Keeping Data Secure in Thailand
New Personal Data Security Standards for Data Controllers Subject to Thailand’s Personal Data Protection Act (PDPA)
On July 17, 2020, an Announcement of the Ministry of Digital Economy and Society on Standards for Maintaining the Security of Personal Information in 2020 (Official Notification) was published in Thailand’s Government Gazette. This Official Notification sets forth new “interim” data security standards for data controllers subject to Thailand’s Personal Data Protection Act (PDPA). These new requirements took effect on July 18, 2020 and remain in effect until May 31, 2021. The latter date should ring a bell: the period of postponement of partial enforcement of the PDPA ends on that date.
The Official Notification sets out minimum administrative, technical, and physical safeguard measures to ensure the “security of personal information” processed by data controllers (Standards). The Official Notification defines the phrase “security of personal information” as the maintenance of the confidentiality, accuracy, integrity, and availability of personal information (PI) in order to prevent the loss of, or improper access to, use, alteration, or disclosure of, such information. The Official Notification does not prescribe specific data security controls, such as the use of encryption for data at rest or in transit; the Standards are outcome-based, so each data controller must select its own controls and be able to show that they satisfy these overarching requirements.
New Personal Data Security Standards
The Standards require data controllers to ensure the security of the PI they process by implementing the following measures:
- Access Controls: Appropriate controls must be in place to limit access to PI and to any equipment used for processing and storing PI.
- Access Rights: PI access authorization or permission criteria must be established to limit access to such information and the rights and responsibilities of anyone who accesses PI must be defined to ensure the security of such information.
- Access Management: User access management protocols must be in place to ensure that access to PI is limited to authorized personnel.
- Unauthorized Access: User responsibilities must be clearly specified to prevent unauthorized access to, disclosure of, and copying of PI and the theft of any equipment that may collect or process such information.
- Traceability: Measures must be in place to ensure that any access to, transfer of, alteration of, or deletion of PI can be monitored and traced back to the person or system responsible.
- Training: Personnel, officers, employees, and related persons must be notified of and acknowledge these Standards to foster awareness of the importance of protecting PI.
The Standards establish a base to ensure the confidentiality and security of PI processed by data controllers. Data controllers may elect to apply specific data security standards that differ from those prescribed in the Official Notification, provided that such standards ensure at least the same level of protections as those prescribed in the Official Notification.
The old saying that “a good bell is heard from far, a bad one still further” continues to ring true today. Many data controllers may already have robust data security measures in place that meet the requirements prescribed in the Official Notification. For those that do not have these “good bells” in place, it is time to implement adequate administrative, technical, and physical data security standards and adopt effective data security training programs for their employees.
The failure to implement such measures may unnecessarily leave the PI of Thailand residents processed by your company at risk of compromise or other loss and expose your company to adverse reputation and other risks. A data breach can be devastating for any company. When customers lose trust in a company, they will take their business, and their money, elsewhere. Don’t let the lack of data security standards ring the closing bell for your company.