• Deloitte reveals survey results on organisations post-PDPA (Personal Data Protection Act) implementation, highlighting benefits beyond legal compliance.
• Key factors driving organisations to comply with PDPA include the potential for reputational damage, improved customer trust, and, ultimately, benefits in building brand credibility. All of these are top priorities for the business sector. Concerns about regulatory fines or legal action have decreased in importance, ranking third instead of first.
• 72% of organisations are confident in their ability to comply with PDPA due to adherence to regulations and regular self-assessment of their readiness.
• Most organisations recognise the importance of training employees to be knowledgeable and vigilant about PDPA, especially regarding the protection of customer data.
• Data Leakage Prevention (DLP) receives the highest budget allocation and technological priority regarding investments in PDPA compliance activities.
In 2024, two years after the PDPA came into force in June 2022, another survey was conducted to evaluate how companies have adapted to its enforcement, analyse the challenges organisations face, and study the changes in internal organisational processes.
On Benefits and Business Awareness.
The survey results revealed two critical drivers for PDPA compliance: the potential for reputational damage, which rose to 81% from the previous survey's 66%, and improving customer trust, which increased to 75% from 59% in the previous survey. By contrast, concerns about fines or legal action, previously the top priority for organisations, decreased to 59% from 73%, and the importance of improving data processing efficiency declined to 15% from 36%.
Organisations perceive PDPA compliance as a beneficial legal obligation across various dimensions. Of the organisations surveyed, 58% acknowledged significant benefits from implementing PDPA, compared to 45% in the previous survey. The Energy, Resources, and Industrial sectors regarded PDPA compliance as highly beneficial, with 75% affirming its advantages. Furthermore, 38% of respondents indicated that PDPA had fundamentally changed how the organisation handles personal data, highlighting its impact on personal data governance.
On Readiness and Compliance.
When asked about overall confidence in their organisation's practices under the Personal Data Protection Act (PDPA), 72% responded that they were confident or very confident. Most organisations (89%) indicated they had implemented PDPA processes, a significant increase from the previous survey's 30%. The Financial Services sector had the highest compliance rate at 100%, followed by the Consumer sector at 95%, the Energy, Resources, and Industrial sector at 93%, and the Technology, Media, and Telecom sector at 89%.
In addition to complying with the PDPA, organisations have also assessed their readiness. The survey revealed that 80% of organisations in Thailand had conducted PDPA readiness assessments, up from 45% in 2021. The Financial Services sector again led with a 100% readiness assessment rate, followed by the Consumer sector at 81%, the Technology, Media, and Telecom sector at 78%, and Energy and Resources at 71%. Regarding investment in personal data management, 41% of organisations believed they already had good management practices and were making moderate investments to maintain this status.
Regarding Personnel, Processes, and Technology
Organisations that participated in the survey indicated that the Human Resources and Compliance departments are the two leading functions for PDPA programs and compliance activities, each accounting for 34%. 72% of organisations have designated internal personnel to act as Data Protection Officers (DPO), an increase from 56% in the previous survey. The Financial Services sector reported the highest rate of DPO appointments at 100%. When asked whether organisations have recruited additional staff to handle PDPA compliance, 67% responded that they had not, with only 20% indicating they had slightly increased dedicated staff.
The survey revealed that organisations allocate budgets primarily for Data Leakage Prevention (DLP) and Governance, Risk, and Compliance (GRC), both at 50%, followed by employee training at 46%. Regarding investment in technology related to PDPA compliance, organisations prioritised DLP at 57%, Consent/Preference Management at 55%, and Privilege Access Management at 54%.
67% of organisations identified technology implementation as the primary challenge in PDPA compliance, followed by employee knowledge at 61% and the integration of new policies and business processes into business operations at 55%. The challenge of having sufficient personnel has increased significantly, rising from 13% to 48% in the latest survey results. When asked whether organisations have the required resources to support sustained PDPA compliance, 52% indicated that they utilise internal and external resources to support compliance, followed by 33% of organisations relying solely on internal resources.
"After the PDPA has been in effect, the PDPC has issued related Notifications and Guidelines. Business operators, especially in the roles of Data Controllers, should stay vigilant to carefully observe the requirements under the Notifications and use the Guidelines to assist them in fulfilling their obligations due thereunder. Data controllers should closely monitor further announcements from the PDPC to stay on top of any important legal updates," said Mr Anthony Visate Loh, Partner, Tax and Legal Advisory Services, Deloitte Thailand.
Somkrit Krishnamra, Partner, Risk Advisory Services, Deloitte Thailand, added, “While the survey results are encouraging, showing positive trends in data security, concerning stories of personal information crimes continue to surface. This highlights the need for continued vigilance. Effective prevention requires a multi-layered approach, encompassing people, processes, and technology working in unison.”
“Deloitte has continually surveyed organisational readiness for the Personal Data Protection Act, gathering executive perspectives to inform our understanding of current practices and future trends. This knowledge is instrumental in developing policies and strategies aligned with the evolving landscape,” said Narain Chutijirawong, Executive Director of Clients & Markets, Deloitte Thailand.