
PDPA 2026 — The Year Thailand Begins Real Enforcement, Alongside New AI Governance Guidelines

The PDPC has already issued THB 21.5 million in fines, launched the Eagle Eye Crawler to inspect websites automatically, and is drafting AI guidelines under PDPA that every organization must prepare for.

4 Mar 2026 · 7 min read
Tags: PDPA, AI Governance, PDPC (สคส.), Eagle Eye, Enforcement

From "Awareness Building" to "Privacy in Action"

At Data Privacy Day 2026, organized by the PDPC (Personal Data Protection Committee Office), the message was clear: this year’s theme is "Privacy in Action" — the era of simply knowing that PDPA exists is over. Organizations must implement it in practice and be able to prove compliance.

Figures disclosed by the PDPC as of February 2026:

  • 2,672 cumulative complaints
  • 8 administrative penalty orders across 5 cases
  • Total fines of THB 21.5 million (approximately USD 654,690)
  • Sectors under heightened scrutiny: e-commerce, healthcare, telecom, and government agencies

Eagle Eye Crawler — The Automated Detection System Changing the Game

What many organizations still do not realize is that the PDPC is no longer waiting for complaints to be filed. It is proactively using the Eagle Eye Crawler to crawl organizational websites and check whether:

  • proper cookie consent is in place
  • the privacy policy is complete
  • data is being collected beyond what is necessary
  • a Data Subject Request (DSR) process is available

Organizations whose websites still drop cookies without obtaining consent, or whose privacy policies are outdated, may be flagged even before any complaint is submitted.
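Before an external crawler flags your site, you can run the same kind of check yourself against the first, pre-consent response of a landing page. The script below is an added illustrative example, not the PDPC's Eagle Eye Crawler and not code from this page; the cookie-name patterns used to separate tracking cookies from strictly necessary ones are an assumption, and the response headers and HTML it inspects are constructed sample input.

```python
"""
Self-check for the website issues the article says the Eagle Eye Crawler looks for:
non-essential cookies set before consent, a missing privacy policy link, and no
visible data subject request (DSR) channel. Added example, not the PDPC's tool.
"""
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Assumption: names matching these patterns are analytics/advertising cookies that
# need prior consent; session, CSRF and consent-record cookies are strictly necessary.
NON_ESSENTIAL_PATTERNS = [r"^_ga", r"^_gid", r"^_fbp", r"^_gcl", r"^ajs_", r"^_hj"]
ESSENTIAL_PATTERNS = [r"session", r"csrf", r"xsrf", r"consent"]


class LinkTextParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_cookie(name):
    """Return 'essential', 'non-essential' or 'unknown' based on the name heuristics."""
    lname = name.lower()
    if any(re.search(p, lname) for p in ESSENTIAL_PATTERNS):
        return "essential"
    if any(re.search(p, lname) for p in NON_ESSENTIAL_PATTERNS):
        return "non-essential"
    return "unknown"


def audit_landing_page(set_cookie_headers, html, consent_given=False):
    """Return a list of findings for one response. With consent_given=False the
    response is treated as the first visit, where only essential cookies may be set."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Path=/; ..." into Morsels
        for name in jar:
            kind = classify_cookie(name)
            if kind != "essential" and not consent_given:
                findings.append(f"cookie '{name}' ({kind}) set before consent")

    parser = LinkTextParser()
    parser.feed(html)
    has_policy = any("privacy" in (href + text).lower() for href, text in parser.links)
    if not has_policy:
        findings.append("no privacy policy link found")
    # A DSR channel here means a mailto: link or a link whose text or target mentions a request/DSR.
    has_dsr = any(
        href.lower().startswith("mailto:") or "request" in text.lower() or "dsr" in (href + text).lower()
        for href, text in parser.links
    )
    if not has_dsr:
        findings.append("no data subject request channel found")
    return findings


# Constructed sample: a first response that sets a session cookie plus two tracking
# cookies, and a page that links a privacy policy but offers no DSR contact.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.555; Path=/; Max-Age=63072000",
    "_fbp=fb.1.1; Path=/",
]
SAMPLE_HTML = (
    '<html><body><a href="/about">About</a>'
    '<a href="/privacy-policy">Privacy Policy</a></body></html>'
)

if __name__ == "__main__":
    for finding in audit_landing_page(SAMPLE_SET_COOKIE, SAMPLE_HTML):
        print("FINDING:", finding)
```

In a real run you would feed the function the `Set-Cookie` headers of the first response (for example `resp.headers.get_all("Set-Cookie")` from `urllib.request`) fetched with a fresh, cookie-free client, since that is the state an external crawler sees. The name-based classification is only a first pass; the authoritative answer is your own cookie inventory, which is also what you need for the consent banner's category list.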

AI Governance — New Rules on the Horizon

One of the most important developments in 2026 is the personal data protection guideline for AI currently being drafted by the PDPC. The key areas expected to be covered include:

Organizations Using AI Are Considered Data Controllers

If an organization uses AI to process personal data — whether for customer analytics, resume screening, credit scoring, or chatbots that collect user information — it must fully comply with PDPA in its capacity as a Data Controller.

Data Protection Impact Assessments (DPIAs) Will Be Required

Under the draft guideline, the use of AI with personal data, especially for automated decision-making, is expected to be classified as high-risk processing, which means a DPIA must be completed before the system is deployed.

Explainability Is Not Optional

Data subjects have the right to know the basis on which AI systems make decisions. For AI systems that materially affect individuals (such as loan rejection or failed candidate screening), organizations must be able to explain the reasoning behind the outcome.

Cross-Border Data Transfers Are Facing Tighter Scrutiny

Another area requiring close attention is cross-border data transfer, where the PDPC is becoming more stringent:

  • A Transfer Impact Assessment (TIA) must be completed before transferring data overseas
  • The destination country must provide an adequate standard of data protection
  • If using international cloud services (AWS, GCP, Azure), organizations must ensure there are Standard Contractual Clauses (SCCs) or other appropriate safeguards in place

For organizations using AI APIs from overseas providers (such as OpenAI or Anthropic), this requires urgent review: whenever prompts, documents, or other inputs sent to the API contain personal data, that call is itself a cross-border data transfer and needs the same safeguards as any other.

Trustmark — A New Standard Organizations Should Prepare For

The PDPC is developing a PDPA Trustmark, a certification for organizations that fully comply with PDPA. While not yet mandatory, it is likely to become a competitive advantage for organizations operating in B2B markets or working with the public sector.

5 Things to Do Before the End of 2026

  1. Review cookie consent and privacy policies — ensure the Eagle Eye Crawler will not flag your website
  2. Establish a DSR process — responses must be provided within 30 days, with a clear workflow in place
  3. Conduct DPIAs for AI systems — for every automated system that processes personal data
  4. Review cross-border data flows — know where data is going and what safeguards are in place
  5. Appoint a DPO (if you have not already) — a Data Protection Officer to oversee ongoing compliance

How Enersys Supports PDPA Compliance

Enersys’s PrivacyHub covers consent management, DSR automation, DPIA templates, data mapping, and breach notification — specifically designed for Thai organizations, supporting both PDPA compliance and readiness for the upcoming AI governance guidelines.

For organizations already using AI or planning to start, Enersys helps conduct a gap analysis between current AI usage and PDPA requirements, then builds a roadmap for compliance before the new rules take effect.


References:

  • Tilleke & Gibbins: Thailand's Data Privacy Day 2026
  • PIM Legal: PDPA Enforcement 2026
  • Hogan Lovells: Thailand Ramps Up Enforcement
  • Security Scientist: PDPA Compliance 2026
