Data Protection Officer (DPO) — Thai PDPA Role
Profile overview
The Data Protection Officer (DPO) is the compliance role mandated by Thailand’s Personal Data Protection Act BE 2562 (2019) for data controllers and processors that process personal data at large scale or handle sensitive categories (health, biometric, financial, criminal). DPOs in Thailand must have expertise in data-protection law and practice, and are responsible for advising on PDPA obligations, monitoring compliance, and acting as the PDPC’s primary contact point for the organisation. A growing DPO-as-a-service market has emerged, with law firms, Big 4 advisory practices, and specialist firms offering an outsourced DPO function. Demand for qualified DPOs exceeds supply, creating a specialist labour market at the intersection of legal, IT, and risk disciplines.
DPO role segments
Internal DPO
In-house compliance role
Large corporations are required under the PDPA to appoint an internal DPO with data-protection expertise. The role covers PDPA compliance monitoring, PDPC liaison, data-impact assessments, and breach reporting. Demand for qualified Thai DPOs exceeds supply.
Outsourced DPO
DPO-as-a-Service market
A growing market of outsourced DPO services is offered by law firms (Baker McKenzie, Tilleke, Nishimura), Big 4 advisory (Deloitte, PwC, EY, KPMG), and specialist PDPA consultancies. An estimated 500-plus organisations were using an outsourced DPO in Thailand as of 2024.
Training
DPO certification and education
FAP-adjacent and private certification programmes offer PDPA DPO training. PDPC Thailand publishes DPO guidance. International certifications (CIPP/A, CIPM) are increasingly requested by multinational employers.
PDPC interface
Regulatory contact point
DPOs serve as the designated contact for PDPC investigations and data-subject requests. PDPC enforcement logs show recurring non-compliance where required DPOs were not appointed, a pattern the 2024 enforcement cycle targets.
PDPA DPO appointment requirements — sector comparison
Industries with mandatory DPO appointment under Thai PDPA 2019, 2024 status
| Sector | DPO mandatory? | Trigger criteria | Enforcement risk level |
|---|---|---|---|
| Banking and finance | Yes | Large-scale sensitive personal data processing | High |
| Healthcare and hospitals | Yes | Health data (sensitive category under PDPA) | High |
| E-commerce and tech platforms | Yes (if >250 employees or large-scale processing) | Systematic large-scale processing of personal data | Medium-High |
| Hotels and hospitality | Recommended | Guest personal-data volume and cross-border transfer | Medium |
| SMEs (fewer than 50 employees) | No (exempt) | Below threshold | Low |
Watchpoints 2025-2026
Enforcement
PDPC investigation pipeline
PDPC Thailand commenced formal enforcement in 2022. The 2024-2026 cycle targets repeated non-appointment of DPOs and inadequate breach-notification practices. Fines run up to $144,928 per violation.
Labour market
DPO talent shortage
Demand for qualified DPOs with both legal and IT competencies significantly exceeds supply. Compensation for senior DPOs in banking and healthcare is rising. DPO-as-a-service providers face capacity constraints.
Regulatory evolution
PDPC secondary rules on AI and biometrics
PDPC is developing secondary regulations on automated decision-making and biometric data under PDPA Section 26. New guidance will expand DPO responsibilities in sectors using AI and facial recognition.
Where this profile is featured
Reports that reference this entity in their operator concentration or analysis.
Featured in
Thailand PDPA: Enforcement Trajectory and Compliance Cost
Mandatory appointment for certain data controllers and processors; recurring PDPC compliance failure where DPO not appointed when required.
Related Market profiles
Peers, parents, partners, agencies, and other Cybersecurity actors.
Competitor
National Cyber Security Agency (NCSA Thailand)
Thai national cybersecurity regulator under Cybersecurity Act 2019; oversees critical-information-infrastructure protection and national cyber-threat response.
Competitor
Foreign Digital Service VAT Framework (Thailand RD)
Thailand’s VAT-on-foreign-digital-services regime (Section 83/6 bis), requiring non-resident digital providers to register and remit 7% VAT on B2C revenue.
Competitor
Thai PDPA Advisory Firm Cluster
Cluster of law firms and Big 4 advisory practices providing PDPA compliance, DPO services, and data-governance advisory in Thailand.
Sector peer
Thai Data Controllers (PDPA Corporate Aggregate)
Aggregate of Thai corporate data controllers obligated under the Personal Data Protection Act 2019 across all sectors.