Under the Personal Data Protection Act (PDPA) in Thailand, data controllers and processors are required to implement technical and organizational measures to ensure the security of the personal data they process. The following areas are a good starting point in creating a data protection framework to achieve and maintain personal data protection for your organisation.
- Access controls: Access to personal data should be limited to authorized personnel only. This can be achieved through the use of password-protected accounts and multi-factor authentication. Two models for deciding who may access what are Role-based access control (RBAC) and Mandatory access control (MAC); both will be covered in our next post.
- Encryption: Personal data should be encrypted both in transit and at rest using industry-standard encryption protocols. Advanced Encryption Standard (AES) is a widely used symmetric encryption algorithm approved by the National Institute of Standards and Technology (NIST). Triple Data Encryption Standard (3DES) is a symmetric encryption algorithm that applies the Data Encryption Standard (DES) algorithm three times to provide stronger encryption than single DES; it uses a 64-bit block size and key sizes of 56, 112, or 168 bits.
- Data minimization: Only the minimum amount of personal data necessary for the purpose of the processing should be collected and processed. Data that is no longer needed should be securely deleted or destroyed.
- Data backup and recovery: Regular backups of personal data should be taken and stored securely to ensure that data can be recovered in the event of a system failure or data loss.
- Incident response: Procedures should be in place to detect, respond to, and recover from security incidents or breaches involving personal data.
- Training and awareness: Staff who handle personal data should be trained on the requirements of the PDPA and the measures that are in place to ensure data security. This includes training on how to recognize and respond to security incidents.
- Auditing and monitoring: Regular audits should be conducted to ensure that personal data is being processed in accordance with the PDPA and that the technical and organizational measures are effective. Monitoring should also be in place to detect and prevent unauthorized access or processing of personal data. Formiti Global Privacy Assessment is a comprehensive assessment that is globally recognised.