You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
February 3, 2025

Thailand’s PDPC Hosts Event to Promote Data Protection Awareness

Subscribe to Updates

On January 28, 2025, the Office of the Personal Data Protection Committee (PDPC) hosted Data Privacy Day 2025, bringing together over 1,000 participants from both the public and private sectors. The event underscored the importance of personal data protection and aimed to raise nationwide awareness while fostering a culture of compliance. During the event, the PDPC reaffirmed its commitment to strengthening Thailand’s data protection framework to align with international standards. The initiative also emphasized the collective goal of achieving zero data breaches.

During the first session of the event, Mr. Prasert Jantararuangtong, deputy prime minister and minister of digital economy and society, delivered a speech highlighting the role of personal data protection in fostering Thailand’s digital economy. He emphasized that strong data protection measures enhance business credibility, build consumer trust, and attract foreign investment. He also addressed the PDPC’s “zero data breach” policy and the ongoing issue of data leaks, which have been exploited by call-center scam operations to deceive the public and cause financial harm.

Additionally, Mr. Prasert announced that the Thai cabinet has approved a draft amendment to the Emergency Decree on Cyber Crime Prevention and Suppression B.E. 2566 (2023), commonly referred to as the “Cyber Crime Decree.” The draft will now proceed to the Council of State for review before its official enactment. Key provisions of the amendment include holding financial institutions, telecom providers, and social media platforms accountable for technology-related crimes; requiring compensation for victims; and enforcing stricter security measures. Cyber offenses, including personal data trading, face harsher penalties of up to THB 5 million in fines or five years of imprisonment. Authorities are also empowered to suspend suspicious SIM cards for committing illegal activities and expedite monetary refunds for victims without court approval.

In the second session, the Office of the PDPC presented its 2024 Privacy Maturity Model and Privacy Index report, summarizing key findings and developments in Thailand’s personal data protection landscape.

Privacy Maturity Model

The Privacy Maturity Model consists of assessment criteria designed to evaluate the readiness of government agencies and private entities in implementing personal data protection measures. The Privacy Maturity Model provides online self-assessment questionnaires for organizations to assess their compliance levels under the PDPA.

The model classifies organizations into five maturity levels based on compliance status and implementation of personal data protection measures:

  • Initial (Level 1) – Minimal compliance, with key legal requirements not yet fully implemented.
  • Managed (Level 2) – A structured approach to data protection is in place, but gaps remain in meeting full legal requirements.
  • Defined (Level 3) – Full compliance with legal requirements has been achieved in a systematic manner.
  • Measured (Level 4) – Ongoing performance monitoring and assessment have been implemented to enhance effectiveness.
  • Optimizing (Level 5) – Data protection practices are continuously refined and improved based on evaluation metrics.

The Privacy Maturity Model assesses organizations across 10 areas: oversight, policies and procedures, training and awareness, individuals’ rights, transparency, ROPA and lawful basis, contracts and data sharing, risk management, data security, and breach response and monitoring. The assessment aligns with the PDPA, covering both legal requirements and best practices.

Overall, the first-year Privacy Maturity Model assessment recorded an average score of 2.72 out of 5. In 2024, 142 entities participated in the assessment, including 69 government agencies and 31 private sector organizations, spanning various industries. The financial, investment, and insurance industries achieved the highest scores, with 47% of participating organizations scoring above the average. Across all categories, the highest-scoring areas were (1) Policies and Procedures (e.g., implementation of privacy policies), (2) Training and Awareness, and (3) Oversight. Conversely, the lowest-scoring areas were (1) contracts and data sharing (e.g., lack of safeguards for B2B and cross-border data sharing), (2) breach response and monitoring (e.g., absence of data breach handling policies or breach notification procedures), and (3) individuals’ rights (e.g., lack of identity verification before processing data subject requests).

Privacy Index

The key difference between the Privacy Index and the Privacy Maturity Model is that while the Privacy Maturity Model is an internal assessment based solely on self-assessment and internal data, the Privacy Index incorporates external data for a more comprehensive evaluation. The Privacy Index assigns scores on a scale of 0 to 100 and evaluates organizations using two types of data sources:

  • Primary data – Information obtained from questionnaires or evidence submitted by the organization.
  • Secondary data – Information collected from external sources, including reported data breaches, complaints filed with the PDPC, or publicly available information.

Overall, the average Privacy Index score was 51.03, with private-sector organizations scoring an average of 63.12, while the financial, investment, and insurance industries achieved the highest scores. The results suggest that organizations generally demonstrate a moderate level of personal data protection, complying with legal requirements to some extent. However, organizations should strive for more comprehensive compliance, with greater emphasis on preparing and maintaining ROPAs to identify potential risks and vulnerabilities and on enhancing data security measures based on these findings.

Outlook

The PDPC’s Data Privacy Day 2025 event highlighted the importance of personal data protection and set a clear direction for Thailand’s digital future. The implementation of the Privacy Maturity Model and Privacy Index provides organizations with valuable tools to assess and improve their data protection practices. As Thailand continues to strengthen its data protection framework, the collective efforts of the public and private sectors to put in place strong safeguards and procedures will help the country achieve the goal of zero data breaches.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

January 30, 2025
The Thai cabinet has approved a draft amendment of the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes as proposed by the Ministry of Digital Economy and Society to strengthen measures against technological crimes, particularly targeting call center scams and cyber fraud. Following the Council of State’s review, the emergency decree will be tentatively enacted by February 2025, becoming effective immediately upon publication in the Government Gazette. While the draft amendment is not yet publicly available, the government recently indicated that the emergency decree aims to empower authorities with decisive measures to combat cybercrime effectively. It underscores the shared responsibility among various sectors, including banking, telecommunications, and online platforms, in safeguarding against technological crimes. Key provisions of the draft amendment of the emergency decree include: Telecommunications provider obligations: Telecommunications service providers must suspend SIM cards associated with criminal activities. The National Broadcasting and Telecommunications Commission and mobile service providers themselves are authorized to temporarily suspend mobile phone numbers if there is reasonable suspicion of involvement in criminal activities. Banking responsibilities: Financial institutions are required to promptly report mule accounts to the Anti-Money Laundering Office to facilitate quick restitution to victims. The Anti-Money Laundering Transaction Committee is empowered to order the return of funds to victims without requiring a final court ruling. Penalties for noncompliance: The amended emergency decree introduces penalties for noncompliance by regulated entities that fail to prevent criminal activities for offenses related to technology crimes in the following cases: Digital asset services: Those engaged in the buying, selling, or exchanging of digital assets, such as cryptocurrencies and digital tokens, as well as digital asset businesses that launder money obtained from online crimes by converting it into digital currency, will be subject to imprisonment for up to one year, a fine of up to
Read More
January 24, 2025
Following Vietnam’s adoption of the new Law on Data (“Data Law”) on November 30, 2024, there remained uncertainty as to what impact the new framework would have on businesses in Vietnam and abroad. The government has now released a package of four draft legal documents aimed at guiding the implementation of the Data Law: (1) a decree on the National Data Development Fund (“NDDF Decree”), (2) a decree related to regulations on scientific, technological, and innovation activities and data products and services (“Decree on Specific Activities”), (3) a decree detailing a number of articles and measures to implement the Data Law (“Implementation Decree”), and (4) a decision on the lists of important data and core data. This article will provide an overview of the draft legislation. 1. NDDF Decree The draft NDDF Decree relates to the establishment, management and use of a National Data Development Fund (“NDDF”), which is a non-profit and non-budgetary state financial fund established and managed by the Minister of the Ministry of Public Security (MPS). The NDDF has legal personality and is fully state owned, operating similarly to a single-member limited liability company. Its main objectives are to support, promote, and invest in artificial intelligence (AI), the Internet of Things (IoT), and other new technologies and innovation. The NDDF may lend to, invest in, or otherwise support eligible organizations. The draft NDDF Decree also proposes a series of regulations on donations to the NDDF and from the NDDF (through expense support), the lending activities of the NDDF to commercial banks, which will in turn lend to eligible organizations, the investment activities in data products and services innovative start-ups, and other kinds of support. The government commits to provide VND 1 trillion (approx. USD 40 million) to the NDDF, evidencing the importance the government places on
Read More
January 23, 2025
Thailand’s Ministry of Digital Economy and Society, through the Digital Economy Promotion Agency (DEPA), recently held a focus group hearing on the draft Gaming Industry Promotion Act. This legislation seeks to strike a balance by promoting the growth of the online game industry while safeguarding society, with a particular focus on protecting youth from potential negative impacts and enhancing a positive gaming environment. From the public releases, the draft act is expected to address several key aspects, including: Registration requirements for key industry players, such as developers and platform providers. It is also worth monitoring whether these requirements will also apply to offshore entities offering services to users in Thailand. Governance measures, such as game rating systems and measures to address online gambling and violence in games. Incentives, such as the establishment of a fund to support the gaming industry, and tax incentives to promote Thai gaming businesses. DEPA plans to incorporate feedback from the focus group hearing to refine the Draft Act. The legislation is expected to be submitted to the cabinet for approval by April 2025, with enactment expected by the end of 2025. As this draft law is still at an early stage, amendments may be introduced during the legislative process. Businesses and stakeholders in the gaming industry are encouraged to monitor the matter closely and assess how the developing legislation may impact their operations.
Read More
January 22, 2025
Tasked with implementing the Politburo’s policy outlined in Notice No. 47-TB/TW dated November 15, 2024, the prime minister of Vietnam issued Decision No. 1718/QD-TTg on December 31, 2024, appointing himself as the head of a steering committee dedicated to the establishment of an international financial center in Ho Chi Minh City and a regional financial center in Da Nang by 2025. The Ministry of Planning and Investment has subsequently drafted an outline for the National Assembly’s Resolution on the Establishment of Regional and International Financial Centers in Vietnam (“Draft Resolution”). This Draft Resolution introduces two key policy groups: (i) policies governing the quantity, location, structure, organization, functions, and responsibilities of the financial centers; and (ii) policies applicable to various areas and matters within the financial centers. Notably, under the Draft Resolution, fintech has been identified as a key sector, with a specific focus on the implementation of a “controlled sandbox” policy for business models involving virtual assets and cryptocurrencies. Under this framework, transactions related to virtual assets and cryptocurrencies will be permitted from July 1, 2026, subject to licensing, management, impact assessment, and risk oversight by the financial centers’ Management and Operations Committee. Scope of Application and Key Principles The Draft Resolution applies to a wide range of stakeholders, including investors, regulatory agencies, organizations, and individuals involved in the establishment, organization, and operation of regional and international financial centers in Vietnam. These financial centers will have clearly defined geographical boundaries and specific locations, which will be further specified and detailed by the People’s Committees of Ho Chi Minh City and Da Nang. Companies successfully registered as members of these financial centers will benefit from special investor-friendly policy principles, which may differ from the general legal and regulatory framework applicable in other parts of Vietnam. Most notably, the state will
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice