Thailand’s Personal Data Protection Act (PDPA) has been fully in force since June 2022. However, enforcement statistics from 2025 show that many organizations still have significant gaps that may lead to both civil and administrative penalties. A systematic readiness review is therefore no longer optional, but essential.
This article compiles a 15-item PDPA checklist covering all key areas prioritized by the Personal Data Protection Committee Office (PDPC), along with an analysis of the most common gaps found in Thai organizations.
Part 1: Structure and Governance
Item 1 — Appoint a DPO or a Person Responsible for Personal Data Protection
Organizations that meet the criteria in Section 41, such as public agencies, organizations processing large volumes of sensitive data, or organizations that systematically monitor individuals’ behavior, must appoint a Data Protection Officer (DPO). The appointment must be formalized. Even if your organization is not legally required to appoint a DPO, it should still designate a clearly accountable lead for PDPA matters.
This may seem straightforward, but a common issue is that a DPO is formally appointed in writing without having real authority or adequate supporting resources.
Item 2 — Maintain a Personal Data Protection Policy (Privacy Policy)
You must have an up-to-date Privacy Policy covering every point of personal data collection, including websites, applications, paper forms, and offline channels. The language must be clear and understandable, not simply copied from an English template and translated word-for-word.
Item 3 — Define Controller and Processor Roles
Your organization must clearly identify whether it acts as a Data Controller or Data Processor for each processing activity, and it must have a Data Processing Agreement (DPA) in place with every external service provider.
Part 2: Legal Basis and Consent
Item 4 — Identify the Legal Basis for Every Processing Activity
The PDPA recognizes six legal bases: Consent, Contract, Legal Obligation, Vital Interest, Public Task, and Legitimate Interest. A lawful basis assessment must be completed for every processing activity.
Common gap: Using Consent as the legal basis for everything, even where Contract or Legitimate Interest would be more appropriate.
Item 5 — Implement an Auditable Consent Management System
If Consent is the legal basis, you must keep records that can prove when consent was given, how it was obtained, and for which purpose, and withdrawing consent must be as easy as giving it. Consent logs must be append-only, so that entries cannot be altered or removed retroactively.
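As an added illustration of the append-only consent record described in Item 5 (example code written for this article, not from the article itself or any particular product): each entry is chained to the previous one by SHA-256, so editing, deleting or reordering an earlier entry breaks every later hash; withdrawal is recorded as a new entry rather than an edit of the grant; and the data-subject identifier is stored as a keyed HMAC pseudonym so the log itself holds no directly identifying data. The subject ID, purpose names, channel labels, timestamps and HMAC key are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64
# Constructed demo key for the subject pseudonym; a real deployment keeps this in a KMS/HSM.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
FIELDS = ("seq", "subject", "purpose", "action", "channel", "ts")


def pseudonymise(subject_id: str) -> str:
    """Keyed hash of the real identifier, so the log stores no direct identity."""
    return hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256).hexdigest()


def entry_hash(prev_hash: str, body: dict) -> str:
    """Chain hash: covers the previous entry's hash plus a canonical JSON of this entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class ConsentLog:
    def __init__(self):
        self.entries = []  # appended only; never edited or deleted

    def _append(self, subject_id, purpose, action, channel, ts):
        ts = ts or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "subject": pseudonymise(subject_id),
            "purpose": purpose,
            "action": action,    # "grant" or "withdraw"
            "channel": channel,  # how it was obtained, e.g. "web-form", "call-centre"
            "ts": ts.isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        self.entries.append({**body, "prev": prev, "hash": entry_hash(prev, body)})

    def grant(self, subject_id, purpose, channel, ts=None):
        self._append(subject_id, purpose, "grant", channel, ts)

    def withdraw(self, subject_id, purpose, channel, ts=None):
        # Withdrawal is a new record, not an edit of the grant: history is preserved.
        self._append(subject_id, purpose, "withdraw", channel, ts)

    def in_effect(self, subject_id, purpose, at=None) -> bool:
        """Replay the log: was consent for this purpose in effect at `at` (ISO string,
        datetime, or None for now)? Later entries override earlier ones."""
        if isinstance(at, str):
            at = datetime.fromisoformat(at)
        key = pseudonymise(subject_id)
        state = False
        for e in self.entries:
            if e["subject"] != key or e["purpose"] != purpose:
                continue
            if at is not None and datetime.fromisoformat(e["ts"]) > at:
                continue  # recorded after the point in time being asked about
            state = e["action"] == "grant"
        return state

    def verify(self) -> bool:
        """Recompute the chain; any edit, deletion or reordering of an entry breaks it."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in FIELDS}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(prev, body):
                return False
            prev = e["hash"]
        return True


def demo_log() -> ConsentLog:
    """Constructed sample: one subject grants two purposes, later withdraws one."""
    log = ConsentLog()
    t1 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2025, 3, 1, 14, 30, tzinfo=timezone.utc)
    log.grant("customer-12345", "marketing-email", "web-form", ts=t1)
    log.grant("customer-12345", "service-notifications", "web-form", ts=t1)
    log.withdraw("customer-12345", "marketing-email", "self-service-portal", ts=t2)
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify())
    print("marketing consent in effect now:", log.in_effect("customer-12345", "marketing-email"))
    print("marketing consent on 2025-02-01:",
          log.in_effect("customer-12345", "marketing-email", "2025-02-01T00:00:00+00:00"))
```

The hash chain detects changes inside the log, but truncating the tail (dropping the most recent entries) is not detectable from the chain alone; to cover that, the latest hash should be anchored outside the log at regular intervals, for example written to a separate write-once store or included in a signed audit report.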
Item 6 — Separate Consent Clearly by Purpose
Multiple purposes must not be bundled into a single checkbox. Data subjects must be able to give or withhold consent for each purpose separately.
Part 3: Records and Data Inventory
Item 7 — Maintain a Record of Processing Activities (RoPA)
Section 39 requires both Data Controllers and Data Processors to maintain a Record of Processing Activities (RoPA) specifying data categories, purposes, legal bases, recipients, retention periods, and security measures.
Item 8 — Maintain a Data Inventory or Data Mapping
You must know where personal data resides, how it flows from one point to another, who can access it, and how long it is retained. Data Mapping is the foundation for all other PDPA activities.
A common issue is that organizations create a Data Inventory once and never update it. As soon as new systems or processes are introduced, the information becomes outdated and no longer useful.
Part 4: Data Subject Rights and DSR
Item 9 — Establish a Process for Handling Data Subject Requests (DSR Process)
You must have a process for handling all six types of data subject rights requests: access, rectification, erasure, restriction, portability, and objection. Responses must be provided within 30 days from receipt of the request.
Item 10 — Provide Easily Accessible DSR Submission Channels
You must provide convenient channels through which data subjects can submit rights requests, such as a web form, email, or online system. These channels should not be buried so deeply that they are difficult to find.
Part 5: Data Security
Item 11 — Implement Appropriate Security Measures
Section 37(1) requires appropriate security measures, both technical (such as encryption, access control, and logging) and organizational (such as policies, training, and audits). Risks must be assessed and controls adjusted accordingly.
Item 12 — Maintain a Data Breach Incident Response Plan
You must have a data breach response plan that is ready to execute immediately, including processes for notifying the PDPC within 72 hours and notifying affected data subjects in high-risk cases.
A recurring problem: there is a plan on paper, but it has never been tested. When a real incident occurs, the organization cannot respond in time.
Part 6: Data Transfers and Third Parties
Item 13 — Put Agreements in Place with External Data Processors
You must have a Data Processing Agreement (DPA) with every vendor that processes personal data on behalf of your organization. It should define the scope of duties, security measures, audit rights, and data deletion conditions at the end of the contract.
Item 14 — Manage Cross-border Transfers Properly
If personal data is transferred abroad, you must ensure that the destination country provides an adequate standard of data protection, or that appropriate safeguards are in place, such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
Part 7: Training and Organizational Culture
Item 15 — Train Employees at All Levels Regularly
PDPA compliance is not solely the responsibility of the IT or Legal team. Every employee who handles personal data must receive role-appropriate training, be assessed for understanding, and attend refresher training regularly, at least once a year.
This is a weakness in many organizations, especially those that conducted training only once when the law first came into force and then stopped. As a result, new employees may never receive training at all.
What the PDPC Prioritizes Most
Based on past guidance and enforcement trends, the PDPC places particular emphasis on three key areas.
First is verifiable evidence (Accountability). The PDPC does not merely ask whether a policy exists; it asks whether you can prove actual compliance. Consent logs, RoPA, DPAs, training records, and incident reports all need to be managed systematically.
Second is data subject rights. The PDPC expects organizations to respond to rights requests within the legal timeframe in practice, not simply receive requests and leave them pending.
Third, the PDPC is particularly strict about breach notification within 72 hours. Organizations without clear detection and reporting processes almost always fail to act in time.
From Checklist to Practical Implementation
Having a checklist is a good starting point, but putting it into practice requires the right tools. Many organizations begin with spreadsheets, only to find they cannot scale as data volumes and request volumes grow.
What to look for in a PDPA compliance solution includes a system that covers Consent Management, DSR Management, Data Inventory, RoPA, Breach Management, and Vendor Management in one place, provides an immutable audit trail, and does not store actual personal data in order to reduce risk.