The Personal Data Protection Act (PDPA) came fully into effect on 1 June 2022, and four new regulations under the PDPA have recently been issued and took effect on 21 June 2022. We understand that more regulations are expected soon. To summarize the four new regulations mentioned:
- There are two regulations for Data Controllers, specifying:
  - Data Controllers who are exempt from the duty to keep records under section 39 paragraph 1 (1), (2), (3), (4), (5), (6) and (8); and
  - Security measures required of Data Controllers.
- There is one regulation for Data Processors, specifying rules and methods for preparing and maintaining records of Personal Data processing activity.
- There is one regulation for Personal Data Professional Committees, specifying guidelines for issuing administrative penalties.
Further details of the regulations for Data Controllers and Data Processors appear in the table below.
| Data Controllers: exempt from the duty to keep records under section 39 paragraph 1 (1), (2), (3), (4), (5), (6) and (8) | Data Controllers: required security measures | Data Processors: rules and methods for preparing and maintaining records of Personal Data processing activity |
|---|---|---|
| The following organizations (this does not apply to persons handling sensitive data, nor to service providers required to keep data traffic under the Computer Crimes Act, other than internet cafes):<br>· Small or Medium Enterprises under the SME law<br>· Community Enterprises under the Community Enterprise law<br>· Social Enterprises under the Social Enterprise law<br>· Foundations, Associations, Religious organizations, or Nonprofit Organizations<br>· Household enterprises or suchlike | Data Controllers are required to have, and to update from time to time, security measures covering at least the following topics:<br>1. How Personal Data is collected, used and disclosed;<br>2. The organizational measures, technical measures, and physical measures;<br>3. Risks to, and protective measures for, information assets, and the protocol for any leakage of Personal Data;<br>4. How the confidentiality, integrity and availability of Personal Data are maintained;<br>5. For electronic collection, use and disclosure of Personal Data, technical information such as the servers, computer systems, etc.;<br>6. Security measures for:<br>(A) identity proofing and authentication for access control, and authorization of access to information;<br>(B) managing user access appropriately, including user registration and de-registration, user access provisioning, management of privileged access rights, management of users' secret authentication information, review of user access rights, and removal or adjustment of access rights;<br>(C) specifying user responsibilities;<br>(D) providing audit trail methods;<br>7. Raising privacy and security awareness, e.g. by distributing policies to users. | Prepare and maintain records of Personal Data processing activities containing the following information:<br>1. The Data Processor's name and identifying information;<br>2. The Data Controller's name and identifying information;<br>3. The Personal Data Protection Officer's name (if one is appointed) and identifying information, including his/her contact details;<br>4. The methods of collecting, using or disclosing Personal Data, including the Personal Data involved and the purposes of such collection, use or disclosure;<br>5. The categories of individuals or entities abroad to whom Personal Data has been sent; and<br>6. An explanation of the security measures. |
If you have questions, please feel free to contact us at firstname.lastname@example.org.