Since the Personal Data Protection Act was enacted in 2019, with several delays and adjustments along the way, many private companies, as well as government agencies, have been unsure about the direction to take. Some have begun to neglect the importance of data protection, or even ignore it due to the unclear nature of the law and regulations. However, on August 21, 2024, the Personal Data Protection Committee (PDPC) imposed a fine of over 7 million baht on a private company for a data breach, as detailed in the video below.
The Reasons and Details Behind the Fine are as Follows:
1) The company that was fined collected personal data from over 100,000 customers and used this data in its core business operations but did not appoint a Data Protection Officer (DPO) as required by law. This failure resulted in the company being unable to address or resolve the issue when a data breach occurred, violating Section 41 of the Personal Data Protection Act (PDPA) of 2019.
2) The company lacked the appropriate security measures mandated by the PDPA, leading to a data breach that exposed customer data to criminal groups such as call-center scam gangs, causing widespread damage. This violated Section 37(1) of the PDPA.
3) When complaints were made by the affected individuals, the company ignored them and delayed notifying the Personal Data Protection Committee (PDPC). As a result, the issue could not be rectified in a timely manner, violating Section 37(4) of the PDPA.
Summary of the Fines
Failure to appoint a Data Protection Officer (DPO): A fine of 1 million baht.
It's important to note that simply appointing a DPO is not enough; organizations must follow proper procedures for the DPO’s role, which includes conducting audits, liaising with external agencies, and ensuring that the DPO is actively involved in compliance processes. Failure to implement these practices can lead to penalties, including imprisonment.
Failure to report the data breach to the PDPC within the legal time frame: A fine of 3 million baht.
Section 37(4) of the PDPA requires data controllers to report data breaches to the relevant authorities within 72 hours after becoming aware of the breach unless the breach poses no risk to individuals’ rights and freedoms. If the breach presents a high risk, the company must also inform the affected individuals and provide a remediation plan. In this case, the company failed to notify the PDPC promptly, which further exacerbated the violation.
Inadequate data security measures: A fine of 3 million baht.
Under Section 37(1), data controllers must implement appropriate security measures to protect against unauthorized access, use, modification, or disclosure of personal data. These measures should be regularly reviewed and updated in response to technological advancements. Given the company’s size and the amount of data involved, the lack of adequate IT security measures was a significant violation.
Just thinking about...
Your company must take the PDPA seriously. While the fine of 7 million baht is substantial, it does not include the compensation the company may have to pay to the affected individuals. This could lead to prolonged court cases, further financial loss, damage to reputation, and a loss of trust, not to mention the time and resources that will be consumed.