On 17 July 2020, the Ministry of Digital Economy and Society (“MDES”) issued an Official Notification on Standards for Personal Data Security B.E. 2563 (2020); effective from 18 July 2020 until 31 May 2021, which is the same period as the postponement of partial enforcement of the PDPA.

This Notification has been issued by virtue of the previous Royal Decree published on 21 May 2020, to postpone partial enforcement of the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) for data controllers of certain entities; who have obligations under the law to provide appropriate measures to secure personal data, as prescribed by the MDES.

In brief, the Notification sets minimum security standards for data controllers during the period of postponement of partial enforcement of the PDPA. The Notification defines “Personal Data Security” as maintenance of the following three key components, i.e. “confidentiality of data”, “integrity of data” and “availability of data”.

It requires data controllers to inform their security measures for protection of personal data to their staff and other relevant parties, as well as ensure the staff are fully aware of the importance of personal data protection.

Moreover, data controllers must implement security measures which include administrative safeguards, technical safeguards and physical safeguards for control of data use and access. These measures shall at least include the following:

  • Data access control;
  • Designation of data access permission and rights;
  • User access management;
  • Designation of user responsibilities; and
  • Provision of monitoring and checking methods relevant to access, alteration, deletion or transfer of personal data.

Overall, these minimum standards set forth by the Notification are in line with the concepts and principles in the ISO/IEC: 27001, which is an international standard for information security management systems.