Our experts bring over 10 years of real-life EU GDPR experience with unique insights from European supervisory authorities. We provide actionable PDPA legal advice for SMEs and large corporations toward regulator-proof and risk-driven PDPA compliance. In addition, we focus on real assurance to increase your customer trust, and we push for data protection by design to save operational and development costs in the mid and long term.
Our services are based on proven international approaches that enable informed decision making:
PDPA Gap Assessment
The objective is to determine the current vs. target state of compliance based on risks to the rights and freedoms of data subjects while taking into account the size of the organization and the maturity of your capabilities.
We provide different options depending on the size of your organization.
For a PDPA Health Check, we conduct a swift document review, complemented by a half-day workshop. This process results in a concise one-pager fast action report to achieve the minimum compliance required.
In the case of a PDPA Quick Scan, we initiate by defining the scope, encompassing business processes, personal data processing methods, and locations. Following this, we document request lists and questionnaires spanning business, IT, and legal aspects. Subsequently, we organize and conduct three half-day workshops. Finally, we compile a High-Level Quick Scan Report that includes recommended quick wins.
Our in-depth PDPA gap assessment is designed for corporate entities involved in multi-jurisdiction activities and cross-border data transfers. This comprehensive service involves creating a data protection control matrix that covers both explicit and implied legal obligations along with best practices. We also establish an interview list, schedule and document workshops, and perform a meticulous risk assessment, weighing the risks of non-compliance against the risks to the rights and freedoms of data subjects. Based on this assessment, we develop mitigation measures, identify work packages, and integrate actionable steps into a roadmap and implementation plan.
The objective is to close all gaps with a focus on designing and operationalizing data protection controls and measures in a cost-effective way by ensuring data protection by design. Depending on the size of the organization, we offer two proven approaches.
Quick Wins implementation
Prepare a list of systems, apps, and shares, document processing activities, conduct threshold assessment, draft privacy and data retention policies, compile an inventory of personal data collection points with privacy notices, update contract templates and legal language, and perform lawful basis assessment for key processing activities.
Design and operationalize
We establish data flows for crucial activities, perform DPIAs for qualified processing activities, review and create contracts as needed.
We design privacy capabilities encompassing policies such as classification, governance, awareness, third-party risk management, DSAR, breach management, monitoring, and control.
To operationalize these privacy capabilities, we draft processes and procedures for various aspects including DPIA, project development, service provider outsourcing, marketing communications, event organization, and data retention. Finally, we conduct legitimate interest and balancing test assessments.
Data Protection Officer (DPO) as a service
Our service aims to ensure compliance, report to management, and facilitate communication with Supervisory Authorities. We provide guidance on privacy legislation and regulations, including PDPC, PDPA, EDPB, and Article 29 WP guidance, while considering relevant Thai regulations.
We assist in drafting and updating policies, procedures, standards, notices, records of processing, and data flows. Our support includes completing threshold assessments and Data Protection Impact Assessments (DPIAs).
We serve as the contact point for PDPC, authorities, employees, and service providers. We help operationalize data protection processes such as handling data subject requests, personal data breach notifications, and consent management. We conduct on-site compliance monitoring, establish an internal audit function, and prepare for external audits. Lastly, we facilitate boardroom communication and reporting.
PDPA tooling advisory
A car’s performance relies on the driver’s skill. Similarly, we pinpoint resource-intensive operational activities that might face compliance risks and recommend automating data protection processes to enhance efficiency and reduce operational costs. We evaluate the organization’s readiness to implement data protection capabilities using automation tools, focusing on high-priority areas. We outline high-level functional and technical requirements for assessing available market solutions.
We analyze market solutions against predefined selection criteria, highlighting their pros and cons. We visually compare common requirements and differences between solutions. We offer strategies to customize available tools, along with cost estimates and work breakdown structures. We propose management actions and practical recommendations, summarizing the survey’s findings. During tooling implementation projects with vendors or software integrators, we manage PMO activities.
Data Protection Training and Awareness
We offer customized training tailored to specific departmental use cases, focusing on change management to mitigate the impact of high-risk activities. Our instructors, certified in CIPP/E and CIPT, bring expertise in information security, law, audit, assurance, and cross-cultural communication. Authorized by the International Association of Privacy Professionals (IAPP), our instructors teach multi-day curricula for Certified Information Privacy Professional certifications. We develop tailored training for diverse audiences, including Data Protection Officers, Auditors, Legal Compliance Officers, Information Security Managers, IT, HR, and more. Our approach includes creating communication plans, identifying stakeholders, assessing impacts, and determining training requirements for users. We design, build, and implement customized training and awareness materials covering privacy policies, retention schedules, and incident response processes for teams handling individual rights, DPIA, and development lifecycle procedures. Typical training modules encompass data protection laws, security of processing, accountability, supervision, international data transfers, compliance, and more.
To hire an expert PDPA lawyer, please contact Frank Legal & Tax by telephone at +66 (0)2 026 3284 or by email at [email protected]. We look forward to hearing from you.