Thoughts before Appointing Data Protection Officer

1. Legal Requirement

The requirement to designate a Data Protection Officer (the “DPO”) under the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) has imposed significant concerns on organizations. Both data controllers and data processors have a duty to appoint the DPO. However, it is worth noting that not every organization is required to appoint the DPO.

Pursuant to Section 41 of the PDPA, the DPO must be appointed in the following circumstances:

(a) the processing activities of your organization in the collection, use, or disclosure of personal data require regular monitoring or a system, by reason of having a large number[1] of personal data as prescribed by the Personal Data Protection Committee (the “Committee”);
(b) the core activity of your organization is the collection, use, or disclosure of sensitive data; and
(c) the data controller or the data processor is a public authority as prescribed by the Committee.

In this regard, your organization may not need the DPO if it does not fall under the above circumstances. Nevertheless, even where your organization is not required to designate the DPO, doing so may be advisable in order to demonstrate legal responsibility and to take a more conservative approach towards data subjects. Please note that the relevant sub-regulations concerning the appointment of the DPO may shed more light on this matter; however, they are still under consideration.

2. Should internal personnel or external party be appointed as your DPO?

The DPO can be an employee of your organization or a service provider under contract with your organization. In considering whether the DPO should be appointed internally or externally, the following points should be taken into account.

Points to consider:

i. Independence
   Internal personnel: The organizational structure may need to be changed if it does not allow an employee/unit (who will be appointed as the DPO) to work and perform its duties independently and freely.
   External party: The organizational structure does not need to be changed because the independence of an external party is guaranteed.

ii. Expertise
   Internal personnel: Current employees are familiar with the operating system and information of the organization, which would allow them to perform their duties effectively and flexibly. However, legal compliance with the PDPA and relevant data protection laws should also be added to their training.
   External party: Time would be required for an external party (i.e., a law firm or an audit firm) to understand the operating system and information of the organization. However, these firms specialize in legal compliance with personal data protection.

iii. Risk of data leakage
   Internal personnel: This can ensure that the data would be processed internally.
   External party: The risk of data leakage is higher because the data shall be processed by an external party.

iv. Budget
   Internal personnel: Low; operating expenses can be paid in the form of salary.
   External party: Operating expenses are higher compared to the appointment of internal personnel as the DPO.

v. Responsible party
   Internal personnel: Compliance unit, legal unit, risk assessment unit, IT unit, or a new unit established for PDPA compliance in your organization, as your organization deems appropriate.
   External party: Law firm, audit firm, or consulting firm, as your organization deems appropriate.

3. Desirable Skills and Qualifications

Currently, the PDPA only prescribes the duties of the DPO. The DPO may be able to perform other duties or tasks, but such other duties or tasks must not be against or contrary to the performance of the duties as the DPO under the PDPA. Even though the skills and qualifications of the DPO are not specified under the PDPA, the legal duties of the DPO provide an understanding of what skills and qualifications the DPO should have.

Below are the desirable skills and qualifications of the DPO, each followed by an explanation.

i. Risk and technology assessment

Since the DPO has a duty to conduct the risk assessment of personal data processing, it is essential for the DPO to have experience in privacy and technology risk assessment, including preventive measures or risk transfer for privacy and technology. In addition, the DPO must understand the changes and evolution of technology that will make the risks more challenging.

ii. Legal knowledge

The DPO must have knowledge of the law relating to personal data protection as the DPO has a duty to assist the data controller and data processor, including external entities that will continue to process personal data obtained from the organization. The DPO should ensure that the personal data obtained by the organization will be kept confidential and used for processing in accordance with its tasks assigned for the stated purposes and in accordance with the law.

iii. Understanding of business and culture of an organization and good communication skills

The DPO is required to communicate, coordinate, and consult with data controllers and data processors, including external entities and other relevant entities. It is very important for the DPO to have a good understanding of the business and corporate culture of the organization. In addition, in order to enable all units in the organization to process personal data in accordance with the privacy policy, rules, and regulations relating to personal data protection, the DPO has to provide an understanding and explanation of the practices and legal obligations to the relevant units in the organization. Therefore, the DPO must have good communication skills in order to pass on knowledge in an easy-to-understand language. 

iv. Independence and no conflict of interest

Due to the responsibilities of the DPO (e.g., giving advice and monitoring the data protection operations), the opinions of operating units in the organization may not be in line with the opinions and advice given by the DPO, or the actions suggested by the DPO may have a negative effect or pose difficulty for operating units. Thus, the DPO should be independent and be able to report freely to the Chief Executive Officer of the organization.

In the case where the DPO is internal personnel of the organization, such organization shall ensure that the duties of the DPO do not conflict with its primary mission or duties. For example, while performing its risk assessment duties, the DPO may also perform other functions or tasks; however, such duties or missions must not contradict the performance of duties as the DPO under the PDPA.

v. Cross-border personal data protection knowledge

The organization may have to communicate with foreign agencies and may have to process personal data abroad. Therefore, the DPO should also have knowledge of international law concerning personal data protection, such as the General Data Protection Regulation (GDPR) of the European Union. This is to ensure compliance with the law both in the country and abroad.

The list above contains only examples of the desirable skills and qualifications of the DPO. If the DPO appointed in your organization does not possess these skills or qualifications, there is no legal offense whatsoever.

4. Suggestion

Before the appointment of the DPO, your organization should check whether it needs to appoint the DPO or not (i.e., this depends on the nature of the processing activities in your organization as explained in 1. above). The DPO can be an individual or a group of people appointed internally or externally. The business and corporate culture, the capability of personnel, and the processing activities/system of your organization should be looked into before making any decision on the DPO appointment. Lastly, the DPO should have desirable skills and qualifications in order to perform its duties smoothly and effectively in your organization.

This is intended merely to provide a regulatory overview and is not intended to be comprehensive, nor to provide legal advice. Should you have any questions on this or on other areas of law, please contact any of our authors.

[1] For your information, according to the draft sub-regulations of the PDPA, “large scale” means either when the data controller or the data processor has in its possession personal data of more than (1) 50,000 data subjects or (2) 5,000 data subjects in the case of sensitive data processing, within any 12-month period.