25 February
If you ask which department in an organization holds the most personal data, many people would think of IT or HR. But the correct answer is "the Accounting Department."
National ID numbers, bank account numbers, employee salaries, vendor data, customer data, tax identification numbers, photocopies of directors' ID cards — all of this is in the hands of the accounting department.
Yet many organizations still do not realize that PDPA (the Personal Data Protection Act) directly impacts accounting operations — and failure to comply can result in both imprisonment and fines.
What Is PDPA? — A Brief Summary for Accounting Professionals
PDPA stands for Personal Data Protection Act — Thailand's data protection law enacted in 2019, fully enforced since June 1, 2022. This law protects "personal data" — any information that can identify an individual, whether directly or indirectly.
What many people do not realize is that PDPA carries severe penalties:
- Civil penalties — Compensation for actual damages, and the court may order punitive damages up to double the amount
- Criminal penalties — Imprisonment of up to 1 year and/or fines of up to 1 million baht
- Administrative penalties — Fines of up to 5 million baht
This means that if an organization mishandles personal data — whether intentionally or negligently — both the organization and the responsible individuals may face legal prosecution.
Personal Data Held by the Accounting Department — More Sensitive Than You Think
Let us examine what data the accounting department holds and the sensitivity level of each type:
| Data Type | Examples | Sensitivity Level |
|---|---|---|
| Employee Data | National ID number, salary, bank account, social security | Very High |
| Vendor/Supplier Data | Tax ID number, full name, address, bank account | High |
| Customer Data | Full name, address, tax number, purchase history, payment information | High |
| Director/Authorized Signatory Data | ID card copies, signatures, personal addresses | Very High |
As you can see, this data is far from ordinary information — if leaked, it can cause severe damage ranging from document forgery and identity theft to legal lawsuits.
5 PDPA Risks That Accounting Departments Often Overlook
From our experience working with numerous organizations — both government agencies and private companies — these risks appear repeatedly:
1. Sending Payslips via LINE/Email Without Encryption
Many organizations still send payslips through LINE chat or email without password protection. Payslips contain national ID numbers, bank account numbers, and salary amounts — even a single leak constitutes a PDPA violation. This is directly related to data security in ERP systems.
2. Storing ID Card Copies in Paper Files — Without Access Management
ID card copies of vendors, employees, and directors are stored in filing cabinets accessible to anyone. There are no records of who accessed them or when, no locking system, and no redaction of sensitive details — this is the most dangerous PDPA vulnerability.
3. Sharing Employee Data Excel Files Back and Forth
Shared Excel files passed between departments often contain salary data, national ID numbers, and bank account numbers — without encryption, without password protection, and without records of who viewed, copied, or forwarded them. If a file leaks, there is no way to trace where it originated from.
4. No Policy for Deleting Data When No Longer Needed (Data Retention Policy)
PDPA stipulates that when data is no longer needed, it must be deleted or destroyed. In practice, however, most accounting departments retain documents indefinitely — ID card copies of vendors who have not done business with the company for 5 years still sit in filing cabinets. This is an unnecessary risk.
5. Allowing All Accounting Staff to Access Salary Data at Every Level — No Access Control
In many organizations, every accounting employee can view the salary of every person in the company — from daily workers to senior executives. Unnecessary data access (Excessive Access) is also considered a risk under PDPA. This can be prevented with two-factor authentication (2FA) and proper access permission settings.
What Does PDPA Require That Affects the Accounting Department?
PDPA does not specifically mention accounting departments, but every principle in the law directly impacts accounting operations:
- Consent is required — Before collecting personal data from employees, vendors, or customers, explicit consent must be obtained — except when the law mandates data retention (e.g., the Revenue Department requires retention of tax documents).
- Purpose must be disclosed (Privacy Notice) — Data subjects must be informed about what their data is used for, how long it will be retained, and who can access it.
- Access must be restricted (Access Control) — Not everyone in accounting needs to see everything. Access must be limited based on job duties and necessity.
- Retention periods must be defined (Data Retention) — A clear data retention period must be established, and data must be deleted when that period expires.
- Security measures must be in place — Appropriate security measures must be implemented, both physical (locked cabinets) and technical (encryption, security systems).
- Data subjects have the right to view, correct, and delete (Data Subject Rights) — Employees, vendors, and customers have the right to access their own data, request corrections, or request deletion. The accounting department must be able to respond to these requests.
The accounting department is the true Data Controller of an organization — holding the most sensitive data, yet often being the last department to receive PDPA training.
How ERP Helps Manage PDPA Compliance
Many of the problems above are not caused by "people" but by "systems" that do not support compliance. If you still rely on Excel, paper files, and LINE chat as your primary tools — PDPA compliance will be extremely difficult.
A well-designed ERP system directly addresses these problems:
| ERP Feature | How It Helps with PDPA |
|---|---|
| Access Control / Role-Based Permission | Restricts data access based on role and responsibilities — accounts payable staff see only vendor data, not employee salaries. |
| Audit Trail | Records who accessed what data, when, and what was modified — enabling traceback investigation if a data breach occurs. |
| Data Encryption | Encrypts sensitive data such as national ID numbers and bank account numbers — even if the database is breached, the data remains unreadable. |
| Data Retention Management | Automatically deletes data when retention periods expire — no need to remember, no risk of forgetting. |
| Centralized Data | Data is stored in a single centralized database rather than scattered across multiple Excel files — it can be controlled, audited, and deleted immediately. |
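To make the three controls in the table above concrete, here is an added Python model (constructed for this article; it is not Saeree ERP code or any vendor's implementation). It shows deny-by-default role-based field permissions, an audit trail entry written on every read (allowed or denied) and every deletion, and a retention job that purges records whose last business activity is older than the configured period. The role names, field names, retention periods and sample records are assumptions made for the example; the 5-year vendor figure mirrors the one quoted earlier in the article. Encryption at rest is not modelled.

```python
"""Toy model of role-based access, audit trail and retention in an accounting ledger.

Constructed example: roles, fields, retention periods and records are all assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Which fields of which record type each role may read. Anything not listed is denied,
# so accounts-payable staff can see vendor bank accounts but never employee salaries.
PERMISSIONS = {
    "accounts_payable": {"vendor": {"name", "tax_id", "bank_account"}},
    "payroll": {"employee": {"name", "national_id", "salary", "bank_account"}},
    "ap_clerk": {"vendor": {"name"}},
}

# Retention period per record type, counted from the last business activity (assumed).
RETENTION_DAYS = {"vendor": 5 * 365, "employee": 10 * 365}


@dataclass
class Record:
    kind: str            # "vendor" or "employee"
    rec_id: str
    fields: dict         # personal data held for this record
    last_activity: date  # drives the retention clock


@dataclass
class Ledger:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, rec: Record) -> None:
        self.records[(rec.kind, rec.rec_id)] = rec

    def _log(self, **entry) -> None:
        # Every access attempt and every deletion is recorded, including denials.
        self.audit_log.append(entry)

    def read(self, actor: str, role: str, kind: str, rec_id: str, wanted, today: date) -> dict:
        """Return only the requested fields, and only if the role may see all of them."""
        allowed = PERMISSIONS.get(role, {}).get(kind, set())
        denied = set(wanted) - allowed
        self._log(when=today, actor=actor, role=role, action="read", kind=kind,
                  rec_id=rec_id, fields=sorted(wanted), outcome="denied" if denied else "ok")
        if denied:
            raise PermissionError(f"{role} may not read {sorted(denied)} on {kind} records")
        rec = self.records[(kind, rec_id)]
        return {f: rec.fields[f] for f in wanted}

    def purge_expired(self, today: date) -> list:
        """Delete records past their retention period; returns the keys removed."""
        purged = []
        for key, rec in list(self.records.items()):
            if today - rec.last_activity > timedelta(days=RETENTION_DAYS[rec.kind]):
                del self.records[key]
                purged.append(key)
                self._log(when=today, actor="system", role="retention-job", action="delete",
                          kind=rec.kind, rec_id=rec.rec_id, fields=[], outcome="ok")
        return purged


def trace_access(ledger: Ledger, kind: str, rec_id: str) -> list:
    """Who touched one record and when: the traceback investigation after a breach."""
    return [e for e in ledger.audit_log if (e["kind"], e["rec_id"]) == (kind, rec_id)]


def build_sample_ledger() -> Ledger:
    # Constructed sample data; identifiers are placeholders, not real values.
    lg = Ledger()
    lg.add(Record("vendor", "V-1001", {"name": "Example Supplies Co.", "tax_id": "0000000000000",
                                        "bank_account": "000-0-00000-0"}, date(2018, 3, 1)))
    lg.add(Record("vendor", "V-1002", {"name": "Sample Trading Co.", "tax_id": "1111111111111",
                                        "bank_account": "000-0-22222-2"}, date(2024, 11, 20)))
    lg.add(Record("employee", "E-0042", {"name": "Sample Employee", "national_id": "0-0000-00000-00-0",
                                         "salary": 45000, "bank_account": "000-0-33333-3"}, date(2025, 1, 31)))
    return lg


def demo(today: date = date(2025, 2, 25)) -> dict:
    """Run the scenario: an AP user reads vendor data, is refused salary data, then retention runs."""
    lg = build_sample_ledger()
    ok = lg.read("anong", "accounts_payable", "vendor", "V-1002", ["name", "bank_account"], today)
    try:
        lg.read("anong", "accounts_payable", "employee", "E-0042", ["salary"], today)
        blocked = False
    except PermissionError:
        blocked = True
    purged = lg.purge_expired(today)   # V-1001 has been inactive for almost 7 years
    return {"ok": ok, "blocked": blocked, "purged": purged,
            "salary_trace": trace_access(lg, "employee", "E-0042"), "audit": lg.audit_log}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The point of logging the denied read is that the audit trail answers not only "who saw the salary data" but also "who tried to"; the retention job writes to the same log, so a later investigation can show that a record was deleted on schedule rather than leaked.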
A solid accounting system must support PDPA compliance from day one — it is not just about recording numbers, but also about protecting the personal data within the system.
PDPA is not solely the IT department's responsibility — the accounting department, which holds the most personal data, must understand and comply as well. A quality ERP system makes PDPA compliance easier without adding extra burden to the accounting team.
Checklist: Is Your Accounting Department Ready for PDPA?
Check how many of these your organization can pass:
- Do you have a Privacy Notice for employees, vendors, and customers?
- Are payslips sent encrypted, or are they still shared via LINE without a password?
- How are ID card copies stored? Is there a locking system and an access log?
- Are Excel files containing personal data password-protected?
- Is there a Data Retention Policy defining data retention periods?
- Can every accounting employee really access everyone's salary data? (It should be restricted by role.)
- If a former employee requests data deletion, how many days does it take to fulfill?
- Is there an Audit Trail recording who accessed what data and when?
If your organization fails more than 3 of these items, it faces high PDPA risk and should consider upgrading its systems promptly.
Case Study: When Data Leaks from the Accounting Department
Imagine this scenario:
An accounting employee sends an Excel file containing the entire company's salary summary to a department manager via email — but mistypes the email address. The file reaches someone outside the organization.
The consequences:
- Every employee's salary data is exposed.
- National ID numbers and bank account numbers are disclosed.
- Affected employees can sue both the company and the responsible individual.
- Penalty: Fines up to 5 million baht plus civil damages.
This scenario happens very easily — and it actually occurs in many organizations. With an ERP system that has Access Control, accounting staff would only access necessary data and would be unable to export the entire company's salary data to Excel in the first place.
Conclusion
The accounting department holds the most personal data in any organization — yet it is often the department that receives the least attention regarding PDPA compliance. The risk lies not in deliberate wrongdoing but in "systems" that do not support compliance — transmitting data through insecure channels, storing documents without a management system, and lacking Access Control.
A well-designed ERP system helps the accounting department achieve PDPA compliance automatically — without adding workload, without needing to remember, as the system handles it all.
If your organization is concerned about PDPA compliance or needs a secure accounting system, you can schedule a Demo of Saeree ERP or consult with our expert team from Grand Linux Solution — free of charge.
References
- Royal Gazette. "Personal Data Protection Act B.E. 2562 (2019)." https://www.ratchakitcha.soc.go.th
- Ministry of Digital Economy and Society. "PDPA." https://www.mdes.go.th
