Thailand Clarifies Data Breach Notification Requirements
Thailand’s Personal Data Protection Committee (PDPC) released clarifications on notification requirements for data breaches to assist organizations aiming to comply with data protection laws, DLA Piper staff noted in a Privacy Matters blog Monday.
“Since the full implementation of Thailand’s Personal Data Protection Act (PDPA) in June 2022, the [PDPC] has been instrumental in shaping the nation’s data protection framework,” the bloggers said. “Recently, the PDPC provided detailed clarifications on data breach notification requirements by responding to the public consultation, offering essential guidance for organizations striving to comply with the PDPA.”
According to the PDPA, data controllers must notify the office of the PDPC of a data breach within 72 hours of becoming aware of it, unless the breach does not put individuals’ rights and freedoms at risk, the blog said. The risk to rights and freedoms can be assessed by considering factors such as the nature and category of the breach, the type and volume of personal data affected and the nature of the relevant security and data storage systems, the bloggers wrote.
But when personal data breaches pose a risk, data controllers should notify the PDPC as soon as possible, said the blog, and then submit further details once more information is available and the investigation has progressed. If there are unavoidable circumstances, data controllers can notify the PDPC within 15 days of the breach, along with an explanation as to why there was a delay in notification, the bloggers said.
“Data controllers can now make informed decisions about whether to report a data breach using the outlined criteria for assessing the risk to individuals’ rights and freedoms,” said the blog. “By adhering to these clarifications, business operations can protect individuals’ rights and freedoms while maintaining compliance with the PDPA.”