DPO (Data Protection Officer)
An organizational role responsible for overseeing data-protection strategy and ensuring compliance with privacy laws such as the PDPA and the GDPR. The role is required when an organization processes sensitive personal data at scale or systematically monitors data subjects.
A Data Protection Officer (DPO) is the designated person responsible for overseeing an organization's compliance with data-protection law. Both PDPA (Thailand) and GDPR (EU) define when a DPO is mandatory and what the role entails.
A DPO must be appointed when:
- The organization is a public authority.
- Core activities involve regular and systematic monitoring of data subjects on a large scale.
- Core activities involve large-scale processing of sensitive personal data (health, financial, biometric, etc.).
DPO responsibilities include:
- Informing and advising the organization and employees about their data-protection obligations.
- Monitoring compliance with the law and internal policies.
- Providing advice on Data Protection Impact Assessments.
- Cooperating with the supervisory authority (PDPC in Thailand) and serving as the contact point for data subjects.
The DPO must be able to perform their duties independently — they cannot be instructed to compromise data-protection principles, and they should not have conflicting responsibilities (a CISO can sometimes also serve as DPO, but a Head of Marketing cannot).
A DPO does not have to be a full-time employee. Many SMEs use an external DPO on retainer.
Sources
- [2] Royal Thai Government. Personal Data Protection Act B.E. 2562 (2019). Ministry of Digital Economy and Society, Thailand, 2019. https://www.pdpc.or.th