PDPA Update: Thailand Issues Security Standards for Personal Data

July 30, 2020

On July 17, 2020, Thailand’s Ministry of Digital Economy and Society (MDES) issued a notification in the Government Gazette setting out the minimum security standards for personal data under the Personal Data Protection Act (PDPA). This MDES notification is effective from July 18, 2020, to May 31, 2021.

The minimum standards imposed by the notification are broadly in line with generally accepted security standards around the world, which are codified in the ISO/IEC: 27001 information security standard published by the International Organization for Standardization (ISO). However, those already familiar with the ISO/IEC standards will notice that the MDES Notification does not go into the same amount of detail or guidance.

Comparisons of key elements of the MDES notification with the corresponding elements of the ISO/IEC: 27001 standard are provided below for ease of reference.

The security standards prescribed by the MDES notification require the implementation of administrative safeguards, technical safeguards, and physical safeguards for access control when using personal data. These safeguards should be achieved by implementing the measures listed in the left-hand column below (again compared to the corresponding measures in the ISO/IEC: 27001 standard).

The standards set out in the notification are the minimum measures that must be taken by data controllers, and there is no limitation on standards or measures that provide additional levels of security to the minimum requirements (such as ISO/IEC 27001). As such, many international organizations may wish to consider adopting data protection standards that go above and beyond the requirements of the new Thai notification in order to standardize their data protection requirements across multiple jurisdictions, ensuring legal compliance. The MDES minister is empowered to enforce this notification.