Since the full implementation of Thailand’s Personal Data Protection Act (PDPA) in June 2022, the Personal Data Protection Committee (PDPC) has been instrumental in shaping the nation’s data protection framework. Recently, the PDPC provided detailed clarifications on data breach notification requirements by responding to the public consultation, offering essential guidance for organizations striving to comply with the PDPA.
Data Breach Risk Assessment
Under the PDPA, data controllers are required to notify the Office of the PDPC of a data breach incident without delay and within 72 hours of becoming aware of the breach, unless the breach poses no risk to individuals’ rights and freedoms.
The PDPC clarified that data controllers should assess the risk to individuals’ rights and freedoms by considering the factors outlined in Section 12 of the Notification of the Personal Data Protection Committee on Criteria and Procedures for Personal Data Breach Notification B.E. 2565 (2022) (the “Notification”).
These factors include:
- The nature and category of the personal data breach.
- The type and volume of affected personal data, and the status of the affected data subjects (e.g., minors, disabled persons, vulnerable individuals).
- The severity of the impact and potential damage to the affected data subjects, including the effectiveness of the preventive or remedial measures.
- The broad-ranging effects of the breach on the data controller’s business or on the public.
- The nature of the relevant data storage system and associated security measures, including organizational, technical, and physical measures.
- The legal status of the data controller.
If data controllers determine that the breach poses no risk to individuals’ rights and freedoms by considering these factors, they are not obligated to notify the PDPC. However, the PDPC advised that data controllers retain all information, documents, and records related to the risk assessment as evidence in case of future complaints, regulatory inquiries, or inspections.
Starting the 72-Hour Period
The PDPC advised that the 72-hour notification period begins when the data controller reasonably believes a breach has occurred or is likely to occur, based on a preliminary assessment and verification as specified in Section 5 of the Notification.
According to Section 5 of the Notification, upon being informed of a data breach incident, data controllers must first verify the credibility of the information, promptly investigate the relevant facts, and review the security measures in place (for both themselves and their data processors), including investigating the data controllers’ and their processors’ personnel, to determine whether there are reasonable grounds to believe a breach has occurred.
The PDPC further clarified that the precise commencement of this 72-hour period must be evaluated individually for each case. In certain situations, breaches may be immediately evident, such as when personal data is mistakenly sent to an incorrect email recipient. Conversely, other cases may necessitate additional time to verify the breach, such as when investigating a reported data leak resulting from a cyberattack. Data controllers should exercise their judgment to ascertain when there are sufficient grounds to suspect a breach has occurred.
Phased Notification and Late Notification of Data Breaches
The PDPC explained that in cases where a personal data breach poses a risk to the rights and freedoms of individuals, data controllers may consider notifying the PDPC in phases. Initially, data controllers should report the breach as soon as possible, providing preliminary information. Additional details can be submitted later once further investigation has been conducted and more information is available.
If a data controller is unable to notify the PDPC within the 72-hour timeframe, they must do so as soon as possible, but no later than 15 days from becoming aware of the breach. The data controller must provide a valid explanation and relevant details to the PDPC, demonstrating that the delay was due to unavoidable circumstances.
This approach provides flexibility and allows data controllers to manage breaches effectively while ensuring compliance with the legal requirements.
Conclusion
The clarifications provided by the PDPC on data breach notification requirements are essential for organizations striving to comply with the PDPA. Data controllers can now make informed decisions about whether to report a data breach using the outlined criteria for assessing the risk to individuals’ rights and freedoms. The emphasis on timely notification given by the PDPC further allows data controllers to manage data breaches effectively. Additionally, the guidance on phased notifications and allowances for delayed reporting provides flexibility for data controllers in dealing with breaches, ensuring they can meet legal requirements. By adhering to these clarifications, business operations can protect individuals’ rights and freedoms while maintaining compliance with the PDPA.