A data privacy breach refers to the unauthorized access, use, disclosure or destruction of personal data, either by an individual or by an organization. Data privacy breaches can occur in a variety of ways, including hacking, malware attacks, insider threats or simply human error.

Data privacy breaches can have serious consequences for both individuals and organizations. For individuals, a data privacy breach can lead to the theft of personal information, such as financial data or identity information, which can be used for fraud or identity theft. For organizations, data privacy breaches can lead to legal and regulatory consequences, as well as damage to their reputation and financial losses.

Under the General Data Protection Regulation (GDPR), a data privacy breach is defined as any unauthorized access, use, disclosure or destruction of personal data. This includes both accidental and intentional breaches. If an organization experiences a data privacy breach, it is required to notify the relevant supervisory authority and the individuals whose personal data has been breached. In Thailand, Personal Data Protection Committee (“PDPC”) has officially announced on how to report an incident of personal data breach to the Office of Personnel Data Protection (“Announcement”) which describes Data Controller’s duty to notify of data breach under Section 37(4) of Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) where this Announcement shall come into force and effect since this date of the announcement, i.e. 15 December 2022.

As we all know, the Data Controller is required to notify the Office of PDPC of any personal data breach without delay and, where feasible, within 72 hours. A data breach shall have the meaning as a breach of security measures that results in unauthorized or illegal loss, access, use, amendment, alteration or disclosure of personal data, whether committed intentionally, negligently, unauthorizedly, unlawfully, through computer crime, cyber threat, flaw or other means occurred by the act of the Data Controller, Data Processor, employee, staff, contractor, agent, any related person or any other factors resulting in the Confidentiality Breach, Integrity Breach and/or  Availability Breach.

When Data Controller becomes aware of or is informed of a personal data breach, the Data Controller shall evaluate the reliability of such breach without delay, whether the breach has occurred or reasonably being suspected by taking into account of organizational, technical and physical measures to confirm that a personal data breach has actually occurred. The Data Controller must conduct a risk assessment of all potential consequences for the Data Subject. For a high-risk case, the Data Controller must act independently or instruct the Data Processor to take preventive, suspending or corrective actions to ensure that the data breach is terminated or has no further impact. Furthermore, if a confirmed or reasonably suspected data breach is considered to jeopardize the Data Subject’s rights and liberties, the Data Controller must notify the Office of PDPC without delay and, where feasible, within 72 hours of becoming aware of it. Plus, the Data Controller must notify such high-risk data breaches and the remedial measures of the Data Subject as well.

Since 72 hours may be insufficient for the Data Controller and Data Processor to collect all data resulting in an inability to notify the Office of PDPC in time, in this case, the Data Controller shall prepare a reason clarification along with all documents mentioned in this Announcement and submit the same to the Office of PDPC within 15 days of becoming aware of such breach in order to have Office of PDPC consider exempting the Data Controller from liability under Section 37(4) of the PDPA, respectively.

As a result, Data Controllers and Data Processors should thoroughly read the Announcement in order to comply with the PDPA and protect the personal data that are being collected.

Author: Panisa Suwanmatajarn, Managing Partner