Notification of The Ministry of Digital Economy and Society Re: Standards on Security Protection of Personal Data B.E. 2563 (2020)
On 17 July 2020, the Ministry of Digital Economy and Society announced the security standards to be imposed on all data controllers listed in the Royal Decree issued on 21 May 2020. The requirements are as follows:
1. Data controllers must provide personal data security measures (“Personal Data Security Measures”) which should cover: (1) administrative safeguards, (2) technical safeguards, and (3) physical safeguards, in relation to “access control” with the following minimum requirements:
- Control access to personal data and access to equipment that stores and processes personal data, taking into consideration the usage and security.
- Specify the authorizations or rights to access the personal data.
- Apply user access management to limit access to personal data to authorized persons only.
- Specify user responsibilities to prevent unauthorized access to, disclosure of, knowledge of or copying of personal data, or theft of equipment that stores or processes personal data.
- Provide a process for reviewing the history of access to, and modification, deletion or transfer of, personal data, suited to the methods and media used to collect, use or disclose personal data.
2. Data controllers must notify their personnel, employees, staff and other relevant persons of the Personal Data Security Measures above, and raise their awareness of personal data protection so that they strictly comply with such measures.
Deviation from the Personal Data Security Measures above is permitted if an organization applies measures with higher security standards.
“Personal data security” is defined as the maintenance of confidentiality, integrity and availability of personal data, in order to prevent data loss or unauthorized access, use, modification, revision or disclosure.