kosdesign


10 August 2020

How to make your website PDPA Thailand compliant

Over the past few years, computer technology has advanced at an extremely rapid rate, and one aspect of it that plays a significant role in many people’s lives is the internet. Billions of people use it daily, which is a fairly good indicator of its astounding capabilities. However, like anything else, it has downsides. When surfing the internet, users risk losing their personal information to website operators, most often without knowing it. As a result, to protect users' rights, website owners are bound to follow a set of rules that form part of data protection law.

The Importance of PDPA

The data security regulations that apply to anyone who owns a website in Thailand can be found in the Personal Data Protection Act, or PDPA. Similar to the General Data Protection Regulation (GDPR), which is the European law, the PDPA protects Thai residents against illegal collection, use, and sharing of personal information. In fact, the PDPA was adapted from the GDPR. If your website collects data from Thai residents, whether it be an e-commerce website, an entertainment website, or an educational website, you are automatically required to comply with the guidelines.

Here are some key points that are required in order for organizations to be able to collect, use or disclose their users’ personal data:  

  • Data owners must have been informed of the purposes for the collection, use or disclosure of their data  

  • The purposes for collection, use or disclosure must be considered appropriate to a reasonable person in the given circumstances  

  • The website is expected to use simple and clear language in its privacy policy section

  • Consent requests should not be misleading or deceptive  

  • Data owners must have explicitly given their consent  

  • Data owners must be allowed to withdraw their consent at any time  


Although there are many similarities between the PDPA and the GDPR, they are not exactly the same. The comparison below, taken from Construct Digital, presents the differences between them.

Concept: Personal Data

Personal Data Protection Act (PDPA), exclusions:

  • Data used for business purposes

  • Data belonging to an individual deceased for over 10 years

General Data Protection Regulation (GDPR):

  • Only data that is necessary to an organization's purpose should be collected (data minimization)

Concept: Consent

PDPA:

  • When an individual voluntarily provides his/her personal data to an organization and it is reasonable for the individual to do so

  • Voluntarily provided data to one organization can be passed on to another organization for a particular purpose

GDPR:

  • Requires positive opt-in (no pre-ticked boxes or default consent)

  • Expressly and explicitly given in a very clear and specific statement

  • Consent requests should be separate from other terms and conditions

  • Get separate consent for separate purposes. Vague or blanket consent is not acceptable.

  • Third-party controllers who will rely on consent should be named

  • Individuals should be informed how they may withdraw their consent, and the steps to withdrawal should be easy

  • Consent to processing should not be made a precondition of a service

Concept: Sensitive Personal Data

PDPA: Not specifically defined

GDPR: Personal data revealing:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data for the purpose of uniquely identifying a natural person

  • Data concerning health

  • Data concerning a natural person’s sex life or sexual orientation

Concept: Age of Consent

PDPA: Not specified

GDPR: Threshold set at 16 years old but may be lowered by member states to between 13 and 16 years

Concept: Purpose

PDPA:

  • Should be considered appropriate to the circumstances by a "reasonable person"

  • No need to specify the activities an organization will be undertaking in relation to the data collected; however, objectives and reasons for collecting such data should be provided to the individuals from whom you wish to gain consent

GDPR: Strictly limited to:

  • “Specified, explicit and legitimate purposes”

  • Public archiving, historical, scientific, or statistical purposes must not be incompatible with the initial purposes (purpose limitation)


When does the law not apply?

There are special cases when this law does not apply. They include:  

  • The fulfilment of contractual obligations  

  • Public interest  

  • Legitimate interest 

Why bother?  

You may be wondering about the consequences of non-compliance and the severity of the penalties. Organizations that are found to violate the law are subject to both criminal and civil fines. You risk losing ฿1,000,000 – ฿3,000,000 depending on the offence. On top of that, the courts may also impose additional compensation (punitive damages) of up to double the amount of the actual damages and a prison sentence of one year.

If you think that this is all you can lose, unfortunately, it’s not. The PDPA also allows data owners to put forward class action lawsuits. All this gives your company a very poor image and reputation. You are therefore advised to familiarize yourself with the law and adhere to it if you are looking to create a website or already own one.

Steps to take for PDPA compliance 

The following steps, provided by Secure Privacy, are a guide that may help you ensure that your website is PDPA compliant:

  • Understand how your company collects, processes, transmits, and stores data  

  • Review your company’s internal policies, agreements, and practices related to personal data  

  • Implement data management processes and operating systems  

  • Update existing privacy notices and create relevant legal documents

  • Ensure employees and personnel are fully trained on the relevant requirements of the PDPA  

  • Conduct a gap assessment to identify the current levels of compliance  

  • Have processes in place that exercise the rights of individuals relating to their personal data 


How can you start? 

Now that you understand the general basis of the PDPA, it is time for you to get moving. Unsure how to start? We at KOS Design are ready to take your business digital. Ecommerce store, corporate website, branding, graphic design, digital marketing, and SEO, we do them all. You can begin by calling or emailing us to ask for advice and more information. We look forward to working with you. Let’s start!

For many of us, working from home has become a new part of our lives due to the COVID-19 pandemic. We have learned to live online: ordering our food via services like Grab, having work meetings via Zoom, and searching for what we need in online ecommerce stores across the web. Our livelihood has changed and the so-called “new normal” is expected to stay. There is no denying that online spending has been increasing dramatically in the past few years, as fast internet is more accessible and having a smartphone is quite common. So if your business is still offline, you are definitely running behind.

“Moving is living”

This great line, said by George Clooney in the 2009 movie “Up in the Air”, basically means that nothing is static, and we must keep moving, growing, and evolving to catch up with an ever-changing situation. We could really consider this pandemic a turning point where our economy must thrive with the help of online businesses. If customers' behavior has changed, why are we standing still? Let's take a closer look at the following reasons why you should take your business online.

1. The real money is online

Last year alone in Thailand, the total annual sales revenue from the online market grew by 23 percent. It is quite simple, really: the more places you offer your product, the more revenue you can generate. Building an ecommerce store will allow you to reach more customers locally and internationally alike. So let’s expand your opportunities, find new markets to explore, and keep moving forward.

Let’s take a look at some more statistics:

According to We Are Social, food and personal care products are at the top of the list with the highest growth rate from last year. Second are gadgets, toys, and hobby-related products. Third is fashion and beauty. The way things are now, people sometimes visit online markets just to have fun. They browse through what they are interested in and if they find it, they will likely make purchases right then and there.

2. Know your customers

Getting customer information is quite difficult in the real world. Anyone can walk into your store and leave without you knowing anything about them. Have you ever been asked to fill out a questionnaire after you bought something? Not too often, right? That is because getting your information that way could interrupt the customer experience.

Ecommerce is great because it lets you grab information from your customers without them even knowing about it. With tools like Google Analytics or Hotjar, you can learn much more about your customers than ever before. You can track where customers are coming from, which products they are interested in, whether or not they buy your product, and much more. You can then use these insights to adapt to your customers and grow your business.

3. Expand your reach with SEO

How do you think your customers know about your store? How do they know where it is or when it opens? If your business has been in operation for a while, then this may not be a problem for you. You may already have a good social media presence and a decent reputation with your local communities, but why stop there?

When people want to find something specific to buy, they search. Ecommerce will allow people to find you more easily than ever. Start by using SEO to allow your site to rank higher for keywords associated with your business and its products. Later on you will learn more advanced tips and tricks, and perhaps invest a bit in Google Ads to boost your rank even more.

4. Easy to get started

You are basically just a few clicks away from operating an ecommerce website. If you are looking for just a really basic store, ecommerce platforms like Wix, Squarespace, or BigCommerce offer many pre-built templates for you to choose from. They also take care of all the confusing stuff like hosting, SSL certificates, and maintenance on your behalf. Some even give you a free domain for the first year too. So why not go and try opening your first online business today?

Let’s start moving forward

If you are a perfectionist and want something much more than a simple and basic template store, look no further. We at KOS Design are ready to take your business digital. We specialize in highly customized ecommerce solutions like Shopify and Magento, which empower more than 1 million professional businesses worldwide. Ecommerce store, corporate website, branding, graphic design, digital marketing, and SEO, we do them all. Still have doubts? Come talk to us and let us guide you through the seemingly complex online business solution. Welcome to the kingdom of service.