Thailand: Implemented Personal Data Protection Act (PDPA) including cybersecurity regulation

On 1 June 2022, the Personal Data Protection Act (PDPA) will enter into force. It mandates that data controllers implement security measures to prevent unauthorized or unlawful access, use, alteration, or disclosure of personal data, with regular reviews to ensure their effectiveness. In the event of a data breach, controllers are required to notify the Office of the Personal Data Protection Committee within 72 hours and inform affected individuals if the breach poses significant risks to their rights. Access to personal data must be restricted to authorized individuals, and systems should be in place for data deletion or destruction when no longer needed. Additionally, when sharing data with third parties, controllers must ensure that the recipients handle the data in accordance with legal requirements.