Episode 2 – Appointment of Data Protection Officer
Watch this brief, concise and easy-to-follow 3 minutes video to understand more about the appointment and roles of the Data Protection Officer (“DPO”), and why such position within an organization becomes increasingly important with the upcoming enforcement of Thailand’s Personal Data Protection Act (“PDPA”).
As June 2021 approaches, many companies in Thailand are focusing on and racing towards the implementation of compliance mechanisms in advance of the adoption of the PDPA – the first comprehensive personal data protection law in the country’s history.
Following our first episode discussion on the types of legal basis to which businesses can rely upon in collecting and processing personal data (see link here), Ng Woan Na (Regional Legal Adviser, China Desk) further highlights in this second episode another key discussion under the PDPA i.e. requirement on the appointment of DPO if the business operations require “regular and systemic monitoring of personal data” as a result of “processing large volume and sensitive personal data”. Examples of such businesses include e-commerce and online banking businesses.
She provides an insightful overview on the appointment and roles of the DPO within an organization, and whether such appointment should be made internally within the organization, or be outsourced to third-party data privacy service provider.
Stay tuned, and do not miss out on our third episode where we will discuss PDPA implications from the human resource perspective!
Following the first series of our video on the upcoming enforcement of the Thailand’s Personal Data Protection Act (also known as the PDPA) as well as the types of legal basis to which businesses can rely upon to legally collect and process personal data, it is also important for us to bring to your attention to another key item, which is on the appointment of the data protection officer (also known as the DPO).
Similar to the EU General Data Protection Regulation, the Thai PDPA also requires business organizations to appoint a DPO if their business activities require regular and systemic monitoring of personal data as a result of processing large volume of personal data as well as sensitive personal data.
Essentially, the duties of DPO is not an operational one, but it involves giving advice to and monitoring the compliance by the business organizations (including their employees) towards with PDPA provisions. Such duties must be performed in an autonomous and independent manner. In other words, the business organizations must not instruct nor influence the DPO’s performance of services and that he or she must be allowed to operate without being put into a conflict of interest situation. For example, an individual who holds operational and senior management role in a company that determines the purposes and means of processing data, he or she must not be appointed as an internal DPO.
This leads us to the question of whether the DPO should be appointed internally within an organization, or should such role be outsourced to a third party service provider? The Thai PDPA does not lay out any restrictions in this respect – both methods work.
Based on our advisory experiences, many companies consider outsourcing as a fairly practical option because there is a lot of training and education required when it comes to internal appointment of a candidate while the data privacy service providers on the other end they are independent organizations so the likelihood of a conflict of interest arises between the outsourced DPOs and the organization units remains rather low.
In considering whether to make an internal appointment or go with the outsourcing route, the business organizations may need to consider a number of substantial factors, such as the size and nature of the organization (in particular, the budget allocated for the appointment of a DPO), the staff and resources available who can take on the DPO role and most importantly whether he or she is able to take on such role in line with the PDPA to keep not only his or her duties but as well as the company activities in line with the data protection laws so as to not lead towards the conflict of interest situation.
So whether the decision is made to appoint a staff member or an outsourced contractor as a DPO, this position within an organization will remain of great importance, especially with the upcoming enforcement of the Thai PDPA and with stories of heavy fines start appearing in newspaper headlines.
The role of a DPO within any organization will also be expected to take on great significance when it becomes clear that they in fact act as a first line defender or an early warning provider from the local enforcement authority.
So in short, this is an important appointment, and a good deal of time and careful consideration should go into choosing the right person for such role and making sure that he or she would be able to perform the duties in line with the PDPA in a way that will not compromise his or her ability to do so.