+44 (0) 121 582 0192 [email protected]



The Personal Data Protection Act (PDPA) has become a significant framework for data protection and privacy in Thailand since its enactment in 2019. Its implications extend to various sectors, including education, and international schools are no exception. With the sensitive nature of children’s data, health, pastoral care, disabilities, and more, international schools in Thailand Must Keep Up with PDPA Changes and maintain a high level of governance and compliance with the PDPA. In this article, we’ll explore why international schools in Thailand must stay vigilant in updating their practices and privacy notices, revising their Registry of Processing Activities (ROPA), and conducting thorough assessments as part of their compliance efforts adjusting their compliance strategy to major amendments.


Keeping Privacy Notices Up to Date


Privacy notices play a pivotal role in PDPA compliance, communicating between the international school and individuals whose data is collected and processed. International schools must ensure that their privacy notices are compliant with the PDPA and reflect any changes to the law since its enactment.

  1. Changes to PDPA: The PDPA may undergo amendments or revisions over time. International schools must actively monitor these changes and update their privacy notices accordingly. This ensures that parents, students, and staff know how their data is used and what their rights are under the current legal framework.
  2. Transparency and Consent: Transparency is a fundamental principle of data protection. International schools should be transparent about the purposes for which data is collected, the types of data collected, and the third parties with whom data is shared. Additionally, they must obtain explicit and informed consent from individuals, especially when processing sensitive data related to children’s health, disabilities, and other personal information.
  3. The latest International School website report stated that over 70% of Thailands International Schools had failed to update their original privacy policy since the PDPA was enacted although a number of significant changes to the PDPA had been published by the PDPC. This could be penalised with an administrative fine.


Registry of Processing Activities (ROPA)


The ROPA is a comprehensive record of all data processing activities conducted by an organisation. Regularly reviewing and updating the ROPA is a critical aspect of PDPA compliance for international schools.

  1. Scope Expansion: As international schools evolve and introduce new services or data processing activities, these changes should be promptly documented in the ROPA. This includes any new systems, software, or technologies that involve personal data processing.
  2. Data Flow Mapping: The ROPA should also include data flow mapping, indicating how personal data moves within the organisation and identifying potential vulnerabilities or risks. This is particularly important when transferring data across borders or sharing data with third parties.


Assessments and Audits


International schools should proactively conduct various assessments as part of their compliance efforts and be prepared to provide evidence of their reviews if audited by the Personal Data Protection Commission (PDPC).

  1. Data Protection Impact Assessments (DPIAs): DPIAs help identify and mitigate risks associated with specific data processing activities. International schools should conduct DPIAs, especially for activities involving sensitive data such as health records or pastoral care information.
  2. Legitimate Interest Assessments (LIAs): When relying on legitimate interests as the legal basis for data processing, international schools should perform LIAs to ensure that their interests are balanced against the rights and interests of data subjects.
  3. Data Transfer Assessments: When transferring personal data internationally, international schools must conduct assessments to determine whether the receiving country offers adequate data protection. If not, appropriate safeguards should be implemented.




The PDPA imposes stringent requirements on organisations in Thailand, including international schools, regarding collecting and processing personal data. Due to the sensitive nature of children’s data and the additional responsibilities international schools bear, they are expected to maintain a higher level of governance and compliance.

Staying updated with changes to the PDPA, regularly reviewing and updating the ROPA, and conducting thorough assessments are essential steps to ensure compliance. International schools must meet the legal requirements and foster a culture of data protection and privacy awareness among their staff, students, and parents. By doing so, they can protect the rights and privacy of individuals and demonstrate their commitment to data protection in an ever-evolving regulatory landscape.

The above can be a heavy burden on staffing resources within tight school budgets. Formiti delivers PDPA  for International Schools that encompases all requirements for one low monthly fee that can not be beat.