Benefit of Outsourcing DPO
Under the Personal Data Protection Act B.E. 2562 (PDPA), fully enforced on 1 June 2022, the baseline standard of the law is to strengthen and reinforce the rights of the individual and create a much-needed harmonization of data protection law. Under the PDPA, most organisations are required to designate at least one individual, a natural person or a legal entity, as the data protection officer (DPO).
Currently, while the Personal Data Protection Committee (PDPC) has issued several sub-regulations, it has not yet prescribed the qualifications of a DPO. The PDPA only sets out the DPO's roles and responsibilities. The DPO's roles are, among other things, to uphold the rights of data subjects, which may vary from one organization to another, and to ensure legal compliance with the PDPA.
Who needs a DPO?
- Company’s activities requiring regular and systematic monitoring of personal data on a large scale (the Draft PDPA Sub-Regulations suggest that “large scale” means the data controller or data processor has in its possession personal data of more than 50,000 data subjects, or 5,000 data subjects in the case of sensitive data processing, within 12 months).
- Public authorities including governmental agencies, state enterprises, local administrative agencies, and other state agencies.
- Company’s core activities concerning collection, use or disclosure of sensitive personal data.
An in-house DPO may benefit from being fully conversant with processes within the business entity. However, an outsourced DPO provides expert knowledge in a specific field and experience of working with a number of organisations, and avoids a possible conflict of interest within the organization. A DPO, under the PDPA, must be independent enough to challenge the management of the organization on existing vulnerabilities. Since Thailand is still new to the PDPA, hiring an in-house DPO who is highly qualified on the PDPA may be difficult. Thus, outsourcing this task to a qualified external firm is an option.
By outsourcing the Data Protection Officer (DPO) role, the company would benefit from:
- Time savings, while the organization can focus on its core businesses.
- Meeting the independence requirements for the DPO role without compromising existing internal duties or roles.
- Assurance regarding the correctness of decisions made.
- Quick access to specialized, skilled and experienced consultants in the event of a personal data breach, supervisory authority investigation or other privacy impact events.
- No need to set up an individual workplace or employment benefits, or to integrate a new staff member into the cohesive work environment.