PDPA and Client Data: What Accounting and Law Firms in Thailand Must Get Right
Thailand’s Personal Data Protection Act has been in full force since June 2022. Most professional services firms now have a privacy notice on their website and a consent checkbox on their intake form. But a notice is not a compliance posture — and for firms that handle sensitive client data across four or five disconnected tools, the gap between having documentation and actually managing personal data in accordance with the law is wider than most principals realise.
This article covers the PDPA obligations most relevant to accounting practices and law firms, where the risks and exposure points are concentrated, and what a defensible compliance posture looks like in practice.
PDPA Applies to More Than You Think
The Personal Data Protection Act covers all personal data your firm holds about any living individual. For a professional services firm, that scope is broad: client name, national ID, tax identification number, financial position, details of a legal matter, documents uploaded for review, meeting transcripts, notes in your CRM, and billing records. There is no professional services exemption, and there is no threshold below which a firm is excluded.
The key distinctions under PDPA are between a data controller — the firm that determines the purposes and means of processing personal data — and a data processor — a vendor or system that processes data on the controller’s behalf. Your firm is the data controller for your clients’ data. Every tool you use to store, process, or transmit that data is a data processor, and the relationship must be governed by a written data processing agreement.
The Personal Data Protection Committee (PDPC) is the enforcement body. It has been developing its enforcement guidance since the Act came into full force, and its capacity to investigate complaints and impose penalties is increasing year on year.
Consent at Intake Is Only the First Step
Capturing consent at the point of intake is the starting point most firms have addressed. A client fills in a form, acknowledges the privacy notice, and confirms they consent to the collection and processing of their personal data for the stated purposes.
The problem begins after that moment. The data collected at intake flows into a CRM. It is referenced in meeting notes stored in a transcription tool. Documents uploaded for review sit in a cloud storage folder. Progress reports are drafted in a Word template and emailed out. Each of these systems holds personal data. Each is operating under its own terms of service, its own data retention defaults, and its own access control settings. The consent captured at intake does not automatically govern what happens to the data downstream — not unless your internal processes and your vendor agreements are explicitly aligned to honour it.
PDPA requires that personal data be processed only for the purposes it was collected for, only for as long as necessary, and only by parties who have a lawful basis to access it. A consent form at intake that is followed by uncontrolled data flow across five independent systems is not a compliant process. It is documentation placed in front of a gap.
Data Subject Rights Are Harder Than They Sound
Under PDPA, your clients have meaningful rights over their personal data. They can request access to all personal data your firm holds about them. They can request correction of inaccurate data. They can request deletion or restriction of processing where the legal basis no longer applies. They can request data portability — a copy of their data in a structured, machine-readable format.
Your firm must respond to these requests within 30 days. And the response has to be accurate — if a client asks for all personal data you hold and you miss a system, you remain in breach even if the omission was unintentional.
Now consider what that response process looks like in practice for a firm running five disconnected tools. Someone needs to search the CRM for the client record. Then check the intake form tool for the original submission. Then look through the meeting transcription tool for any recordings. Then search cloud storage for uploaded documents. Then check email threads for anything that wasn’t captured elsewhere. Compile the results. Verify nothing was missed. Respond within the 30-day window.
This is not an impossible exercise, but it is a costly and error-prone one. It is also one that will occur more frequently as awareness of data subject rights grows among Thai clients and professionals.
Third-Party Tools and the Vendor Risk
Using a global SaaS tool — a US-hosted CRM, a cloud storage service, a transcription platform — means making a cross-border data transfer every time client data is synced or stored. PDPA has specific requirements for cross-border transfers: the recipient country must provide an adequate level of protection, or appropriate safeguards (such as standard contractual clauses) must be in place, or the data subject must have given explicit consent to the transfer.
Most global tools rely on GDPR-aligned data processing terms rather than PDPA-specific agreements. GDPR and PDPA have significant structural similarities, but they are not identical in their requirements. A firm that signs up to a vendor’s standard terms and assumes this satisfies PDPA may be carrying more compliance risk than it realises, particularly if the vendor has no Thai data processing addendum and stores data in jurisdictions with no adequacy determination under Thai law.
This does not mean that every international tool is off-limits. It means that the firm needs to understand what data goes where, on what legal basis, under what contractual terms — and have that documented. The PDPC expects data controllers to be able to demonstrate their compliance posture, not simply assert it.
Enforcement Risk Is Real and Rising
PDPA provides for administrative fines of up to ฿5 million per violation. It also creates criminal liability for wilful unlawful disclosure of personal data, and — critically for professional services firms — a direct civil liability pathway: clients who suffer damage from a breach of their personal data can sue the data controller directly.
For a boutique firm, the civil liability and reputational dimensions are often more significant than the regulatory fine. A data incident involving client financial records or legal matter details is not primarily an administrative event. It is a client relationship event and a market reputation event. The firm that can demonstrate it had proper systems in place is in a materially better position than the firm that cannot.
The PDPC’s enforcement capacity is maturing. It has issued initial decisions, developed sector guidance, and is building the institutional infrastructure for more systematic oversight. Firms that treat PDPA compliance as a once-done documentation exercise rather than an ongoing operational practice are likely to find that posture increasingly difficult to defend.
What a Compliant Posture Looks Like
A defensible PDPA compliance posture for a professional services firm involves several operational components, not just documentation:
Consent and lawful basis management. Consent captured at intake should be specific, informed, and linked to defined processing purposes. Where processing relies on a lawful basis other than consent — such as contract performance or legal obligation — that basis should be documented for each data category.
Data minimisation and retention. Only collect what is necessary for the matter. Define retention periods by data category — client identification data, financial records, legal matter files — and have a process for deleting or anonymising data when those periods expire.
Data subject request process. A defined internal workflow for handling access, correction, deletion, and portability requests, with a single authoritative system of record to query. The 30-day response window makes a manual, multi-system search process a liability.
Third-party disclosure register. Know what personal data goes to which vendors, on what legal basis, and whether data processing agreements are in place. This includes your cloud storage provider, your email platform, and any AI tools used to process client documents.
Breach response plan. Under PDPA, a personal data breach that poses a risk to data subjects must be reported to the PDPC within 72 hours of discovery. Having a documented incident response process is not optional for a regulated professional services firm.
One System Is Easier to Manage Than Five
The firms that handle PDPA compliance most cleanly are not those with the longest privacy policies — they are those whose operational workflows make compliance automatic rather than manual. When all client and matter data lives in a single system, with defined access controls, consistent data processing terms, and a clear audit trail, the operational overhead of compliance drops significantly.
FirmFlow captures consent at the point of intake and stores all client and matter data in one place — making data subject requests, retention controls, and third-party disclosure management straightforward rather than a spreadsheet exercise. All data at rest and in transit is encrypted. FirmFlow does not sell or share client data with third parties. Firm administrators have full visibility and control over what personal data is held and how it is used. For professional services firms in Thailand, PDPA compliance infrastructure is built in — not retrofitted.
Getting Ahead of the Risk
PDPA compliance for a professional services firm is primarily an operational question, not a legal one. The hard work is not in drafting the privacy notice — it is in ensuring that the day-to-day handling of client data across your systems and your team actually matches what that notice says.
For a firm currently running client data across multiple disconnected tools, the most productive first step is an honest audit: what personal data do we hold, where does it live, who has access to it, and what happens to it when a matter closes? The answers to those questions will tell you where your compliance risk actually sits — and what needs to change.
The cost of getting this right now is a fraction of the cost of a client complaint, a PDPC investigation, or a data incident that becomes public. The firms that build clean data handling into their operations from the outset are those best positioned as enforcement matures.