PDPA compliance audit with AI: a complete guide for Thai businesses
How to verify your privacy policy, consent flows, and data-processing records against Thailand's PDPA using AI. Includes a 7-step checklist and DPO worksheet.
Quick answer
A PDPA audit verifies that your privacy notices, consent flows, data-processing records, and security controls satisfy the Thai Personal Data Protection Act B.E. 2562 (2019)[2]. Using AI, this audit takes about 10 minutes per session and produces a report grouped by PDPA chapter with risk-scored findings.
Who PDPA applies to
PDPA applies to any business that collects, uses or discloses personal data of people in Thailand, regardless of where the business is registered: Section 5 extends the Act to controllers and processors outside Thailand that offer goods or services to data subjects in Thailand or monitor their behaviour there. The Act itself has no general small-business exemption; the PDPC has relaxed the record-keeping duty for small enterprises by notification, but the other obligations still apply.
If you collect names, emails, phone numbers, or any identifier from Thai customers, PDPA applies. If you run analytics on website visitors from Thailand, PDPA applies. If you outsource customer service to a vendor in another country, PDPA applies, and the cross-border transfer must be properly safeguarded (Section 28).
What the AI checks
EvidProof's PDPA Auditor evaluates your documents against seven dimensions:
- Lawful basis. Is each processing purpose backed by consent (Section 19) or one of the Section 24 exceptions (contract, legal obligation, vital interests, public task, legitimate interest, research and statistics)? Does any sensitive data have explicit consent or a Section 26 exception?
- Purpose limitation. Does your privacy notice state, for each category of data, why it is collected, how long it is kept, and who receives it (Section 23)?
- Data subject rights. Is there a documented process for access, rectification, erasure, restriction, portability, and objection (Sections 30 to 36)?
- Security measures. Are technical and organisational safeguards described (Section 37), with named owners and review cadences?
- Breach notification. Is there a workflow that notifies the PDPC without delay and, where feasible, within 72 hours of becoming aware of a breach, and notifies affected data subjects when the breach is likely to cause high risk (Section 37(4))?
- Cross-border transfer. Are transfers to overseas vendors backed by a destination with adequate protection, a recognised safeguard, or a Section 28 exception?
- DPO and accountability. Is a Data Protection Officer designated where Section 41 requires one? Is a record of processing activities maintained (Section 39)?
Step-by-step walkthrough
1. Gather your privacy documents
You need at minimum:
- Privacy Policy (the public-facing one on your website)
- Cookie Notice
- Internal Record of Processing Activities (ROPA)
- All consent forms (signup, marketing, sensitive data)
- Data Processing Agreements with vendors
If you don't have a ROPA yet, that itself is a PDPA finding (Section 39 requires one). Draft one now, even as a plain list of processing activities, and upload it; EvidProof will flag the missing fields.
2. Upload to EvidProof
Drag all files into a single audit session. Select PDPA Auditor (Thailand) from the role selector. If your business also serves EU customers, add the GDPR Reviewer role to get cross-jurisdiction findings[3].
3. Provide processing context
Describe in one paragraph:
- What categories of personal data you collect (name, email, location, behavioral, etc.)
- Why you collect each (signup, billing, analytics, marketing)
- Who you share data with (payment processor, email service, analytics)
The AI uses this to evaluate purpose limitation and necessity, two of the PDPA shortcomings most often cited in Thai enforcement actions.
4. Review findings by PDPA section
Findings are grouped by PDPA chapter:
- Chapter 2: Personal Data Protection (lawful basis, consent, privacy notices, cross-border transfer)
- Chapter 3: Rights of the Data Subject and controller duties (security measures, breach notification, ROPA, DPO)
- Chapter 5: Complaints
- Chapter 7: Penalties (criminal and administrative)
Score-5 findings (critical) usually fall under:
- No documented lawful basis for marketing communications.
- No breach notification process.
- Cross-border transfer with no safeguards.
- No designated DPO when one is required.
5. Fix critical gaps first
A score-5 PDPA finding is a real-world liability: administrative fines run up to 5 million baht per violation, certain sensitive-data offences carry criminal penalties, and data subjects can claim civil damages, with punitive damages of up to twice the actual loss (Section 78). Triage by:
- Documenting the lawful basis for each purpose (often a single paragraph in your privacy notice, plus the matching ROPA entry).
- Standing up a breach notification runbook (template available in the EvidProof knowledge base).
- Putting Standard Contractual Clauses, binding corporate rules, or another PDPC-recognised safeguard on cross-border transfers.
6. Translate into Thai
Consent forms and privacy notices must be in a form the data subject can actually understand (Section 19 requires clear and plain language), which for data subjects in Thailand means a Thai version. EvidProof flags any consent or notice that exists only in English. The Thai version does not need to read like marketing copy; it needs to be accurate and say the same thing as the English one.
7. Schedule a quarterly re-audit
PDPC enforcement has stepped up since 2023. Processing activities change as the business changes. A recurring quarterly audit catches drift before it becomes a finding.
Common pitfalls
- Consent stacking. A single "I agree to the privacy policy" checkbox is not valid consent for marketing: marketing consent must be specific, separate from acceptance of the terms, and recorded on its own.
- Pre-checked boxes. A pre-ticked checkbox is not valid consent under PDPA. Audit your signup flow for this.
- No retention schedule. You must tell data subjects how long you keep each category of data (Section 23) and have a process that deletes it when the period ends. "Forever" is not an answer.
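The score-5 findings listed in step 4 and the pitfalls above are all checkable deterministically once the ROPA is structured. The following is an added example, not EvidProof's code or the PDPA Auditor's logic: a small Python linter that runs those rules over a constructed ROPA and groups findings by chapter. The field names, the 1-to-5 score scale and the simplified Section 41 DPO trigger are assumptions for illustration; the section numbers follow the PDPA B.E. 2562 text.

```python
"""Rule-based PDPA ROPA linter (added example, not EvidProof's own code).

Each finding is (score, chapter, section, message). Field names, the 1-5
score scale and the simplified DPO trigger are assumptions for this example;
section numbers follow the PDPA B.E. 2562 text.
"""
from collections import defaultdict

LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interest", "research"}          # s.19, s.24
SENSITIVE = {"health", "biometric", "genetic", "religion", "ethnicity",
             "political_opinion", "sexual_orientation", "criminal_record",
             "trade_union", "disability"}                                   # s.26
RECOGNISED_SAFEGUARDS = {"adequacy", "scc", "bcr", "explicit_consent"}      # s.28, s.29
INDEFINITE = {"", "forever", "indefinite", "indefinitely", "n/a", "until further notice"}


def check_activity(act):
    """Yield findings for a single ROPA row."""
    name = act.get("activity", "<unnamed>")
    basis = act.get("lawful_basis")
    cats = set(act.get("data_categories", []))

    # Chapter 2, s.19/s.24: every purpose needs consent or a listed exception.
    if basis not in LAWFUL_BASES:
        yield (5, "Chapter 2", "s.19/s.24", f"{name}: no documented lawful basis ({basis!r})")

    # Chapter 2, s.26: sensitive data needs explicit consent or a narrow exception
    # (simplified here to legal obligation and vital interests).
    if cats & SENSITIVE and basis not in {"consent", "legal_obligation", "vital_interests"}:
        yield (5, "Chapter 2", "s.26",
               f"{name}: sensitive data {sorted(cats & SENSITIVE)} without explicit consent")

    # Chapter 2, s.19: marketing consent must be specific, unbundled, not pre-ticked,
    # and recorded on its own (the consent-stacking and pre-checked-box pitfalls).
    consent = act.get("consent", {})
    if act.get("purpose") == "marketing" and basis == "consent" and (
            consent.get("bundled") or consent.get("pre_checked")
            or not consent.get("separately_recorded")):
        yield (5, "Chapter 2", "s.19",
               f"{name}: marketing consent bundled, pre-ticked or not separately recorded")

    # Chapter 2, s.28/s.29: overseas recipients need adequacy or a recognised safeguard.
    for r in act.get("recipients", []):
        country = r.get("country", "TH").upper()
        if country != "TH" and r.get("safeguard") not in RECOGNISED_SAFEGUARDS:
            yield (5, "Chapter 2", "s.28",
                   f"{name}: transfer to {r.get('name', '?')} ({country}) with no safeguard")

    # Chapter 2, s.23: the notice (and the ROPA, s.39) must state a finite retention period.
    if str(act.get("retention", "")).strip().lower() in INDEFINITE:
        yield (4, "Chapter 2", "s.23", f"{name}: no finite retention period")


def check_org(org, activities):
    """Organisation-wide checks: breach workflow (s.37(4)) and DPO (s.41)."""
    if not org.get("breach_notification_runbook"):
        yield (5, "Chapter 3", "s.37(4)",
               "no breach notification workflow (PDPC without delay, within 72 hours where feasible)")
    # Simplified s.41 trigger: any sensitive-data activity or large-scale monitoring.
    needs_dpo = any(set(a.get("data_categories", [])) & SENSITIVE or a.get("large_scale_monitoring")
                    for a in activities)
    if needs_dpo and not org.get("dpo"):
        yield (5, "Chapter 3", "s.41", "no DPO designated although processing triggers s.41")


def audit(org, activities):
    """Run every rule and return findings, critical first."""
    findings = list(check_org(org, activities))
    for act in activities:
        findings.extend(check_activity(act))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


def group_by_chapter(findings):
    """Group findings by PDPA chapter, as the report in step 4 does."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f[1]].append(f)
    return dict(grouped)


# Constructed sample ROPA: one clean activity and three with deliberate gaps.
SAMPLE_ORG = {"dpo": None, "breach_notification_runbook": False}
SAMPLE_ROPA = [
    {"activity": "Account signup", "purpose": "contract", "lawful_basis": "contract",
     "data_categories": ["name", "email"], "retention": "account lifetime + 1 year",
     "recipients": [{"name": "Bangkok Hosting", "country": "TH"}]},
    {"activity": "Newsletter", "purpose": "marketing", "lawful_basis": "consent",
     "data_categories": ["email"], "retention": "until unsubscribe",
     "consent": {"bundled": True, "pre_checked": False, "separately_recorded": False},
     "recipients": [{"name": "MailVendor Inc", "country": "US", "safeguard": None}]},
    {"activity": "Clinic intake", "purpose": "service", "lawful_basis": "legitimate_interest",
     "data_categories": ["name", "health"], "retention": "forever", "recipients": []},
    {"activity": "Web analytics", "purpose": "analytics", "lawful_basis": None,
     "data_categories": ["behavioral", "ip"], "retention": "26 months",
     "recipients": [{"name": "Analytics Cloud", "country": "SG", "safeguard": "scc"}]},
]

if __name__ == "__main__":
    for chapter, items in sorted(group_by_chapter(audit(SAMPLE_ORG, SAMPLE_ROPA)).items()):
        print(chapter)
        for score, _, section, msg in items:
            print(f"  [{score}] {section}: {msg}")
```

Run as a script it prints seven findings for the sample: six score-5 (missing runbook, missing DPO, bundled marketing consent, an unsafeguarded US transfer, health data on a legitimate-interest basis, analytics with no basis at all) and one score-4 for the "forever" retention. Fixing the Newsletter row's consent record and adding a recognised safeguard to its recipient makes that row clean, which is the triage loop step 5 describes.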
Next steps
Once your gap report is in the green, document a yearly internal PDPA review and consider engaging a Thai law firm for a formal opinion before any major data-processing change. EvidProof's audit is a strong pre-audit; a Thai-licensed attorney is the right partner for high-risk decisions.
Sources
- [2] Royal Thai Government. Personal Data Protection Act B.E. 2562 (2019). Ministry of Digital Economy and Society, Thailand, 2019. https://www.pdpc.or.th
- [3] European Parliament, Council of the European Union. General Data Protection Regulation (EU) 2016/679. European Union, 2016. https://eur-lex.europa.eu/eli/reg/2016/679/oj
Related reading
- How to audit your company's ISO 27001 policy with AI in 5 minutes
Step-by-step guide to using AI for ISO 27001:2022 gap analysis. Upload your policy, pick the auditor role, and get a risk-scored report in under a minute.