How to manage data in CRM Systems Application to comply with Personal Data Protection Act (PDPA)
The Personal Data Protection Act (PDPA) is Thailand's counterpart to the European Union's General Data Protection Regulation (GDPR). The PDPA was published in the Royal Gazette on 27 May 2019; its main operative provisions came into force on 1 June 2022 after being postponed.
The objective of the PDPA is to require organizations that collect personal data to handle it with care, not to use it for activities beyond those the person has consented to, and not to disclose it in a way that violates the person's privacy. In addition, the PDPA prescribes a remedy process that organizations must follow when a person's data privacy is violated or compromised.
Any entity, whether private, public or state-owned, including entities located outside Thailand, that collects, uses, discloses or transfers the personal data of data subjects in Thailand has a duty to comply with the PDPA or else face penalties for non-compliance.
The PDPA defines the parties involved in a person's data privacy as follows:
Data Subject: The Data Subject is the living natural person whom personal data is about. Personal data is any information that can identify that person, directly or indirectly (the PDPA excludes data about deceased persons). In most CRM deployments, the data subjects are the customers and contacts whose records the company collects and uses.
Data Controller: The Data Controller is the person or organization that decides on the collection, use or disclosure of personal data. In most cases the Data Controller is the decision maker who determines how staff in Sales, Marketing, Service or Finance collect, use, disclose or transfer customer data.
Data Processor: The Data Processor is a person or organization that carries out data processing and data administration on behalf of, and under the instructions of, the Data Controller. Data Processors can be staff in the IT department or IT service providers, including CRM software providers.
The PDPA requires the Data Controller to restrict the use of personal data to the specific activities the person has consented to. The Data Controller must establish an internal business process for handling an investigation request from a person who believes their data privacy has been violated, and must oversee the actions taken to correct the data, delete the data, or otherwise remedy the impact of the violation.
For PDPA compliance, data management is essential. Data management covers the full life cycle: from the time data is collected, used, shared among staff or transferred to third parties, until the data is retired or deleted. In a modern information system, access to data must be controlled, and every use of data must be tracked and auditable. To comply with the PDPA, Signify offers the following general suggestions:
o Have a consent form that the person can review and accept, or a service agreement that states what the person wants the service provider to perform (so that the service provider uses the personal data only to fulfil that service).
o Have a Data Protection Officer (DPO) who creates and maintains the Privacy Notice on the website, the data collection form and the service agreement. The DPO is also involved in defining which users may access which data. If a data privacy case arises, the DPO follows the investigation request through and coordinates between the data subject and the regulator.
o Keep a Record of Processing Activities. The CRM system should provide an auditable record of data access and processing activities so that, should a data privacy violation case arise, the DPO can establish the facts.
o Have a Data Processing Agreement with any third party to which the data must be passed for further processing.
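The two system-side suggestions above, purpose-bound access that follows the person's consent and an auditable record of every access, are easier to reason about with a concrete model. The following Python is an illustrative example added to this article; it is not SignifyCRM code and makes no claim about how SignifyCRM implements these controls. The consent register, CRM records, staff identifiers and purpose names are constructed sample data, and the hash-chained log format is an assumption of this example. Each access attempt is checked against the consent recorded for that data subject and purpose, every attempt (granted or denied) and every consent withdrawal is appended to a hash-chained log, and the log can be verified and filtered per data subject to answer an investigation request.

```python
"""Purpose-bound access to CRM personal data with a tamper-evident audit log.

Illustrative example for this article, not SignifyCRM code. All data below is
constructed in memory; record fields, purpose names and the log format are
assumptions of the example.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64

# Constructed sample: purposes each data subject has consented to on the consent form.
CONSENTS = {
    "cust-1001": {"service_delivery", "marketing"},
    "cust-1002": {"service_delivery"},
}

# Constructed sample CRM records (personal data of the data subjects).
CRM = {
    "cust-1001": {"name": "Somchai", "email": "somchai@example.com", "phone": "+66 81 000 0001"},
    "cust-1002": {"name": "Malee", "email": "malee@example.com", "phone": "+66 81 000 0002"},
}


class ConsentError(PermissionError):
    """Raised when the requested purpose is not covered by the data subject's consent."""


@dataclass
class AuditLog:
    """Append-only Record of Processing Activities; each entry commits to the previous one."""
    entries: list = field(default_factory=list)

    def append(self, **event) -> dict:
        # Chain the new entry to the hash of the previous one, then hash the whole entry.
        event["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        event["ts"] = datetime.now(timezone.utc).isoformat()
        event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.entries.append(event)
        return event

    def verify(self) -> bool:
        """Return True only if no entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def activities_for(self, subject_id: str) -> list:
        """All recorded activities on one data subject, for answering an investigation request."""
        return [e for e in self.entries if e["subject"] == subject_id]


def access_personal_data(log: AuditLog, subject_id: str, staff_id: str, purpose: str) -> dict:
    """Return a copy of the record only if consent covers the stated purpose; log either way."""
    allowed = purpose in CONSENTS.get(subject_id, set())
    log.append(subject=subject_id, actor=staff_id, purpose=purpose,
               outcome="granted" if allowed else "denied")
    if not allowed:
        raise ConsentError(f"{subject_id} has not consented to purpose '{purpose}'")
    return dict(CRM[subject_id])


def withdraw_consent(log: AuditLog, subject_id: str, purpose: str, actor: str) -> None:
    """Record a consent withdrawal; later accesses for that purpose are denied."""
    CONSENTS.setdefault(subject_id, set()).discard(purpose)
    log.append(subject=subject_id, actor=actor, purpose=purpose, outcome="consent_withdrawn")


if __name__ == "__main__":
    log = AuditLog()
    print(access_personal_data(log, "cust-1001", "sales-07", "marketing"))
    try:
        access_personal_data(log, "cust-1002", "sales-07", "marketing")
    except ConsentError as err:
        print("denied:", err)
    withdraw_consent(log, "cust-1001", "marketing", actor="dpo")
    print("log intact:", log.verify())
    for entry in log.activities_for("cust-1001"):
        print(entry["ts"], entry["actor"], entry["purpose"], entry["outcome"])
```

In a production CRM the consent register and the log would live in the database, the log would be written by a component that application users cannot modify (or shipped to a separate log store), and the verification would run as a scheduled job so that tampering is noticed before an investigation needs the record.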
Services related to PDPA
Signify can help companies implement PDPA compliance alongside the SignifyCRM application. SignifyCRM will be configured to support the PDPA and to generate PDPA-related monitoring reports. Signify customers can request this service free of charge.