On 24 May 2021, the Notification of the Ministry of Digital Economy and Society re: Standards for Maintaining Security of Personal Data, B.E. 2564 (2021) (the "New Security Notification") was published in the Government Gazette. This New Security Notification extends the effective period of the security obligations as set out in the Notification of the Ministry of Digital Economy and Society re: Standards for Maintaining Security of Personal Data, B.E. 2563 (2020) (the "Previous Security Notification") until the end of 31 May 2022, i.e. right before the fully effective date of the PDPA.

This means that while the PDPA is postponed, data controllers must continue to comply with the security obligations.

The Previous Security Notification prescribed rules and requirements concerning the security of personal data, including the maintenance of confidentiality, integrity, and availability of personal data, and the prevention of the unlawful loss, access to, use, alteration, correction or disclosure of personal data.

It further sets out the following key obligations:

  • Implementing the Security Measures: data controllers are required to implement security measures in relation to access control which must cover administrative, technical, and physical safeguards and must at least cover the operations prescribed in the Previous Security Notification.
  • Notifying the Security Measures: data controllers are required to inform its personnel, employees or associated persons of the security measures that the data controller has implemented in accordance with the minimum requirements prescribed in the Previous Security Notification, as well as create awareness among these persons of the importance of personal data protection and ensure their strict compliance with the prescribed security measures.

Companies are required to continue to prepare and implement the security measures and consider whether their existing privacy and security related policies meets the requirements under the Previous Security Notification.