software 2026-05-01 4 min

PDPA and Software Development: What Every Thai Business Must Know Before Building

Thailand's PDPA is fully enforced. Businesses building or upgrading software must know exactly what to design for legal compliance — before facing penalties of up to THB 5 million.


Since Thailand's PDPA (Personal Data Protection Act) came into full force in 2022, many Thai businesses have continued building software without seriously considering its legal requirements. The result: systems that carry legal risk from day one of launch.

This article explains how PDPA affects software development and which features every system must include to be compliant from the start.


PDPA in the Context of Software

PDPA governs how organizations may collect, use, and share personal data. In software terms, this means:

  • Every field storing personal data (name, email, phone, address, IP address, health data) must have a legal basis
  • Users must know why their data is collected and be able to give explicit consent
  • The system must practically support "data subject rights"

6 Features Software Must Have for PDPA Compliance

1. Consent Management System

Before collecting personal data, the system must display:

  • A clear purpose for data collection
  • Separate, distinct "Accept" and "Decline" options (pre-ticked boxes are not allowed)
  • A consent log with timestamp and the version of the policy accepted

Example: A membership registration form must have separate checkboxes for each purpose — newsletter subscriptions and sharing data with partners must be independent choices.
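The consent rules above (one decision per purpose, nothing pre-ticked, a log with timestamp and policy version) can be modelled directly in code. The following is an added example, not code from the article or from Adowbig; the purpose names, the policy version string and the rule that a decision made under an older policy version does not count as consent under the current one are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical purposes. Each is an independent choice on the registration form.
PURPOSES = {"account", "newsletter", "partner_sharing"}


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool            # True = "Accept", False = "Decline"
    policy_version: str      # version of the privacy policy shown to the user
    recorded_at: datetime    # UTC timestamp of the decision


@dataclass
class ConsentLog:
    # user_id -> chronological list of decisions (append-only audit trail)
    records: Dict[str, List[ConsentRecord]] = field(default_factory=dict)

    def record(self, user_id: str, purpose: str, granted: bool,
               policy_version: str, now: Optional[datetime] = None) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(purpose, granted, policy_version,
                            now or datetime.now(timezone.utc))
        self.records.setdefault(user_id, []).append(rec)
        return rec

    def has_consent(self, user_id: str, purpose: str, current_policy_version: str) -> bool:
        """Consent exists only if the user's latest decision for this purpose was
        an explicit grant under the current policy version. No record means no
        consent: there is no default (pre-ticked) acceptance."""
        history = [r for r in self.records.get(user_id, []) if r.purpose == purpose]
        if not history:
            return False
        latest = history[-1]  # records are appended in chronological order
        return latest.granted and latest.policy_version == current_policy_version


def process_registration_form(log: ConsentLog, user_id: str, form: Dict[str, bool],
                              policy_version: str, now: Optional[datetime] = None) -> None:
    """`form` maps purpose -> checkbox state. A purpose the user did not tick is
    recorded as declined, so every purpose has an explicit decision on file."""
    for purpose in sorted(PURPOSES):
        log.record(user_id, purpose, bool(form.get(purpose, False)), policy_version, now)
```

Before sending a newsletter or sharing with a partner, the application calls `has_consent(user, "newsletter", CURRENT_POLICY)` rather than reading a single "accepted terms" flag, and a withdrawal is just another appended record, so the log shows the full history.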

2. Right to Access & Portability

Users must be able to:

  • View all their personal data stored in the system
  • Request their data in a readable format (CSV, JSON)

Implementation: A dedicated endpoint or UI allowing users to export their own data.

3. Right to Erasure (Right to be Forgotten)

Users can request deletion of all their data. The system must:

  • Remove data from the active database
  • Retain only data with a legal obligation to keep (e.g., financial documents for 5 years)
  • Maintain an audit log of deletion requests

4. Data Breach Notification

In the event of a data breach, the system must:

  • Detect unusual access patterns (Security Monitoring)
  • Notify the PDPC (Office of the Personal Data Protection Committee) within 72 hours
  • Notify affected data subjects

Implementation: Audit logs, anomaly detection, and an alert system are required.
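One concrete piece of the "detect unusual access patterns" requirement is a job that reads the application's access audit log and flags an account that reads far more distinct personal-data records in an hour than its job requires. This is an added example, not the article's or Adowbig's code; the log line format, the field names and the threshold of three distinct records per hour are constructed for the example, and the sample lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical audit log format: "<ISO-8601 UTC> user=<id> action=<verb> record=<id>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "record": m["record"]}


def detect_bulk_access(lines: List[str], max_distinct_per_hour: int = 3) -> List[Dict]:
    """Return one alert per (user, hour window) in which the user read more
    distinct personal-data records than the threshold. Only `read` actions count;
    the same record read repeatedly counts once."""
    seen = defaultdict(set)  # (user, hour_start) -> set of record ids
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "read":
            continue
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        seen[(ev["user"], hour)].add(ev["record"])

    alerts = []
    for (user, hour), records in sorted(seen.items()):
        if len(records) > max_distinct_per_hour:
            alerts.append({"user": user, "window_start": hour.isoformat(),
                           "distinct_records": len(records)})
    return alerts


# Constructed sample log: alice behaves normally, bob reads five customer
# records within one hour, and one line is malformed.
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z user=alice action=read record=cust-101",
    "2026-05-01T10:05:12Z user=alice action=read record=cust-101",
    "2026-05-01T10:20:40Z user=alice action=read record=cust-102",
    "2026-05-01T11:01:03Z user=bob action=read record=cust-201",
    "2026-05-01T11:01:09Z user=bob action=read record=cust-202",
    "2026-05-01T11:01:15Z user=bob action=read record=cust-203",
    "2026-05-01T11:01:22Z user=bob action=read record=cust-204",
    "2026-05-01T11:01:30Z user=bob action=read record=cust-205",
    "2026-05-01T11:02:00Z user=bob action=update record=cust-206",
    "this line is not an audit event",
]
```

An alert from this job is what should open the incident record whose timestamp starts the 72-hour notification clock described above; the threshold itself has to be tuned per role, since a support agent and a batch export job have very different baselines.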

5. Data Minimization & Retention Policy

  • Collect only what is necessary — storing "just in case" is not permitted
  • Define a retention period for each data type
  • Implement automated deletion when the retention period expires
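Sections 3 and 5 describe two deletion paths that share one rule set: an erasure request removes everything except data under a legal retention obligation, and a scheduled job removes data whose retention period has expired, with both writing an audit entry. The following added example (not the article's or Adowbig's code) implements both over a single in-memory store. The data types, the one-year marketing retention and the `None` rule ("keep for the life of the account") are assumptions; the five-year figure for financial documents is the article's own example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Retention per data type (hypothetical). None = kept until the user asks for
# erasure; a timedelta = deleted automatically once it expires.
RETENTION: Dict[str, Optional[timedelta]] = {
    "profile": None,
    "marketing": timedelta(days=365),
    "invoice": timedelta(days=5 * 365),   # the article's example of a legal obligation
}
# Types that an erasure request may NOT delete while their retention runs.
LEGAL_HOLD = {"invoice"}


@dataclass
class Record:
    user_id: str
    data_type: str
    created_at: datetime
    payload: dict


class DataStore:
    def __init__(self) -> None:
        self.records: List[Record] = []
        self.audit_log: List[dict] = []

    def add(self, rec: Record) -> None:
        if rec.data_type not in RETENTION:
            raise ValueError(f"no retention policy defined for {rec.data_type}")
        self.records.append(rec)

    @staticmethod
    def _expired(rec: Record, now: datetime) -> bool:
        period = RETENTION[rec.data_type]
        return period is not None and now >= rec.created_at + period

    def erase_user(self, user_id: str, now: datetime) -> dict:
        """Right to erasure: delete the user's data except records under legal
        hold whose retention has not yet expired. Always logs the request."""
        deleted, retained, remaining = [], [], []
        for r in self.records:
            if r.user_id != user_id:
                remaining.append(r)
            elif r.data_type in LEGAL_HOLD and not self._expired(r, now):
                retained.append(r.data_type)
                remaining.append(r)
            else:
                deleted.append(r.data_type)
        self.records = remaining
        self.audit_log.append({"event": "erasure_request", "user_id": user_id,
                               "at": now.isoformat(), "deleted": sorted(deleted),
                               "retained_legal_hold": sorted(retained)})
        return {"deleted": sorted(deleted), "retained": sorted(retained)}

    def purge_expired(self, now: datetime) -> int:
        """Scheduled job: delete every record whose retention period has passed."""
        expired = [r for r in self.records if self._expired(r, now)]
        self.records = [r for r in self.records if not self._expired(r, now)]
        for r in expired:
            self.audit_log.append({"event": "retention_expired", "user_id": r.user_id,
                                   "data_type": r.data_type, "at": now.isoformat()})
        return len(expired)
```

The audit entries record only the user id and data type, never the deleted payload, so the log itself does not become a copy of the personal data it documents deleting.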

6. Privacy Policy & Cookie Consent

  • Privacy Policy must be written in plain, understandable language
  • Cookie Consent Banner must allow users to specify which cookie categories they accept

Data Types Requiring Extra Protection

PDPA classifies Sensitive Personal Data as requiring elevated safeguards:

Type              Examples
Health            Medical history, blood type, disability
Religion/Beliefs  Religion, political beliefs
Financial         Bank account numbers, credit scores, tax data
Biometric         Fingerprints, Face ID, voice prints
Race/Ethnicity    Origin information

Systems storing this data must obtain Explicit Consent and apply higher security measures.


Privacy by Design: Build It In from the Start

Instead of adding compliance as an afterthought, design with privacy from the beginning:

  1. Data mapping — know what data is stored where and who can access it
  2. Role-based access control — restrict access to what each role actually needs
  3. Encryption at rest and in transit — encrypt data both in storage and in transmission
  4. Pseudonymization — replace personal identifiers with pseudonyms wherever possible, so that datasets used for analytics or testing do not carry the real identifier
  5. Regular security audits — conduct periodic vulnerability assessments
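Pseudonymization in practice usually means replacing an identifier with a keyed hash, so that rows about the same person stay linkable for analytics while the real identifier is held only by whoever holds the key. This added example (not the article's or Adowbig's code) uses HMAC-SHA256 for that purpose; the field names, the sample rows and the test key are constructed.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List


def make_pseudonymizer(key: bytes) -> Callable[[str], str]:
    """Return a function mapping an identifier to a stable pseudonym.
    A keyed HMAC (rather than a plain hash) means an outsider cannot
    re-identify a pseudonym by hashing guessed emails or phone numbers."""
    if len(key) < 32:
        raise ValueError("use a randomly generated key of at least 32 bytes")

    def pseudonymize(identifier: str) -> str:
        normalized = identifier.strip().lower().encode("utf-8")
        return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:24]

    return pseudonymize


def pseudonymize_records(records: Iterable[Dict], fields: List[str], key: bytes) -> List[Dict]:
    """Copy each record, replacing the named identifier fields with pseudonyms.
    The original records are left untouched."""
    pseud = make_pseudonymizer(key)
    out = []
    for rec in records:
        copy = dict(rec)
        for f in fields:
            if copy.get(f) is not None:
                copy[f] = pseud(str(copy[f]))
        out.append(copy)
    return out


# Constructed sample data. In a real system the key lives in a secrets store,
# separate from the analytics environment that receives the output.
SAMPLE_KEY = b"constructed-test-key-0123456789abcdef"
SAMPLE_ROWS = [
    {"email": "Somchai@example.com", "phone": "0812345678", "plan": "pro"},
    {"email": "somchai@example.com ", "phone": None, "plan": "pro"},
    {"email": "nid@example.com", "phone": "0899999999", "plan": "free"},
]
```

Normalizing case and whitespace before hashing keeps the two "somchai" rows linked; the output is still personal data under PDPA as long as the key exists, which is why this is pseudonymization and not anonymization.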

PDPA Checklist for New Software Projects

Before launch, verify the system has all of the following:

  • Consent Management — always request consent before data collection
  • Clear, plain-language Privacy Policy page
  • Complete Cookie Consent Banner
  • User dashboard to view, export, and delete personal data
  • Defined Data Retention Policy with clear timelines
  • Security monitoring and breach notification system
  • Data Processing Agreements with all third-party vendors
  • Basic PDPA staff training completed

Conclusion

PDPA compliance is not something to retrofit after launch — designing for it from the start is far cheaper than fixing it later. Adowbig provides PDPA audits for existing systems and designs compliant features into all new software projects. Contact us for a free consultation.
