Data Protection & Privacy

Our experts bring over 10 years of real-life EU GDPR experience with unique insights from European supervisory authorities. We provide actionable PDPA legal advice for SMEs and large corporations toward regulator-proof and risk-driven PDPA Compliance. In addition, we focus on real assurance to increase your customer trust and we push for data protection by design to save operational and development costs mid-and long term.

Our services are based on proven international approaches that enable informed decision making:

PDPA Gap Assessment

The objective is to determine the current vs. target state of compliance based on risks to the rights and freedoms of data subjects while taking into account the size of the organization and the maturity of your capabilities.

We provide different options depending on the size of your organization.

  • PDPA Health Check: we perform a quick document review, supported by a half-day workshop and a one-pager fast action report to reach bare-minimum compliance.
  • PDPA Quick Scan: we establish the scope (business processes, personal data processed, how, and where). Then, we document the request list and questionnaire (business, IT, and legal), after which we conduct 3 half-day workshops. Lastly, we draft a High-Level Quick Scan Report containing recommended quick wins.
  • In-depth PDPA gap assessment for corporate entities engaged in multi-jurisdiction activities and cross-border data transfers. We create a data protection control matrix including explicit/implied legal obligations + best practices. Then, we create an interview list, schedule workshops, and write all minutes of meetings. Next, we conduct a risk assessment (risks of non-compliance vs risk to rights and freedoms of data subjects) and mitigation measures. Taking all of this into account, we identify work packages and integrate actionable steps into a roadmap and implementation plan.

PDPA Implementation

The objective is to close all gaps with a focus on designing and operationalizing data protection controls and measures in a cost-effective way by ensuring data protection by design. Depending on the size of the organization, we offer two proven approaches.

Quick Wins implementation:

  • Draft a list of systems, apps, and shares; draft the record of processing operations; perform the threshold assessment; draft the privacy policy and data retention policy; create an inventory of all points where personal data is collected, together with privacy notices; map templates of the types of contracts and update legal language and clauses; and lastly perform the lawful basis assessment for key processing activities.

Design and operationalize:

  • We create data flows for key activities based on the records, conduct DPIAs for processing activities that passed the threshold assessment, review key contracts, and draft missing contracts.
  • Design privacy capabilities (policies): classification policy, governance, privacy awareness/training, third party risk management, DSAR, personal data breach management, monitoring and control, etc.
  • Operationalize privacy capabilities: draft processes and procedures (DPIA, project development privacy, service provider outsourcing privacy, marketing communications privacy, event organizer privacy, retention, etc.). Lastly, we perform the legitimate interest and balancing test assessment.

Data Protection Officer (DPO) as a service

  • The objective of this service is to monitor compliance at your organization, report to Management, and support interaction with Supervisory Authorities.
  • We inform and advise on privacy legislation/guidelines. This includes PDPC guidance, PDPA, EDPB, and Article 29 WP guidance. This also includes taking into account applicable requirements from other Thai regulations.
  • We advise and support the drafting and the updating of policies, procedures, standards, notices, records of processing, data flows, etc.
  • We also support the completion of threshold assessment and Data Protection Impact Assessment (DPIA).
  • We cooperate and act as the contact point for the Office of the PDPC, authorities, employees, service providers, etc.
  • We support the operationalization of the processes related to data protection (data subject requests, personal data breach notification, consent management, etc.).
  • We monitor compliance on site. We set up an internal audit function, prepare for any external audits, conduct audits on the controller and/or processors, reply to information requests from the regulator, etc.
  • Lastly, we support boardroom communication and reporting.

PDPA tooling advisory

  • A car is as good as its driver. We identify the resource-intensive operational activities that may be at risk of non-compliance and advise towards automating data protection capabilities thereby increasing efficiency and decreasing operational cost.
  • We assess for which data protection capabilities the organization has the right maturity to implement tooling, and identify the high-priority capabilities to be enabled by tooling.
  • We identify high-level functional and technical requirements for comparing the solutions available on the market.
  • We analyze data available on market solutions against selection criteria.
  • We assess available candidate market solutions by detailing the advantages and disadvantages.
  • We visually compare common areas of requirements covered as well as deltas or gaps.
  • We provide strategies and suggestions on how to customize available tools including high-level cost estimates and effort work breakdown structure.
  • We identify appropriate management actions and practical recommendations, and draw up the conclusions of the survey.
  • We conduct the PMO activities during tooling implementation projects with vendors or software integrators.

Data Protection Training and Awareness

  • We offer training customized to specific use cases per department, with a focus on managing change toward decreasing the possible impact of high-risk activities.
  • Our instructors are CIPP/E and CIPT certified and have a background in information security, law, audit, assurance, and cross-cultural communication.
  • Our instructors are authorized by the International Association of Privacy Professionals (IAPP) to teach various multi-day curricula to prepare participants for the Certified Information Privacy Professional certifications.
  • We create customized training for the different target audiences with different backgrounds and roles: Data Protection Officers, Auditors, Legal Compliance Officers, Information Security Managers, IT, HR, etc.
  • We create communications plans, identify stakeholders and impacts, and identify training needs for users.
  • We design, build, and implement customized training and awareness material related to all privacy policies and procedures, retention schedules, and incident response processes, for the teams responsible for individual rights, DPIAs, and development lifecycle procedures.
  • Typical training modules include data protection laws, security of processing, accountability, supervision and enforcement, international data transfers, compliance, etc.

If you have any questions regarding the PDPA, feel free to contact us at [email protected] or +66 2 117 9131.