
PDPA for HR: A 2026 Thailand Guide

  • Rohan Jain
  • Nov 17
  • 6 min read

In Thailand’s fast-moving labor market, technological advancements are creating immense opportunities. They are also creating significant risks. Since Thailand's Personal Data Protection Act (PDPA Thailand) came into full effect, companies have made data handling a core organizational goal.


For HR professionals, this law has fundamentally changed the HR function. HR departments are arguably the most data-heavy units in any company. HR teams collect, process, and store the personal data of all job seekers and existing employees.


By 2026, the PDPA is no longer a new law to learn. It has matured into a regulation with serious consequences. The focus has shifted from basic compliance to active, ongoing data governance. New industry trends, like AI in HR and permanent remote work models, create fresh challenges.


HR professionals must now act as data stewards. They must protect their people and their business. This blog explores what human resources teams in Thailand need to know about the PDPA in 2026.



PDPA in 2026: A Core Pillar of Culture, Not Just Compliance in Thailand


In 2026, PDPA Thailand is no longer just an IT or legal problem. It is a central HR strategy and a major part of company culture. The "grace period" is long gone. The Personal Data Protection Committee (PDPC) is actively enforcing the law. The 2024-2027 Master Plan, in fact, aims for 100% compliance across all sectors (Tilleke & Gibbins, 2024).


The penalties are severe. They include administrative fines up to THB 5 million and potential criminal penalties (KPMG, 2022). This has captured the full attention of business leaders. HR departments must prove their processes are compliant to protect the company's bottom line.


But the most important part is trust. How you handle data directly affects your employer branding. Job seekers are more aware of their data rights. A data breach or a sloppy hiring process does not just create a legal problem. It destroys trust. A strong, transparent PDPA policy builds trust and fosters a sense of belonging.


It is essential for creating a positive workplace culture. Companies that master PDPA compliance gain a competitive advantage. They can build a positive work environment based on respect for privacy. This positively impacts employee satisfaction and is key for employee retention and achieving a high retention rate.



The Recruitment Process: Consent is King


The talent acquisition lifecycle is the first and most critical PDPA checkpoint for HR teams. Every job opening is a data collection point.


Vague consent is no longer acceptable. For the recruitment process, consent must be "explicit, clear, and specific" (Baker McKenzie, 2025). Your application form or job posts must clearly state what data you are collecting. You must state why you are collecting this specific skills and experience data. You must also state how you will use it and how long you will keep it if the job seeker is not hired.


Many HR departments like to keep resumes of qualified candidates for future job titles. Under PDPA, you cannot do this without separate, specific consent. The consent to apply for "Job A" does not cover keeping their data for "Job B." You must ask for this permission separately.


Background checks are another high-risk area. Criminal records and health data are "Sensitive Personal Data." HR professionals must obtain explicit consent for these checks. You cannot make them a mandatory, non-negotiable part of the hiring process unless a separate law requires it for that specific job title.



The Employee Lifecycle: From Onboarding to Performance


Once a job seeker becomes an existing employee, the PDPA rules do not stop. HR professionals manage data throughout the entire employee experience.


Many HR teams believe the employment contract covers all data processing. It does not. The contract allows you to process data that is necessary for employment. This includes paying salary, managing leave, and providing legally required benefits.


For "Sensitive Personal Data," you need separate, explicit consent. This includes health data for insurance or biometric data like fingerprint scanners. HR teams must get specific permission for each purpose. For example, using a fingerprint scan for building access is one purpose. Using it for time tracking is a separate one that requires its own clear consent.


This also applies to employee feedback. When you run employee surveys or pulse surveys, you are collecting employee feedback. You must inform team members if it is anonymous. You must also state how the data analysis will be used and who will see it. This is key to getting honest feedback.



New Challenges for 2026: AI, Data Analytics, and Remote Work



Technological advancements are creating new PDPA challenges. These are now critical industry trends for HR professionals in Thailand.


AI in HR: The New Frontier


AI in HR presents the biggest new challenge. HR teams are using AI technology for talent acquisition (screening resumes), upskilling (suggesting training programs), and performance management (monitoring employee performance). This creates a "black box" problem.


If an AI tool rejects a qualified candidate, can you explain why? PDPA gives data subjects the right to know about automated decision-making. HR teams must be part of a higher-level review. You must ensure AI tools are fair, transparent, and explainable.


Data Analytics and Workforce Planning


HR professionals now use data analysis for Strategic Workforce Planning. This means analyzing employee performance, skills and knowledge, and career goals to predict the skills gap.


This is a legitimate interest, but it must be transparent. You must ensure employees know how their data is used for career path planning. This helps them grow personally and professionally.


Data Security in a Hybrid Work Model


The rise of flexible work and remote work has supported work-life balance. It has also created huge security risks. HR professionals must partner with IT to support employee flexibility safely.


This is not just an IT problem; it is a people problem. HR teams must launch continuous learning programs. These must teach existing employees about data security at home. This includes how to spot phishing emails and why they should not use public Wi-Fi for company work.


Clear policies on data storage and device encryption are essential to maintain secure working conditions outside the office.



Data Rights and HR's Duty to Respond


Under PDPA Thailand, employees are data subjects. They have rights. HR departments are on the front line for managing these rights in real time.


An employee (or former employee) can send a "Data Subject Access Request" (DSAR). This means they are asking for a copy of all personal data you hold on them. This includes their performance management reviews, salary history, work experience records, and any employee feedback notes.


HR departments must be able to find all this data. It is often spread across different systems, from emails to old paper files. You must provide this data within a set timeframe, usually 30 days (CookieYes, 2024).


Employees also have the "Right to Erasure." They can ask you to delete their data when it is no longer needed for legal or contractual reasons. This is why HR strategies must include a data retention policy. You cannot keep employee data forever "just in case." You must define why you keep it and how long you keep it.


Finally, if a data breach happens, you have a legal duty. You must notify the PDPC office within 72 hours of discovering the breach (CookieYes, 2024). This requires a clear, practiced plan.



Conclusion


In 2026, PDPA Thailand sits at the center of the HR function. It is no longer a simple legal checklist. It is a core part of building a positive work environment and a strong organizational culture. It builds trust, fosters a sense of belonging, and gives your company a competitive advantage.


Business leaders must empower their HR professionals to lead this charge. By mastering data privacy, you are not just complying with a law. You are creating a positive corporate culture of respect. This culture is your best strategy for enhancing employee trust, achieving a high retention rate, and ensuring long-term success.



Partnering with Hyperwork Recruitment


Navigating the complex labor market and PDPA compliance requires a strategic partner. As Thailand's leading recruitment agency, Hyperwork Recruitment understands the critical link between data privacy and talent acquisition.


We help HR teams build a recruitment process that is not only effective but also fully compliant. We find qualified candidates who respect company culture and data privacy. Partner with us to ensure your HR strategies are built for the future, helping you secure and retain the high performers who will drive your success.




References


  1. Baker McKenzie. (2025, January). Legal Bases for Processing of Personal Data | Thailand. Retrieved November 11, 2025, from https://resourcehub.bakermckenzie.com/en/resources/global-data-and-cyber-handbook/asia-pacific/thailand/topics/legal-bases-for-processing-of-personal-data

  2. CookieYes. (2024). Thailand's Personal Data Protection Act (PDPA). Retrieved November 11, 2025, from https://www.cookieyes.com/blog/thailand-personal-data-protection-act-pdpa/

  3. KPMG. (2022, June). Key penalties for non-compliance with PDPA. Retrieved November 11, 2025, from https://kpmg.com/th/en/home/insights/2022/06/legal-news-flash-issue-14.html

  4. PwC Thailand. (2024). Thailand CEO Survey 2024. Retrieved November 11, 2025, from https://www.pwc.com/th/en/ceo-survey.html

  5. Tilleke & Gibbins. (2024, April 29). Thailand Releases Master Plan for Personal Data Protection. Retrieved November 11, 2025, from https://www.tilleke.com/insights/thailand-releases-master-plan-for-personal-data-protection/7/
