Handling data breaches can be complicated, and it’s gaining more attention in Thailand. The Personal Data Protection Committee (PDPC) has issued clear rules and ramped up enforcement. If you’re a controller or processor under the PDPA, this guide is for you.
What Counts as a Personal Data Breach?
Thailand’s PDPC defines a personal data breach broadly to include any unauthorized or unlawful loss, access, use, alteration, or disclosure of personal data. This covers intentional acts, negligence, human error, and cyberattacks affecting the confidentiality, integrity, and availability of data.
Required Steps When a Breach Occurs
Once an organization becomes aware of, or reasonably suspects, a personal data breach, it must:
- Investigate and assess risk: Confirm whether a breach occurred and determine the level of risk to individuals’ rights.
- Contain and mitigate: If high risk, immediately implement measures to prevent further damage.
- Notify the PDPC: Report within 72 hours, including details of the nature of the breach, a contact person, the potential impact, and the remedial actions taken.
- Inform affected individuals: If high risk, notify data subjects without delay, including breach details, potential consequences, and recommendations.
- Review and prevent: After containment and notification, reassess security to prevent future incidents.
When Notification Can Be Delayed or Exempted
If the 72-hour deadline cannot be met, a waiver may be requested from the PDPC within 15 days, together with an explanation for the delay. Breaches that pose no risk to individuals (e.g., those involving encrypted data) may be exempt from notification, provided documentation is kept and shown to the PDPC on request.
What PDPC Enforcement Looks Like in Practice
The PDPC has recently stepped up enforcement, imposing millions of baht in fines. Cases have involved:
- State agencies and developers fined for privacy-by-design failures after a major cyberattack.
- Hospitals and contractors penalized over mishandled medical record destruction.
- Retailers fined for poor security and missing DPOs.
- Companies penalized for delayed breach reporting and lack of safeguards.
Why This Should Matter to You
Breach reporting under the PDPA is mandatory, and delays or failures can lead to enforcement action. Inadequate security or a poorly managed response not only increases regulatory risk but can also cause significant financial and reputational harm. Moreover, organizations remain accountable for their processors’ actions, meaning outsourcing does not reduce responsibility.