25 February
If you were asked "Which department in your organization holds the most personal data?" — what would you answer? IT? HR? Management?
The answer might surprise you: it's the accounting department.
National ID numbers, bank account details, salaries, vendor tax IDs, customer purchase histories, director signatures: all of this sits in the hands of the finance team. And under Thailand's Personal Data Protection Act (PDPA), mishandling any of it can lead to criminal penalties, including imprisonment, and administrative fines of up to 5 million baht.
Yet in many organizations, the accounting team remains the last department to receive PDPA compliance training. This article explains why that needs to change — immediately.
What Is PDPA? A Quick Summary
The Personal Data Protection Act B.E. 2562 (2019), commonly known as PDPA, is Thailand's comprehensive data privacy law. After several postponements, it was fully enforced on 1 June 2022.
The PDPA protects personally identifiable information (PII) — any data that can directly or indirectly identify a living individual. This includes names, ID numbers, addresses, phone numbers, email addresses, financial data, biometric data, and more.
The law establishes three categories of penalties:
- Civil liability — compensation for actual damages, plus punitive damages up to twice the actual amount
- Criminal penalties — up to 1 year imprisonment and/or fines up to 1 million baht for unauthorized disclosure of sensitive data
- Administrative fines — up to 5 million baht imposed by the Personal Data Protection Committee
These penalties do not stop at the company. When the offender is a juristic person, the directors, managers or other responsible persons whose instructions or failure to act caused the violation can be punished as well. An accountant who leaks salary data via an unencrypted email exposes the organization to all three categories of penalty, and the people responsible for that failure to personal liability, not just a company-level fine.
Personal Data Held by the Accounting Department
To understand why accounting is at the center of PDPA risk, consider the sheer volume and sensitivity of data flowing through the finance team every single day:
| Data Type | Examples | Sensitivity Level |
|---|---|---|
| Employee data | National ID number, salary, bank account, tax withholding, social security | Very High |
| Vendor data | Tax ID, contact name, address, bank account for payments | High |
| Customer data | Name, address, tax ID, purchase history, payment records | High |
| Director/signatory data | ID card copies, specimen signatures, authorization documents | Very High |
Notice that every single row contains data classified as "High" or "Very High" sensitivity. No other department — not even HR — handles this breadth and depth of personal data on a daily basis. Payroll alone touches national IDs, bank accounts, salary figures, and tax information for every employee in the organization.
5 PDPA Risks Accounting Teams Often Overlook
Most accounting professionals understand general data security. But PDPA compliance goes far beyond "don't lose the files." Here are five risks that are alarmingly common — yet rarely addressed:
1. Sending Payslips via LINE or Unencrypted Email
This is perhaps the most widespread violation. Sending a PDF payslip through LINE or ordinary email pushes the data outside the organization's control: it is retained on a third party's servers with no data processing agreement in place, it can be forwarded or screenshotted with no trace, and email is routinely delivered and stored without end-to-end protection. Under PDPA, the organization must ensure appropriate security measures for personal data transmission. A LINE chat is not an appropriate security measure.
2. Storing Vendor ID Copies in Paper Files with No Access Control
Many accounting departments still keep photocopies of vendor ID cards, tax registration certificates, and bank book pages in physical filing cabinets. If anyone in the office can open that cabinet, there is no access control and no record of who looked at what, which falls short of PDPA's requirement for organizational security measures. An ID card copy together with a bank book page is enough information for identity theft or payment fraud.
3. Sharing Excel Files Containing Employee Data
Passing around Excel spreadsheets with employee salaries, bank accounts, or ID numbers — via email, shared drives, or USB — creates uncontrolled copies of personal data with no audit trail and no way to ensure deletion. Once that file is forwarded, you have lost control of the data permanently. For more on this risk, see our article on why sharing Excel files creates data leaks you don't see coming.
4. No Data Retention Policy for Expired Records
PDPA requires organizations to retain personal data only as long as necessary for the stated purpose. Yet many accounting departments keep employee records, vendor files, and customer data indefinitely — "just in case." Without a clear Data Retention Policy specifying when records must be deleted or anonymized, the organization is technically in violation from the moment the retention purpose expires.
5. All Accounting Staff Can Access All Salary Levels
In many organizations, every member of the accounting team can view the salary of every employee, from entry-level staff to the CEO. This breaks the need-to-know principle (least privilege) that PDPA's security-measure obligations call for: personal data should only be accessible to those who genuinely need it for their specific job function. A junior accounts payable clerk processing vendor invoices has no legitimate need to see executive compensation data.
What PDPA Requires from Accounting Departments
PDPA is not merely a suggestion — it imposes specific legal obligations on anyone who collects, uses, or stores personal data. For accounting teams, this translates into concrete requirements:
- Lawful basis: For most accounting data, consent is the wrong tool. Payroll and vendor payments rest on contractual necessity; tax withholding and statutory bookkeeping rest on legal obligation. Document which basis applies to each data type, and ask for explicit consent only where no other basis fits, because consent can be withdrawn while a legal duty to keep a record cannot
- Privacy Notice: Clearly inform data subjects about what data you collect, why you collect it, how long you keep it, and who has access
- Access Control: Implement role-based restrictions so that only authorized personnel can view specific categories of data — read our guide on data security in ERP systems for practical approaches
- Data Retention: Define clear retention periods for each data category and establish procedures for secure deletion when data is no longer needed
- Security Measures: Deploy both technical safeguards (encryption, two-factor authentication, secure transmission) and organizational safeguards (policies, training, incident response plans)
- Data Subject Rights: Establish processes for individuals to exercise their rights — including the right to access, correct, delete, and port their personal data
The key insight is that PDPA compliance is not a one-time project. It requires ongoing processes, regular audits, and continuous staff training — particularly for the department handling the most sensitive data.
Accounting is the true Data Controller of any organization — holding the most sensitive data, yet often the last department trained on PDPA compliance.
- From our experience implementing data governance across Thai organizations
How an ERP System Helps with PDPA Compliance
Many of the PDPA risks described above stem from a common root cause: data is scattered across multiple systems, files, and physical locations with no centralized control. This is exactly the problem that a properly configured ERP system solves.
| PDPA Requirement | How ERP Addresses It |
|---|---|
| Access Control | Role-Based Access Control (RBAC) — each user sees only the data relevant to their role. A payroll officer sees payroll; an AP clerk sees vendor invoices — not salary data. |
| Audit Trail | Full audit logging — every data access, modification, and deletion is recorded with timestamps and user IDs. If a breach occurs, you know exactly who accessed what and when. |
| Security Measures | Data encryption at rest and in transit, plus authentication controls including two-factor authentication. See our article on ERP data security for details. |
| Data Retention | Automated retention management — configure retention periods by data category, with system-enforced archival and deletion when periods expire. |
| Centralized Data | Single database — no more scattered Excel files, paper copies, or USB drives. All personal data lives in one controlled environment with consistent security policies. |
A centralized ERP system like Saeree ERP consolidates financial data into a single, controlled environment where access permissions, audit trails, and retention policies can be managed systematically. Instead of relying on individual staff members to "remember" not to share files, the system itself enforces compliance. For a deeper look at how ERP supports accounting operations, see our article on ERP accounting modules.
PDPA is not just IT's responsibility — the accounting team holding the most personal data must understand and comply too. Organizations that treat PDPA as purely an IT issue are missing their biggest vulnerability: the finance department's daily handling of sensitive personal information without adequate controls.
Practical Steps to Get Started
If your accounting team has not yet addressed PDPA compliance, here is a practical starting point:
- Conduct a data inventory — map every type of personal data your accounting department collects, stores, and processes. You may be surprised by how much there is.
- Identify your lawful bases — for each data type, document whether you rely on consent, contractual necessity, legal obligation, or legitimate interest.
- Implement access controls immediately — at minimum, restrict salary data access to payroll staff only. This single change addresses one of the most common violations.
- Stop sending sensitive data via LINE or unencrypted email — switch to secure channels or an ERP self-service portal where employees can view their own payslips.
- Define retention periods — work with your legal team to establish how long each data category must be kept, and create procedures for secure disposal.
- Train your team — PDPA compliance requires awareness. Every accounting staff member should understand what personal data they handle and what their obligations are.
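The controls in the ERP table above (role-based access, audit trail, retention enforcement) and steps 3 and 5 of this list, as an added example that is not Saeree ERP's code or any product's code: a small in-memory accounting data layer in Python. It enforces a column-level policy (the payroll officer sees salary, the AP clerk sees vendor records and only employee names), writes every allowed and denied read to an append-only audit log, and anonymises the PII in rows whose retention period has run out while keeping the row for the ledger. The policy, the retention periods, the table layout and the sample rows are all assumptions constructed for the example.

```python
"""Added example (not Saeree ERP or any product's code): a toy accounting data
layer showing three controls in working form: column-level role-based access,
an append-only audit trail, and retention enforcement. Tables, policy,
retention periods and rows are all constructed for the example."""
import sqlite3
from datetime import date, datetime, timedelta, timezone

# Hypothetical policy: role -> table -> columns that role may read.
# Anything not listed is denied, so a new column is private until someone grants it.
ACCESS_POLICY = {
    "payroll_officer": {
        "employees": {"emp_id", "name", "national_id", "bank_account", "salary"},
    },
    "ap_clerk": {
        "vendors": {"vendor_id", "name", "tax_id", "bank_account"},
        "employees": {"emp_id", "name"},  # enough to name an invoice approver, no salary
    },
}
# Hypothetical retention periods in days, counted from the date the relationship ended.
RETENTION_DAYS = {"employees": 365 * 10, "vendors": 365 * 5}
END_DATE_COLUMN = {"employees": "left_on", "vendors": "last_paid_on"}
KEY_COLUMN = {"employees": "emp_id", "vendors": "vendor_id"}
PII_COLUMNS = {"employees": ("national_id", "bank_account", "salary"),
               "vendors": ("tax_id", "bank_account")}


def init_db():
    """In-memory SQLite with constructed sample rows (IDs and account numbers are fake)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, national_id TEXT,
                                bank_account TEXT, salary INTEGER, left_on TEXT);
        CREATE TABLE vendors   (vendor_id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT,
                                bank_account TEXT, last_paid_on TEXT);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, at TEXT, actor TEXT, role TEXT,
                                action TEXT, target TEXT, outcome TEXT);
    """)
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?,?)", [
        (1, "Somchai", "1-0000-00000-01-1", "000-0-00001-1", 45000, None),
        (2, "Nida",    "1-0000-00000-02-2", "000-0-00002-2", 180000, "2010-03-31"),
    ])
    conn.executemany("INSERT INTO vendors VALUES (?,?,?,?,?)", [
        (10, "Siam Supplies", "0000000000001", "000-0-00010-1", "2024-11-02"),
    ])
    return conn


def _audit(conn, actor, role, action, target, outcome):
    """Every access decision is recorded, denials included, so a breach review sees both sides."""
    conn.execute("INSERT INTO audit_log (at, actor, role, action, target, outcome) VALUES (?,?,?,?,?,?)",
                 (datetime.now(timezone.utc).isoformat(), actor, role, action, target, outcome))


def read(conn, actor, role, table, columns):
    """Return rows of `columns` from `table` only if the policy allows every requested column."""
    allowed = ACCESS_POLICY.get(role, {}).get(table, set())
    denied = set(columns) - allowed
    target = f"{table}({','.join(columns)})"
    if denied:
        _audit(conn, actor, role, "read", target, "denied")
        raise PermissionError(f"{role} may not read {sorted(denied)} from {table}")
    _audit(conn, actor, role, "read", target, "allowed")
    # The identifiers below come from the whitelist just checked, so interpolating them is safe.
    rows = conn.execute(f"SELECT {', '.join(columns)} FROM {table} ORDER BY rowid")
    return [dict(r) for r in rows]


def purge_expired(conn, actor, table, today_iso):
    """Anonymise PII in rows whose retention period has run out; the row stays for the ledger."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=RETENTION_DAYS[table])).isoformat()
    key, end_col = KEY_COLUMN[table], END_DATE_COLUMN[table]
    ids = [r[0] for r in conn.execute(
        f"SELECT {key} FROM {table} WHERE {end_col} IS NOT NULL AND {end_col} < ? ORDER BY {key}",
        (cutoff,))]
    null_out = ", ".join(f"{c} = NULL" for c in PII_COLUMNS[table])
    for i in ids:
        conn.execute(f"UPDATE {table} SET {null_out} WHERE {key} = ?", (i,))
        _audit(conn, actor, "system", "anonymise", f"{table}#{i}", "done")
    conn.commit()
    return ids


def audit_entries(conn):
    """The audit log in insertion order; nothing in this module ever updates or deletes it."""
    return [dict(r) for r in conn.execute("SELECT * FROM audit_log ORDER BY id")]


if __name__ == "__main__":
    db = init_db()
    print(read(db, "payroll1", "payroll_officer", "employees", ["name", "salary"]))
    try:
        read(db, "ap1", "ap_clerk", "employees", ["name", "salary"])
    except PermissionError as e:
        print("denied:", e)
    print("anonymised:", purge_expired(db, "nightly", "employees", "2024-12-01"))
    for entry in audit_entries(db):
        print(entry)
```

The two design choices worth copying into a real system are that the policy is a whitelist (a column nobody has granted is invisible to everyone, including new roles) and that denied reads are logged with the same detail as allowed ones, since repeated denials from one account are often the first sign of someone probing for salary data. Anonymising rather than deleting keeps the accounting entries intact for statutory bookkeeping while removing the personal data that PDPA's retention rule is about.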
Summary
The accounting department is, by the nature of its work, the largest repository of personal data in most organizations. National ID numbers, bank accounts, salaries, vendor information, customer records — all flow through finance daily. Under Thailand's PDPA, this makes accounting the highest-risk department for data protection violations.
The penalties are severe: up to 1 year imprisonment and administrative fines of up to 5 million baht. But beyond penalties, a data breach in the accounting department can destroy employee trust, damage vendor relationships, and create lasting reputational harm.
The solution is not complicated, but it requires deliberate action: map your data, control access, encrypt transmissions, define retention policies, and train your staff. And if your organization is still managing financial data through scattered spreadsheets and paper files, it may be time to consider a centralized ERP system that enforces compliance by design.
If your organization needs guidance on PDPA compliance for accounting operations, or if you want to see how an ERP system can help centralize and protect sensitive data, contact our team at Grand Linux Solution for a free consultation.
References
- Royal Thai Government Gazette. "Personal Data Protection Act B.E. 2562." https://www.ratchakitcha.soc.go.th
- Ministry of Digital Economy and Society. "PDPA." https://www.mdes.go.th
