PDPA Phase 2 for Professional Services: Moving from Paper Policies to Practical Compliance

For two years after the Personal Data Protection Act took full effect in June 2022, the Personal Data Protection Committee operated primarily in education mode. Workshops, guidance documents, and awareness campaigns dominated the PDPC’s public output. Enforcement was slow to follow, and many boutique professional services firms concluded, reasonably enough, that compliance was a formality: publish a privacy policy, add a consent tick box to the website, and move on.

That reading is no longer accurate. In August 2025, the PDPC issued a single enforcement batch covering eight fines across six cases and nine administrative orders, bringing cumulative penalties to 21.5 million baht. The fines ranged from ฿153,000 against a government agency to ฿7,000,000 against an IT equipment retailer. A system developer working as a data processor for a toy retailer was fined ฿3,000,000, more than six times the ฿500,000 fine levied against the retailer it served. The regulator is no longer waiting.

What the Enforcement Record Shows

The August 2025 enforcement batch is the clearest signal yet that the PDPC has moved into its operational phase. The cases covered healthcare, retail, technology services, and government, but the violation types were consistent across sectors: missing data processing agreements with contractors, failure to report breaches to the PDPC, absent data protection officers, weak access credentials, and inadequate oversight of third-party data handlers.

Two cases are particularly instructive for professional services firms.

In the hospital case, approximately 1,000 patient medical records were leaked when a contractor stored files improperly at home. The hospital, as data controller, was fined ฿1,210,000. The contractor, as a data processor without an adequate data processing agreement in place, was fined separately. The absence of a formal DPA between the hospital and its contractor was a central factor in both penalties.

In the cosmetics company case, inadequate security measures allowed a breach that enabled call center scams against affected customers. The violation was not that the company collected personal data. It was that the company failed to implement reasonable safeguards against foreseeable misuse of that data.

The pattern across all August 2025 cases is the same: the PDPC is not fining firms for having a privacy policy that is slightly out of date or a consent notice that is imperfectly worded. It is fining firms for operational failures, specifically for the gap between what a privacy policy says and what the firm’s actual data handling practices do.

Why Professional Services Firms Are High-Risk Targets

Accounting and law firms occupy a specific and exposed position under the PDPA. They act as data processors for client personal data in almost every engagement: individual identification documents submitted for company formation, payroll records processed as part of bookkeeping, tax identification details used in Revenue Department filings, and personal financial records reviewed in the course of an audit.

The Federation of Accounting Professions has recognised this exposure directly. TFAC published a five-chapter compliance framework specifically for bookkeeping and audit offices, covering lawful processing frameworks, data subject rights procedures, breach response protocols, security measures, and the documentation requirements that the PDPC expects to see in an enforcement review. The existence of that guidance signals that accounting firms are considered a category that needs specific compliance attention, not a category that can rely on generic business PDPA frameworks.

The hospital case maps almost exactly onto the risk profile of a boutique accounting or law firm. A firm principal who manages client documents by forwarding them to a part-time bookkeeper or a freelance paralegal via email, without a data processing agreement in place, is replicating the structural failure that produced the hospital contractor penalty. The contractor stored client files improperly. The junior staff member forwarding client tax documents to a personal email for home working is doing something materially similar in PDPA terms.

The Shadow IT Problem

The biggest practical compliance gap at Thai boutique professional services firms is not the absence of a privacy policy. It is shadow IT: the daily use of consumer-grade applications to handle client personal data, without any of the controls that the PDPA requires.

A staff member who sends a client’s national ID number via LINE to a colleague is transmitting personal data through an application that has no data processing agreement with the firm, stores data on servers outside the firm’s control, and provides no audit trail for who accessed what and when. A junior accountant who uploads a client’s financial records to a personal Google Drive to work from home is placing that data in a storage environment the firm has never reviewed for PDPA compliance and cannot audit if a breach occurs.

These are not edge cases. They are the normal operational behaviour of firms that have not provided a compliant alternative. Staff use LINE because it is fast and familiar. Staff use personal cloud storage because the firm has not given them a secure alternative. The compliance risk is a structural consequence of the tooling gap, not of individual carelessness.

The toy retailer enforcement case illustrates how processor liability works in this context. The system developer who built and managed the retailer’s booking system was fined ฿3,000,000, more than six times the ฿500,000 fine against the retailer itself. The developer was the data processor. The absence of a formal DPA and the developer’s own inadequate security practices made it the primary enforcement target. Any third party that handles a firm’s client data — a freelance bookkeeper, a document scanning service, a software tool with access to client records — is a potential data processor. If there is no DPA, the firm has no contractual basis to enforce data protection standards on that third party, and no documentary evidence to show the PDPC that it tried.

Vendor Governance as the Most Immediate Upgrade

The fastest way for a boutique professional services firm to improve its PDPA compliance posture in 2026 is vendor governance: reviewing every tool and third party that touches client personal data and ensuring that a data processing agreement is in place for each one.

A DPA does not need to be a complex document. It needs to specify what personal data is being processed, for what purpose, on what legal basis, with what security measures in place, and what happens in the event of a breach. Most reputable software vendors serving professional services firms have standard DPA templates available. Signing one takes less time than most firms spend on a single client meeting.

The review process itself is valuable because it forces the firm to map where client personal data actually goes. Most boutique firms, when they undertake this exercise, discover that data is flowing through more channels than they realised: a transcription tool that captures client names and financial details in meeting recordings, a form tool that stores client intake responses on third-party servers, a cloud storage account that a former staff member still has access to. Each of those flows is a potential compliance gap.

TFAC’s guidance emphasises documentation as a baseline requirement: records of processing activities, consent records, breach response logs, and data subject request procedures. A firm that cannot produce these records in an enforcement review is in the same position as the August 2025 cases: technically aware of PDPA obligations, operationally unprepared to demonstrate compliance.

What Practical Compliance Looks Like in 2026

Practical compliance in 2026 is not about achieving perfection across every PDPA requirement simultaneously. It is about closing the operational gaps that the PDPC’s enforcement record shows it is actually looking for: documented processing activities, contractor oversight, security measures proportionate to the sensitivity of the data, and a breach response procedure that the firm can actually execute.

The TFAC five-chapter framework gives accounting firms a structured starting point. Work through it chapter by chapter: establish the lawful basis for each category of personal data the firm processes, implement a procedure for data subject access and deletion requests, document the security measures in place for each data category, train staff on what constitutes a breach and how to report it, and maintain the records that demonstrate the above.

For a law firm, the same framework applies with the addition of specific attention to legal professional privilege and the interaction between PDPA data subject rights and confidentiality obligations: a data subject request for deletion cannot override a legal hold obligation, and the procedures need to reflect that.

FirmFlow replaces the tooling gap that creates shadow IT. Rather than staff forwarding client documents through LINE or uploading them to personal drives, the firm has a single secure workspace where client records, document uploads, meeting summaries, and intake submissions all sit within one access-controlled environment. Audit trails are maintained automatically. The vendor relationship is covered by a PDPA-compliant data processing agreement. Sensitive client data does not leave the platform’s secure perimeter.

The PDPC’s enforcement record does not suggest that boutique professional services firms are the primary target in the next enforcement cycle. But the violation types that produced ฿21.5 million in fines are exactly the violation types that characterise how most boutique firms currently handle client data: missing contractor DPAs, inadequate security measures, no documented breach response. Closing those gaps now, while the enforcement focus is still on larger and more visible organisations, is materially easier than closing them under regulatory scrutiny.