The Personal Data Protection Committee (PDPC) is set to roll out more subordinate regulations to clearly define the practices for Personal Data Protection Act (PDPA) compliance to ease concerns among businesses.
Meanwhile, businesses are urging the government to consider issuing tax incentives that would support their compliance.
They shared their views at a seminar on compliance with the PDPA jointly organised on Monday by the Thai Chamber of Commerce (TCC), the Board of Trade, the Digital Economy and Society (DES) Ministry and University of the Thai Chamber of Commerce (UTCC).
The PDPA was enforced on June 1 following two years of postponement partly due to the pandemic.
Speaking at the seminar, DES Minister Chaiwut Thanakamanusorn said the PDPA and Cybersecurity Act are important pieces of legislation to level up confidence among foreigners doing business with Thailand and drive the economy.
"We believe within the next 4-5 years, the digital economy will contribute 30% of GDP, making us the digital 'Silicon Valley of Asia'," he said.
The PDPA is meant to protect people from misuse of their data and level up data security, Mr Chaiwut said. "It does not intend to create a burden for businesses," he added.
Wetang Phuangsup, deputy permanent secretary for the DES Ministry and acting secretary-general of the PDPC, said six subordinate laws have been implemented since the PDPA came into force last month.
Another two regulations are set to be rolled out in early August, he said. One concerns a guideline on how to seek consent from data subjects and another involves a guideline on how to notify data subjects about the purposes and details of personal data collection.
Udomtipok Phaikaset, secretary-general of the Federation of Thai SMEs, said the government needs to consider providing tax incentives for small and medium-sized enterprises that have to invest in PDPA compliance.
SMEs seeking to comply with the PDPA should be entitled to double tax deduction, he added.
Paiboon Amornpinyokiat, an advisor for the PDPC secretary-general, said businesses no longer need to seek consent to use data from data subjects once they have such a written agreement in contracts with customers.
However, if the businesses need to use personal data for new purposes, they need to seek new consent.
The law goes against people who intend to expose the "sensitive data" of others, such as information regarding their health conditions, religion and sexual preference, and the court of justice will deliberate their intentions.
Regarding administrative fines of up to 5 million baht for PDPA violations, Mr Paiboon said a reprieve is being given at present during the transitional period.
"The PDPA is not intended to overrule other specific laws, such as those used in the banking and financial sectors, security authorities and media, which already have their code of practices," he said.
He insisted the PDPA aims to facilitate the digital economy rather than erect hurdles for businesses.
Atip Bijanonda, vice-chairman of the Board of Trade, said accelerated efforts should be made to roll out subordinate laws to ease concerns among businesses in terms of PDPA compliance.
They are afraid of being abused from non-compliance, he said.
He said the criteria for the punishment could be made clear in the written guidelines without the need to use discretion as business executives are now concerned about imprisonment.
He also threw support behind the issuance of the double tax deduction for businesses investing in order to comply with the PDPA.
Supakorn Kungpisdan, managing director of Cyber Elite, a cybersecurity solution provider, said businesses need to comply with the PDPA to level up their data security defence and risk assessment for data breaches.
"Businesses need to have procedures in place to respond to incidents in line with the PDPA and Cybersecurity Act," he added.
Prapanpong Khumon, deputy dean of the UTCC's School of Law, said a PDPA readiness survey conducted by UTCC and TCC in March showed only 8% of 3,000 organisations said they had fully complied with the PDPA.
Businesses now need to make sure their call centres and frontline staff understand the PDPA so they can respond to customers' requirements based on the PDPA, including demanding to revoke businesses' right to use their personal data.
"The PDPA is about data protection management, making sure the operators secure data. This can also show businesses' intention of pursuing legitimacy and responsibility," Mr Prapanpong added.