
August 21, 2024

Creating a Response Plan for a Data Breach: What You Need to Know

By Dr. Paul Crosio

In today’s digital age, data breaches pose a significant risk to businesses, regardless of size or industry. In response to these growing threats, Thailand introduced the Personal Data Protection Act (PDPA), which came into full effect on 1 June 2022. Understanding how to manage privacy risks and develop a comprehensive response plan is essential for businesses operating in Thailand. This article outlines the legal framework under the PDPA and offers a general plan for effectively responding to data breaches.

Understanding the PDPA

Thailand’s PDPA imposes various obligations on businesses, both within Thailand and abroad, that handle the personal data of individuals residing in Thailand. According to Section 6 of the PDPA, personal data is defined broadly, encompassing any information that can directly or indirectly identify a person. This includes names and addresses, biometric data, racial or ethnic origin, IP addresses, and other potentially sensitive information. Section 26 adds that sensitive personal data requires heightened protection.

Although the PDPA does not explicitly define the “lawful use” of data, it implies that data should only be collected and used when it is directly relevant or necessary for the business’s activities. This includes everything from collecting and storing data to sharing it with third parties, which must be done with adequate safety measures.

The PDPA demands that businesses make significant investments in resources to ensure compliance. The costs of non-compliance are steep, with potential fines and penalties that could severely impact a business’s operations. As such, companies must prioritize data security to mitigate legal risks.

Understanding Legal Risk and Liabilities

Legal risk refers to the potential for legal action against a company, which can arise from data breaches or failure to secure personal data. This risk is distinct from compliance risk, which involves failing to adhere to government regulations. While legal and compliance risks can overlap, compliance issues are generally more straightforward and do not typically extend into broader legal concerns.

Under the PDPA, as under the European Union’s GDPR, data controllers and processors can be liable for actual and punitive damages, potentially reaching up to twice the amount of the actual damages awarded by the court. The PDPA also establishes an “Experts Committee” to impose administrative fines and enforcement orders for non-compliance.

Data breaches can lead to three main types of liability:

  • Civil Liability arises when data controllers or processors fail to meet PDPA requirements and thereby cause damage to data subjects. Affected individuals have three years from the date the damage became known, or ten years from the date of the wrongful act, to file for compensation.
  • Criminal Liability occurs when sensitive personal data is acquired or disclosed without consent or for purposes not disclosed to data subjects. Penalties include up to one year of imprisonment and/or fines of up to THB 1 million. Unauthorized disclosure of personal data during PDPA-related duties can result in fines of up to THB 500,000 and/or six months imprisonment.
  • Administrative Liability means that various fines can be imposed for failing to inform data subjects about data collection purposes, not providing access to personal data upon request, not notifying the PDPC within 72 hours of a breach and other violations. If a juristic person commits an offence, individuals with authority to represent that entity, such as directors, may also be liable.

Mitigating Legal Risk

Effective risk management is essential for businesses aiming to mitigate legal risks. This process involves identifying, analyzing, evaluating, treating, monitoring, and reviewing potential risks.

To treat legal risks, companies should ensure regulatory awareness and provide training for employees handling personal data. Implementing robust risk management policies and considering insurance coverage for potential damages are also prudent steps. Additionally, businesses may explore smart contracting to enhance data security.

Monitoring and reviewing legal risk involves ensuring adequate controls, analyzing past risk events, and staying vigilant for emerging threats. Continuous improvement and adaptation to changing risk landscapes are crucial for minimizing exposure to legal liabilities.

Creating a Data Breach Response Plan

When a data breach occurs, a swift and effective response is critical. If more than half of the data subjects are likely to be affected, the breach should be considered high risk and reported immediately, along with proposed remedial actions.

The PDPC’s notification on data breach handling, effective from 15 December 2022, defines a personal data breach as a violation of security measures due to intentional, negligent, unauthorized, or unlawful actions, among other causes. Data controllers are required to notify the PDPC within 72 hours of becoming aware of a breach. If this deadline cannot be met, a request for penalty relief must be submitted within 15 days.

Notifications must include a description of the breach, contact information for the Data Protection Officer, details on the likely consequences for affected individuals, and the remedial measures taken or planned. The notification may also advise data subjects on steps to protect themselves or mitigate damages.
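To make the notification requirements above concrete, here is an added example (not from the article or from Silk Legal): a small Python helper that checks a draft PDPC notification for the mandatory contents and computes the 72-hour notification deadline and the 15-day penalty-relief window. The field names are ours, and the 15 days are assumed to run from the moment of awareness, which the article does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadlines stated in the article: notify the PDPC within 72 hours of awareness;
# if that cannot be met, request penalty relief within 15 days.
# Assumption: the 15-day window is counted from the moment of awareness.
NOTIFY_WINDOW = timedelta(hours=72)
RELIEF_WINDOW = timedelta(days=15)

# Contents the article says a notification must carry (field names are ours).
REQUIRED_FIELDS = ("description", "dpo_contact", "likely_consequences", "remedial_measures")


@dataclass
class BreachNotification:
    aware_at: datetime                 # when the controller became aware of the breach
    description: str = ""
    dpo_contact: str = ""
    likely_consequences: str = ""
    remedial_measures: str = ""
    data_subject_advice: str = ""      # optional according to the article


def missing_fields(n: BreachNotification) -> list[str]:
    """Return the mandatory fields that are still empty in the draft."""
    return [f for f in REQUIRED_FIELDS if not getattr(n, f).strip()]


def assess_timeline(n: BreachNotification, now: datetime) -> dict:
    """Compute the notification deadlines relative to 'now' (timezone-aware only)."""
    if n.aware_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes to avoid off-by-hours errors")
    notify_by = n.aware_at + NOTIFY_WINDOW
    return {
        "notify_by": notify_by,
        "hours_remaining": (notify_by - now) / timedelta(hours=1),
        "notify_window_missed": now > notify_by,
        "relief_request_by": n.aware_at + RELIEF_WINDOW,
    }


# Constructed sample: awareness at 09:00 Bangkok time (UTC+7); remedial measures not yet recorded.
BKK = timezone(timedelta(hours=7))
SAMPLE = BreachNotification(
    aware_at=datetime(2024, 8, 1, 9, 0, tzinfo=BKK),
    description="Misconfigured storage bucket exposed customer contact records",
    dpo_contact="dpo@example.com",
    likely_consequences="Phishing risk to affected customers",
)

if __name__ == "__main__":
    print(missing_fields(SAMPLE))                                      # ['remedial_measures']
    print(assess_timeline(SAMPLE, SAMPLE.aware_at + timedelta(hours=80)))
```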

A comprehensive response plan should not rely solely on the Data Protection Officer. Forming a dedicated data breach response team with clearly defined roles and responsibilities is advisable. This team should include top executives, IT and cybersecurity experts, legal counsel, and human resources personnel, particularly if employee data is involved.

In addition, companies should maintain a contact list for external stakeholders, including regulatory authorities, third-party service providers, legal counsel, insurers, and cloud service providers (CSPs).

A robust data breach response plan should include the following steps:

  • Mitigating the impact: Take immediate action to minimize the damage caused by the breach.
  • Activating data loss and recovery processes: Implement pre-defined procedures to recover lost data.
  • Informing stakeholders and authorities: Promptly notify all relevant parties and regulatory authorities.
  • Continuing data security efforts: Maintain security measures even after the breach has been contained.
  • Determining the cause of the breach: Conduct a thorough investigation to identify the breach’s source.
  • Eradicating vulnerabilities: Address and fix the vulnerabilities that led to the breach.
  • Implementing a follow-up plan: Reassure and support customers affected by the breach.
  • Monitoring and improving response efforts: Continuously assess the incident response to identify areas for improvement.

In an era where data is critical, businesses must be prepared to respond effectively to breaches. By understanding the legal landscape under the PDPA and implementing a comprehensive response plan, companies can better protect their interests and those of their customers.

Dr. Paul Crosio
Partner, Silk Legal
