Compliance Audit

Do you know if your business is compliant with the PDPA?

The PDPA (Personal Data Protection Act, B.E. 2562) is Thailand's data protection law. It sets strict requirements for businesses that collect, use, or disclose personal data, whether as a data controller or a data processor. If you are not compliant with the PDPA, you could face administrative fines, civil liability, and in some cases criminal penalties.

Here is a checklist to help you assess your compliance:

  • Do you have a data protection officer (DPO)? A DPO is required if your core activities involve regular, large-scale monitoring of personal data or the processing of sensitive personal data, or if you are a public authority.
  • Do you have a lawful basis for each processing activity? Consent is only one of the legal bases the PDPA allows. Where no other basis (for example, contract, legal obligation, or legitimate interest) applies, you must obtain valid consent from the data subject before processing, and you must allow that consent to be withdrawn.
  • Have you prepared a Record of Processing Activities (RoPA)? The RoPA documents what personal data you collect, why, on what legal basis, how long you keep it, who it is shared with, and how it is stored and protected.
  • Have you prepared a Privacy Policy (privacy notice)? The Privacy Policy must tell data subjects, at or before the time of collection, what personal data is collected, the purpose and legal basis, how long it is retained, who it is disclosed to, and how they can exercise their rights.
  • Do you have a data breach response plan? In the event of a breach, you must notify the Personal Data Protection Commission (PDPC) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of data subjects. If the breach is likely to pose a high risk, you must also notify the affected data subjects. The plan should define who detects, assesses, escalates, and reports a breach, so that the 72-hour clock is not lost to internal hand-offs.
  • Do you have a process for handling data subject requests? Data subjects have the right to access, correct, delete, and port their personal data, and to object to or restrict its processing. You must be able to verify the identity of the requester, locate the data across your systems, and respond within the statutory time limit.
  • Have you reviewed and improved your IT security measures? You must implement appropriate security measures to protect personal data from unauthorized or unlawful access, use, alteration, correction, disclosure, destruction, or loss, and review them as risks change.
  • Do you grant access to personal data only to authorized persons? Access should be limited to the people who need it for their role, with permissions reviewed regularly and access logged so that misuse can be detected and investigated.
  • Have you trained your personnel on the PDPA? Staff who handle personal data should understand their responsibilities under the law, including how to recognize a data subject request and how to report a suspected breach.
  • Have you carried out a Data Protection Impact Assessment (DPIA) for high-risk processing activities? Before starting any processing likely to pose a high risk to data subjects (for example, large-scale processing of sensitive data or systematic monitoring), assess the risks to data privacy and document the measures you take to reduce them.
If you are not sure whether your business is compliant with the PDPA, you can contact us for a free consultation. We can help you assess your current state of compliance and take the steps needed to become compliant.