As covered in part one of this series the PDPC released amendments and notifications of changes to the Thailand PDPA law. The second of these is covered below.
PDPC Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022)
The Thailand PDPA mandates, data controllers. To ensure appropriate security measures for the prevention of unauthorized, unlawful loss, access to, use, alteration, correction, or disclosure of an individual’s personal data.
Controllers should at least carry out an annual review of the measures, or when any changes to the technology involved in the processing of personal data have changed therefore ensuring the maintenance of the appropriate levels of security and safety required under the PDPA Law.
The notification has been issued to detail the minimum standard of the above-mentioned security measures. Including but not limited to,
- Data controllers must maintain the required security measures and ensure they are applied to all personal data under their control.
- Data controllers must implement and apply governance on the implemented technical and organisational measures including any physical security controls introduced. Such measures should be applied in full to mitigate the risk of data breaches and the consequences of any data breach that may occur.
- When designing and implementing such measures a comprehensive Data Protection Impact Assessment is often the best way of exploring any risks within data processing activities undertaken by the controller.
- Data controllers must ensure that they maintain the security of the CIA Triad being Confidentiality, Integrity and availability of individuals’ data under its control.
- Security measures in relation to the collection, processing, access, use, modification, disposal, or disclosure of an individual’s personal data are substantially similar to the standard that is required under the MDES Notification – which includes, data access control, user access permissions management, data handling responsibilities, audit and logging activities, etc. However, the Security Measures Notification sets additional requirements.
- Access control is the approach of ensuring the user’s identity who is accessing the data and their access permissions to the said data.
- The adoption of role-based access control or the access by the principle of least permissions or similar high standards.
Formiti International has extensive expertise in achieving and completing PDPA compliance and complimentary services. We have a full catalogue of PDPA services from global PDPA assessment, outsourced DPO service, and PDPA compliance within 15 days service.