PDPA Compliance Checklist for Thai Businesses (2026)

Thailand’s Personal Data Protection Act (PDPA) has been in force since 2022, and enforcement is now routine. Non-compliance can lead to administrative fines and, in some cases, criminal and civil liability. Yet many Thai businesses still treat PDPA as a one-time legal document rather than an ongoing technical discipline. This checklist focuses on the IT side — the controls that auditors and regulators actually look for.

Know what personal data you hold

You cannot protect data you have not mapped. Start with a data inventory: what personal data you collect, where it lives (servers, SaaS tools, spreadsheets, backups), who can access it, and how long you keep it. For most companies this single step surfaces forgotten databases and over-broad access that represent the bulk of their risk.

Lawful basis and consent

Every processing activity needs a lawful basis. Where you rely on consent, it must be freely given, specific, and recorded — a pre-ticked box is not consent under the PDPA. Build consent capture and withdrawal into your forms and CRM so you can prove it later.

Technical and organisational safeguards

The PDPA requires "appropriate security measures." In practice that means access controls and least-privilege permissions, encryption of data in transit and at rest, logging and monitoring, tested backups, and a documented incident-response plan. Pairing PDPA with an ISO 27001-style framework makes these measures defensible and repeatable.

A 72-hour breach-notification expectation means you need detection and a response runbook before an incident, not after. If you cannot currently tell whether data has been accessed improperly, that is the first gap to close.

Where most companies fall short

The common failures are not exotic: shared admin accounts, no audit logs, unencrypted backups, third-party vendors with unmanaged access, and no way to honour data-subject requests within statutory timeframes. Each is fixable with standard IT controls.