On 15 December 2022, the Personal Data Protection Committee (PDPC) adopted a guideline on assessing the risk of and reporting personal data breaches. The guideline serves as a reference for personal data controllers on the procedures for reporting breaches to the Office of the Personal Data Protection Committee and to the affected data subjects. It outlines the obligation under the Personal Data Protection Act B.E. 2562 (2019) for controllers to report a breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals' rights and freedoms. The guideline also provides examples of risk assessments for different breach scenarios, helping controllers determine when and how to notify both the Office and data subjects.