the job description). From here, the competencies guide the interview process with Consultants curating specific questions and target answers they are looking for in the ideal candidate. The score received by the candidates and the answers from the interviews are then used to guide the creation of the short list and shared with the client when making their final selection.

Closing Thoughts

Personality and competency assessments undoubtedly improve the validity of selection processes. They not only examine in depth the competency potential, but also examine the possible competency blockers. Overall, they act as a window to the candidate’s personality and preferences, while also helping headhunters understand a candidate’s potential to develop competencies required in a specific role. Last but not least, they widen access to high-potential candidates from large and diverse applicant pools.

Credit: Praxi

Remote Working – New Opportunities and Approaches for Talent Management

Within five years, 30% of current workforce skills will be obsolete. That is the reality facing multinational, market-leading technology firm Siemens – and no doubt other firms across the globe. Following extensive and in-depth work and job analysis carried out by the firm, it realized now was the time to rethink and invest in the skills needed for its future, and to support its workforce in making the shift.

Its research is backed up by the findings reported in The World Economic Forum’s latest Future of Jobs report. In it, the WEF concluded that 50% of all employees will need reskilling by 2025 as the adoption of technology increases. The challenge facing organizations is how best to identify those with transferable skills and knowledge to support a program of internal mobility and also develop the skills required in the future.

For Siemens and its global workforce of 293,000 employees, the challenge is very real.

Establishing a Fund for the Future

Siemens knows that those skills needed in the future are scarce in the external hiring market and, as a firm, faces stiff competition for talent from other tech companies, car manufacturers and digital firms. However, it recognizes the strength and power of its current internal talent and its ability to pivot to acquire new skills.

In agreement with its Central Works Council in Germany, the firm chose to create a €100 million Fund for the Future in 2018. This fund was established to finance qualification and reskilling projects in Germany until the end of 2022 and is in addition to the company’s regular annual training and continuing education budget of around €500 million.

Assessments to Understand the Best Fit with Future Skills

Siemens has a strong track record in and commitment to understanding the skills, behaviors, preferences and motivators of its workforce, investing in psychometric assessments for many years. It also understands that, in such a large organization, it can be overwhelming for applicants to understand the opportunities for training and learning available. Siemens had developed some years ago an award-winning applicant assessment to help the candidate to understand how their own interests and skills matched with different training routes within the firm.

Building on that success, Siemens worked with Aon to bring together a new combination of fully mobile-enabled assessments of vocational interests and abilities, attitudes, learning styles, cognitive abilities as well as an indicator of ‘willingness to change’. The results from these assessments, together with the biographical information, pass through a complex matching algorithm developed by the Aon team.

The Qualifications Navigator

Once completed, the employee receives a report highlighting the top three best matches between their own interests and those identified as a future skill for Siemens. It also offers development action suggestions and ideas to acquire new skills. Armed with these top three suggestions, the employee is then able to request an in-depth feedback session with one of the Siemens Professional Education team.

From there, they may apply to join one of the 30 reskilling routes the firm has researched, sourced and will fund. These include undertaking courses such as a Bachelor’s degree in robotics, computer engineering or digital marketing, or qualifications to pursue a role in IT application development, as an industrial electrician or a process manager.

The Start of a New Chapter in Talent Mobility

This is a story not of employer-imposed learning, development and training, but an example of how employees are given access to tools to make informed choices about their career paths – and given the opportunity to study in new areas, acquire skills in new fields and learn how they can contribute to the future success of the organization.

Siemens employees are seizing the opportunity to reassess where their interests and skills lie – and the investment in such employee support and development is inspiring. We expect other organizations will be following their lead.

A Challenge for All Sectors

While technology giant Siemens is facing this challenge right now, the future skills profile of all organizations should be under review.

Credit: AON Empower Results