What is PDPA and why is it important in digital marketing?

Privacy and personal data security have become a grave concern for online users. We have seen several scandals over the past few years. The most recent one being Facebook’s data privacy breach where personal data of Facebook users were leaked due to inadequate security and users accepting broad terms and conditions.

What is PDPA?

To curb the violation of data privacy, Thailand has introduced its first new data protection legislation. The Thai Personal Data Protection Act B.e. 2562 (2019) also known as the PDPA. This new privacy law goes into effect on 27th May 2020, but may be delayed until May 2021 due to the pandemic. 

PDPA shares similar concepts with the General Data Protection Regulation (GDPR) with regards to consent, legal processing and notification. The law strengths protection against competitors imitating products and mirroring algorithms. It is essential to keep data protected as this is the only sustainable competitive advantage. 

The purpose of this act is to strengthen the methods businesses are using to handle users personal data. 

The type of data which will be protected includes (KPMG, 2019): 

  • Personal data: data that is related to identifying a person, which includes but not limited to customers, employees and business partners. 
  • Sensitive personal data: this includes, racial, ethnic origin, sexual orientation, health data and etc.

abstract image of heads and binary data

Key Steps Businesses Should take (DFDL, 2020)

With several businesses already adhering to the GDPR, many already have laws implemented. However, if not, to comply with the PDPA, businesses must:

1. Have a legal basis and consent of individuals whose personal data is being processed
2. Ensure there is transparency and a notice is provided when collecting data for individuals
3. Have security measures put in place to protect the data of individuals
4. A privacy policy which inform the period of time personal data will be stored for
5. Have records of data processing to show PDPA requirements are being fulfilled 


Why should you be concerned?

The effect of this law will result in major implications if not followed. Failure to adhere to the rules and regulations will result in both criminal and civil penalties. (DFDL Thailand, 2019)

Complice – You can face up to 5 million THB in Administrative fines and criminal fines of up to 1 million THB 

Reputational Damage – Your business can face negative media coverage and scandals similar to recent data privacy violations. (i.e. Cambridge Analytics) 

Customer Trust – Gaining the trust of your customers will result in positive reviews as well as new business opportunities. 

Mark Zuckerberg speaking on a stage

What does this mean for agencies 

When working with businesses, it is crucial for agencies to follow the PDPA key compliance’s which includes, 

1. Ensuring that consent has been obtained for collection of any sort of data
2. Consent is given freely by the data owner and can be withdrawn by the owner of the data
3. Privacy notice is given to the owner when data is collected
4. The purpose of collecting data is provided 

Duties of the agency:

1. Implementing appropriate security measures
2. Keeping written / electronic records
3. Setting up strict privacy policies


A woman scanning her face with a smartphone

Primal’s take on PDPA

Here at Primal, we understand the importance of data protection and data security. Having managed digital marketing campaigns for several businesses in various industries, including banking, finance, real estate, e-commerce and etc, we are prepared to comply with laws and regulations put in place through PDPA. 

We take this very seriously and have implemented this into our business to ensure that the campaigns of our clients can run smoothly and are successful.