Achieving Thailand PDPA compliance is no small matter for any company or educational establishment, but the way you go about it can be the difference between success and failure. With the right management tools at your disposal, it is achievable.
A PDPA gap analysis shows your current compliance status compared to where you should be. It helps you close gaps. It’s useful to do at any stage, whether you’re just starting to achieve PDPA compliance or have been tackling it from the outset and stalled.
There are several ways to go about a PDPA gap analysis, but where do you start? This article looks at the areas covered by the analysis and the tools you can use to perform one. Let's start with the first step of a PDPA compliance checklist.
For collection, storage and use, the PDPA sets out the following principles.
(a) Purpose limitation. The Controller cannot collect, use or disclose personal data for any other purpose than the initial purpose as consented to by the data subject.
(b) Proportionality. The Controller cannot collect, use or disclose more personal data than is necessary to achieve the intended purpose.
(c) Collection limitation. Data controllers and processors may only collect personal data directly from the data subject, subject to limited exceptions.
(d) Retention limitation. The Controller cannot store personal data for longer than necessary to achieve the intended purpose.
(e) Transfer limitation. Data controllers and processors cannot transfer data to countries that do not meet the adequacy levels required for data protection standards, except for a transfer under an approved process verified and certified by the OPDPC.
The Scope of a PDPA Gap Analysis
The scope of a PDPA gap analysis may vary depending on who conducts it and for whom, but it is often comprehensive. If you’re a long way from compliance, a lighter gap analysis may be in order so you can quickly make the most pressing changes. Some of the key areas a privacy gap analysis might examine are below.
- Policy and Procedure Management: How does your organisation define, document, communicate and assign accountability for its privacy policies and processes?
- Notices: How does your organisation notify data subjects about the privacy policies, purposes and procedures under which it collects, uses and retains personal data?
- Choices and Consent: How do you outline the choices available to data subjects about the data they disclose? What methods do you use to gain consent?
- Use, Retention and Disposal: Is your organisation using personal data only for the purposes that data subjects have consented to, and only for as long as necessary? When data is no longer required, are you disposing of it appropriately?
- Access Rights: How does your organisation provide, manage and process data subjects' access to their own data?
- Disclosure: If your organisation discloses personal data to third parties, is this only for the purposes outlined in its policies and contracts?
- Security for Privacy: How does your organisation protect personal information from unauthorised access, both logical and physical?
- Data Quality: Is the data you collect and store accurate? Is it complete and relevant to the purposes identified in your privacy policies?
- Monitoring and Enforcement: How does your organisation monitor its compliance with its privacy policies and procedures? What measures are in place to deal with privacy-related complaints and disputes?
PDPA Gap Analysis: Who & How
There are different pathways to performing a PDPA gap analysis. You can use a consultancy firm, employ someone in-house, use PDPA software to do most of the work for you, or combine these approaches. The software-based route is viable for small to mid-sized businesses (SMEs).
Internal PDPA Gap Analysis
Organisations can perform their internal gap analyses using teams of technical or legal professionals if they have the resource bandwidth. Some companies use a PDPA compliance checklist, which asks a long series of questions about all aspects of data processing and protection (e.g. security policies and processes, roles and responsibility, record-keeping, legal and regulatory). Checking compliance is a time-consuming project.
PDPA software provides a beneficial solution to analysing compliance for SMEs. Because everything is in the cloud, collaborative efforts toward compliance are easier, and changes occur in real time. It's affordable, too. A good data privacy platform can benefit an organisation's compliance journey in several ways:
- Data mapping: locates and tracks the flow of personal data
- Data Protection Impact Assessment (DPIA): assesses the risk that data processing poses to data subjects
- Policy and contract generation: produces PDPA-compliant privacy policies and contracts
- Subject access management: creates a mechanism for handling subject access requests (SARs)
- Data breach management: helps manage and report data breaches
- Subject consent management: assists in all aspects of gaining, recording and renewing consent
- Compliance assessment: generates a data protection programme tailored to your company
- DPO features: help responsible parties implement and track compliance
Eliminating the Gaps
Comprehensive Gap Analysis Report
Instantly see your PDPA maturity status, with clearly described gaps for remediation.
Comprehensive Remediation Report
The report clearly explains what is needed to remediate the gaps.