
Navigating Thailand’s Personal Data Laws

Data Minimization and Purpose Limitation

The PDPA emphasises the principles of data minimisation and purpose limitation, requiring organisations to collect only the data that is necessary for a specific purpose and to use it only for that purpose. The idea is to depersonalise data, for example through pseudonymisation (replacing personal identifiers with proxy data, which reduces but does not eliminate data protection risks, since the data can still be re-linked to a person by whoever holds the mapping or key) and anonymisation (removing identifiers so that the data is no longer ‘personal’). Organisations should have an appropriate framework in place to assess, explain and demonstrate to the regulator how they determine what is necessary.
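To make the distinction between minimisation, pseudonymisation and anonymisation concrete, the following is an added illustration in Python; it is not code from the article or from Deloitte. It assumes a hypothetical analytics purpose for which only age, city and purchase total are necessary, uses constructed records for fictitious people, and uses a keyed HMAC as the pseudonymisation proxy. The `relink` function shows why pseudonymised data is still personal data: the key holder can recompute the token from a known e-mail address and match it.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people, not real data).
RECORDS = [
    {"name": "Somchai A.", "email": "somchai@example.com",
     "age": 34, "city": "Bangkok", "purchase_total": 1200},
    {"name": "Nid B.", "email": "nid@example.com",
     "age": 41, "city": "Chiang Mai", "purchase_total": 350},
]

# Assumption: the declared purpose (purchase-trend analytics) needs only these fields.
PURPOSE_FIELDS = {"age", "city", "purchase_total"}
# Fields that directly identify a person.
DIRECT_IDENTIFIERS = {"name", "email"}


def minimise(record, allowed=PURPOSE_FIELDS):
    """Data minimisation: keep only the fields necessary for the declared purpose."""
    return {k: v for k, v in record.items() if k in allowed}


def subject_token(email, key):
    """Keyed, deterministic proxy for an identifier. Without the key the token
    cannot be reversed; with it, the same e-mail always yields the same token."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record, key):
    """Pseudonymisation: replace direct identifiers with a keyed token.
    Records remain linkable across datasets, and re-identifiable by the key holder,
    so the output is still personal data under the PDPA."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = subject_token(record["email"], key)
    return out


def relink(token, known_emails, key):
    """What the key holder can do: recover which known e-mail produced a token.
    Returns None if no candidate matches."""
    for email in known_emails:
        if hmac.compare_digest(subject_token(email, key), token):
            return email
    return None


def age_band(age):
    """Generalise an exact age (a quasi-identifier) into a 10-year band."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymise(record):
    """Anonymisation: drop direct identifiers, keep no token, and coarsen
    quasi-identifiers so individual records are not singled out."""
    out = minimise(record)
    out["age"] = age_band(out["age"])
    return out


def is_personal(record):
    """True if the record still carries a direct identifier or a linkable token."""
    return any(k in record for k in DIRECT_IDENTIFIERS | {"subject_token"})


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-kms"
    for r in RECORDS:
        print("minimised:   ", minimise(r))
        print("pseudonymised", pseudonymise(r, key), "personal:", is_personal(pseudonymise(r, key)))
        print("anonymised:  ", anonymise(r), "personal:", is_personal(anonymise(r)))
```

The point of the three outputs side by side: the minimised record still contains exact ages and cities, the pseudonymised record is reversible by anyone with the key (which is why the key belongs in a separate, access-controlled store rather than beside the data), and only the anonymised record drops out of the ‘personal data’ category, at the cost of precision.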

Data Subject Rights and AI Transparency

The PDPA grants individuals the right to access, rectify, and delete their personal data. Implementing these rights in the context of AI can be difficult, especially with complex machine learning models that generate insights and predictions from massive data sets.

Transparency is key to addressing these challenges. Organizations need to ensure that AI systems are designed and implemented in a way that allows individuals to understand how their data is being used. This involves providing clear explanations of AI decision-making processes and ensuring that individuals can effectively exercise their rights.

Data Breach Notification and Security

AI systems, like other data processing systems, are susceptible to security breaches. The PDPA requires that data breaches be notified to the appropriate authorities and to affected individuals. Robust data security measures are essential to preventing and mitigating breaches.

For AI systems, this includes implementing strong encryption, access controls, cybersecurity measures, and regular security reviews and audits. Additionally, organizations should have a clear incident response plan to quickly and effectively deal with potential data breaches.

The Role of Data Protection Officers (DPOs)

Under the PDPA, some organizations are required to appoint a Data Protection Officer (DPO) to oversee compliance with the PDPA. The DPO plays a key role in ensuring AI systems comply with the PDPA requirements. This includes conducting data protection impact assessments (DPIAs) for AI projects, monitoring data processing activities, and providing guidance on data protection best practices.

Application

How AI technology will shape up in the coming years and what impact it may have is still unknown. What is certain is that integrating AI technology into business operations in Thailand offers significant opportunities for innovation and growth. It also requires careful consideration of data privacy and PDPA compliance.

Collaboration through open and transparent conversations between industry and regulators is essential to developing a pragmatic approach that balances regulatory compliance with support for innovation in AI.

By adopting transparent data collection practices, implementing robust security measures, and ensuring respect for individual rights, organizations can harness the power of AI while complying with data protection principles. Navigating the complexities of AI and PDPA requires a proactive and informed approach, but with the right strategies, companies can balance technological innovation with data privacy compliance.

AI Compliance and Innovation: Navigating Thailand's Personal Data Regulations

Somkrit Krishnamra | Partner

Puttida Sriwong | Senior Manager

Strategy, Risk and Trading
Deloitte Thailand