7 April
PDPA (Personal Data Protection Act) — Thailand's data privacy law enacted in 2019 — has been fully enforced since 1 June 2022. Yet many organizations still haven't adapted their systems accordingly. With penalties reaching up to 5 million baht per violation, the stakes are high. The key questions are: where does personal data live in your organization? And how can an ERP system help you comply with PDPA?
What is PDPA?
Thailand's Personal Data Protection Act B.E. 2562 (2019) establishes rules for collecting, using, and disclosing personal data, with the goal of protecting data subjects' rights. PDPA applies to all organizations — both government and private sector, regardless of size.
6 Key Principles of PDPA
| Principle | Meaning | Practical Example |
|---|---|---|
| Lawful Basis | Must have a legal basis for collecting data | Consent, contractual necessity, legal obligation, legitimate interest |
| Purpose Limitation | Use data only for the stated purpose | Collecting email for invoicing — cannot use it for marketing without notice |
| Data Minimization | Collect only what is necessary | If a national ID number is not needed, don't collect it |
| Accuracy | Data must be accurate and current | Customer addresses must be updated when they change |
| Storage Limitation | Retain data only as long as necessary | Rejected job applicant data should be deleted within 6-12 months |
| Integrity & Confidentiality | Ensure data security | Encryption, access restrictions, activity logging |
Penalties for PDPA Non-Compliance
PDPA prescribes three levels of penalties, which can be imposed simultaneously:
| Penalty Type | Description | Maximum Penalty |
|---|---|---|
| Civil | Compensation for actual damages plus punitive damages | Up to 2 times actual damages |
| Criminal | Using sensitive data without consent | 1 year imprisonment + 1 million baht fine |
| Administrative | Non-compliance such as missing Privacy Notice or no DPO | Fine up to 5 million baht |
Important: All three penalty types can be imposed simultaneously from a single incident. Additionally, executives who ordered or knowingly allowed the violation may face personal liability.
Where Does Personal Data Live in Your Organization?
Many organizations assume PDPA only concerns the IT or legal departments. In reality, personal data is scattered across every business function:
| Data Source | Examples of Personal Data | System Where Stored |
|---|---|---|
| Employees (HR) | Name, national ID, salary, health records, fingerprints | ERP (HR), fingerprint scanners, payroll Excel |
| Customers | Name, address, phone, email, tax ID, purchase history | ERP (AR/CRM), Excel, LINE |
| Vendors/Suppliers | Contact name, phone, email, bank account number | ERP (AP/Procurement), Excel |
| Job Applicants | Resumes, applications, test results, criminal records | HR email, shared folders, recruitment systems |
| Visitors | Name, phone, photos (CCTV), vehicle registration | Sign-in books, CCTV, access control systems |
Common PDPA Challenges Organizations Face
Based on real-world experience helping organizations manage their ERP systems, the five most common problems are:
- Scattered data — The same data exists in ERP, Excel, email, and LINE. Deleting it from one place is not enough.
- No consent log — No record of when consent was given, by what method, or for what purpose. This is impossible to prove during an audit.
- Cannot truly delete data — When a data subject requests erasure (Right to Erasure), the data may be hard-coded or linked to other transactions, making deletion disruptive.
- Weak access control — Every employee can see everyone's salary data because access permissions were never properly configured.
- No data retention policy — Data is kept forever without defined retention periods. Job applicant data from 10 years ago is still in the system.
How ERP Helps with PDPA Compliance
A well-designed ERP system should include features that support PDPA requirements:
| PDPA Requirement | ERP Feature | How It Works |
|---|---|---|
| Consent Management | Consent Log | Records when consent was given, by what method, and for what purpose |
| Data Retention | Retention period settings | Set rules for how long each data type is kept; auto-alert when retention expires |
| Access Control | Role-Based Access Control (RBAC) | Permissions by role — e.g., HR sees salary data, procurement does not |
| Access Log | Audit Trail | Records who accessed what data, when, and what they did with it |
| Data Masking | Partial data hiding | Shows national ID as X-XXXX-XXXXX-XX-X for general users |
| Right to Erasure | Anonymization / Pseudonymization | Instead of deleting all data (which may break accounting records), anonymize it — e.g., replace name with "Customer #12345" |
| Data Encryption | Encryption at rest and in transit | Sensitive data encrypted both in storage and during network transmission |
Real-world scenario: Customer requests data deletion — what does ERP do?
A customer emails requesting complete erasure of their personal data (Right to Erasure). However, this customer has outstanding invoices in the ERP system. In this case, full deletion is not possible because accounting records must be retained by law. Instead, the ERP can anonymize non-essential personal data (phone number, email, personal address) while keeping only legally required data (company name, tax ID, amounts) until the document retention period expires.
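The following is an added Python example, not Saeree ERP code, that works through this scenario: the erasure handler checks whether any invoice still has to be retained, anonymizes only the non-essential fields if so, and records the decision in an audit log. The field names, the five-year retention period and the "Customer #id" pseudonym format are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed retention period for accounting documents; the text does not state one.
INVOICE_RETENTION = timedelta(days=5 * 365)


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    company: str            # required on tax documents: kept
    tax_id: str             # required on tax documents: kept
    phone: Optional[str]    # non-essential personal data: anonymized
    email: Optional[str]
    address: Optional[str]


@dataclass(frozen=True)
class Invoice:
    customer_id: int
    amount: float           # required on tax documents: kept
    issued: date
    paid: bool


def must_retain(invoices: list, today: date) -> bool:
    """True while any invoice is unpaid or still inside the retention period."""
    return any(not inv.paid or today - inv.issued < INVOICE_RETENTION
               for inv in invoices)


def anonymize(customer: Customer) -> Customer:
    """Replace direct identifiers with a pseudonym; keep only the accounting fields."""
    return replace(customer, name=f"Customer #{customer.customer_id}",
                   phone=None, email=None, address=None)


def handle_erasure_request(customer: Customer, invoices: list, today: date,
                           audit_log: list) -> Optional[Customer]:
    """Return the record to keep: an anonymized one while invoices must be
    retained, None (full deletion) once nothing legally ties us to the data.
    Every decision is appended to audit_log so the outcome can be shown later."""
    own = [inv for inv in invoices if inv.customer_id == customer.customer_id]
    if must_retain(own, today):
        result, action = anonymize(customer), "anonymized; accounting records retained"
    else:
        result, action = None, "deleted"
    audit_log.append({"date": today.isoformat(),
                      "customer_id": customer.customer_id, "action": action})
    return result
```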
Saeree ERP and PDPA Compliance
Saeree ERP is designed with security features that support PDPA compliance:
- Role-Based Access Control (RBAC) — Granular permissions down to the field level, e.g., only HR can view salary data
- Full Audit Trail — Every view, edit, and delete action is logged with user, timestamp, and IP address
- Data Masking — Sensitive data (ID numbers, bank accounts) is hidden from unauthorized users
- SSL Encryption (A+ Rating) — All data encrypted during network transmission to prevent interception
- Two-Factor Authentication (2FA) — Two-step identity verification prevents unauthorized access
- Workflow System — Approval workflows for accessing sensitive data, e.g., viewing salary data requires manager approval
Having an automated accounting system with built-in audit trails enables organizations to demonstrate PDPA-compliant data handling.
8-Point PDPA Compliance Checklist
- Create a Data Inventory — Survey what personal data your organization collects, where it is stored, and who has access.
- Appoint a DPO (Data Protection Officer) — Designate someone responsible for personal data. They don't need to be a lawyer, but must understand the systems.
- Prepare a Privacy Notice — Inform data subjects what data you collect, why, and how long you keep it.
- Create Consent Forms — Build consent forms and log consent records in the system.
- Define a Data Retention Policy — Set retention periods for each data category and configure auto-alerts when they expire.
- Configure Access Control in ERP — Review permissions across all modules and revoke unnecessary access.
- Enable Audit Trail — Verify that your ERP logs all access to personal data.
- Train all employees — Everyone in the organization must understand what PDPA is and what they can and cannot do with personal data.
PDPA does not prohibit data collection — it requires you to collect data responsibly: with purpose, with consent, with time limits, and with security. A good ERP system helps you achieve all of this without building a new system from scratch, because most of the data already lives in your ERP.
— Saeree ERP Team
If your organization needs to adapt its ERP system for PDPA compliance or wants to assess personal data vulnerabilities, you can schedule a demo or contact our consulting team for guidance.
