What the Data Controller needs to do when a Personal Data Breach occurs
The Personal Data Protection Committee (“PDPC”) is currently considering issuing a Personal Data Protection Announcement on how to report a personal data breach to the Office of the PDPC (“the Office”) and on when the breach must also be reported to the Data Subject.
According to Section 37(4) of the Personal Data Protection Act B.E. 2562 (“PDPA”), a Data Controller must notify the Office of a personal data breach without delay and, where feasible, within 72 hours after becoming aware of it. The breach may be caused by the Data Controller, a Data Processor, a Representative, any related person, or other factors such as an accident, a technological or computer-processing failure, a computer crime, or a cyber threat, and may arise from a willful, negligent, unauthorized, or unlawful act. What matters is that the event affects the confidentiality, integrity, or availability of the personal data and the rights of the Data Subject. The Announcement divides breaches into three categories: disclosure of personal data to unauthorized parties (Confidentiality Breach), unauthorized or accidental alteration of personal data (Integrity Breach), and loss of access to personal data, which may be temporary or may amount to permanent inaccessibility or destruction (Availability Breach). A single incident can fall into more than one category; for example, ransomware that exfiltrates data before encrypting it is both a Confidentiality Breach and an Availability Breach.
At the same time, the Data Controller is required to review its security measures in all aspects, namely Organizational Measures, Technical Measures, and Physical Measures, and to conduct a risk assessment of all possible effects on the Data Subject, using the risk assessment factors set out in the Announcement, to determine whether the breach is likely to result in a high risk to the Data Subject’s rights and freedoms. If it is, the Data Controller must notify the Data Subject without delay, together with the remedial measures taken. Where the Data Controller cannot contact the Data Subject for any reason, the notification may be made through a public channel, such as social media or any other means by which the public can become aware of it. Conversely, the Data Controller is not required to notify the Office if the breach is unlikely to result in a risk to the rights and freedoms of the Data Subject, for example because the data is anonymous and cannot be used to identify the Data Subject, because the data is unusable owing to adequate technological security measures (such as strong encryption with keys that were not compromised), or for other reliable reasons recognized by law. The Data Controller should document the basis for any such decision, since it bears the burden of justifying it to the Office.
Furthermore, the Data Controller must take immediate remedial action against the cause of the breach, whether by restricting access to the personal data or by any other means necessary to contain it.
The breach notification submitted to the Office must include details such as the volume of personal data that was leaked or compromised, the name and contact address of the Data Protection Officer, the consequences of the breach, the security measures the Data Controller or Data Processor has in place to prevent breaches, and the remedial actions taken in all respects, covering people, processes, and technology. If the Data Controller fails to notify the Office within the required time, it must explain to the Office the reasons and circumstances that made the delay unavoidable within 15 days of becoming aware of the breach, so that the Office can consider granting an exemption. Failure to comply with the above is an offense under the PDPA subject to administrative liability, with a fine not exceeding three million Baht.
The Announcement also contains details and sample cases on breach notification that will guide Data Controllers in determining which incidents must be reported and to whom. Data Controllers should therefore study the Announcement in order to prepare themselves for a personal data breach and to remain in compliance with the PDPA.