As coming into force since 2 July 2014, the Personal Data Protection Act 2021 (PDPA) requires that all organizations, including small and medium enterprises (SMEs), to appoint a DPO (Data Protection Officer) and to adhere with the regulation to govern the collection, use and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.