Data Breaches Root Cause Trends

Introduction: data breaches, how can organisations improve?


With the new focus on digital privacy and data privacy regulations, data breaches are increasingly in the news. Global data privacy regulations have outlined the types of data that are considered sensitive and the penalties for a breach. Global data protection laws, as well as the number of high-profile data breaches, have caused organizations to commit to a greater focus on privacy. Organizations are actively working to decrease their potential exposure to a data breach by enhancing their cyber-security defenses.


When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.


Common causes of data breaches


Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can be caused by a variety of different reasons.


Here we define seven different causes of data breaches:


  1. Accidental Web/Internet Exposure: Sensitive data is accidentally placed in a location accessible from the Web. The news stories about improper usage of Amazon S3 permissions (and other cloud storage) fall into this category.
  2. Data on the Move: Securing data in transit is often a challenge for companies. Using HTTP and other insecure protocols is a common cause.
  3. Employee Error/Negligence/Improper Disposal/Lost: This category covers all data breaches caused by employee negligence. Data security policies that are weak and/or unenforced can lead to unintentional data breaches.
  4. Hacking/Intrusion: Data breaches involving an external party (i.e., a hacker) are what most people expect when they hear of a data breach. This category includes phishing, malware/ransomware and skimming.
  5. Insider Theft: This category also deals with employees, but covers cases where insiders are intentionally breaching sensitive data.
  6. Physical Theft: Laptops and mobile devices commonly store sensitive or valuable data. These devices can easily be lost or stolen when brought to public areas.
  7. Unauthorized Access: Poorly designed or implemented access controls can allow people to access data that they are not authorized for.

Data breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches.


Causes of large data breaches


Data breaches occur practically every day. According to statistics, there were 264 breaches in Q1 2019, or almost three breaches per day on average.

However, we don’t hear about most of these breaches on the news. Only the “huge” breaches make the headlines. In this section, we’ll break down the major causes of breaches in two ways: based on the number of records exposed in a single breach, and based on the number of records exposed in Q1 2019 by each breach type.


Causes of the largest breaches


In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table.


| Organization | Publication Date | Exposed Records | Root Cause |
|---|---|---|---|
| Centerstone Insurance and Financial Services d/b/a Benefitmall | 1/4/2019 | 111,589 | Hacking/Intrusion |
| Columbia Surgical Specialist of Spokane | 2/18/2019 | 400,000 | Hacking/Intrusion |
| UConn Health | 2/21/2019 | 326,629 | Hacking/Intrusion |
| University of Washington Medical Center | 2/19/2019 | 973,024 | Accidental Web/Internet Exposure |
| Health Alliance Plan | 3/7/2019 | 120,344 | Hacking/Intrusion |
| Navicent Health | 3/22/2019 | 278,016 | Hacking/Intrusion |
| Federal Emergency Management Agency (FEMA) | 3/15/2019 | 2,300,000 | Employee Error |
| ZOLL Services LLC | 3/18/2019 | 277,319 | Not Disclosed |


You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn’t make it the most damaging. The FEMA breach exposed more records than all Hacking/Intrusion breaches put together, but it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.


Causes of most lost records in March 2019


In March 2019, ITRC began including additional information in their breach reports. This information included a breakdown of the number of records breached in that month, based on the cause of the breach.


| Root cause | Exposed Records (%) |
|---|---|
| Employee Error/Negligence/Improper Disposal/Lost | 2,313,460 (69.6%) |
| Unauthorized Access | 427,356 (12.9%) |
| Accidental Web/Internet Exposure | 381,812 (11.5%) |
| Hacking/Intrusion | 178,038 (5.4%) |
| Physical Theft | 21,221 (0.6%) |
| Data on the Move | 2,088 (0.1%) |
| Insider Theft | 0 (0%) |

As shown, employees were the cause of the majority of breached records in March 2019. While this information is skewed by the fact that 2,300,000 of the breached records were included in a single breach, the fact that the top three causes of breaches can all be considered internal errors means that organizations need to focus on fixing internal process errors as much as they need to devote time and resources to keeping attackers out.

Many organizations purchase generic online training materials and privacy awareness materials. Whilst these can be informative, they are generalized and often do not reflect your organisation’s data processing operations. Bespoke training for your organization ensures your employees fully understand the importance of data privacy and enhance their data handling processes, leading to high levels of customer satisfaction.


The Relentless GDPR Data Privacy model can be used to set benchmarks for organizations starting out, and can also be used by organizations that have an existing privacy function and some components of a privacy program. The Relentless GDPR Data Privacy model provides a structured means to assist in identifying and documenting current privacy initiatives, determining their status and assessing it against the global privacy maturity model criteria. Complete the enquiry form for more details.

Thailand PDPA Embedding Privacy by Design and Default

What is data protection by design exactly?


The PDPA guides that the impact of any processing activities when developing a new product, technology or service should be taken into account from the beginning and throughout the life cycle of the product. Security and privacy measures should be integrated into the project, rather than being an afterthought in a post-design “checkbox” exercise. Companies and organisations who act quickly and proactively to implement the new regulatory requirement will be in pole position to ensure their products and services are compliant for the new PDPA era.


The origins of data protection by design and its seven principles


The concept of data protection by design is far from new, with some of the initial discussion and considerations for the topic extending back as far as the 1970s. What is new is the fact that the Thailand Data Protection Regulation (PDPA) now provides organisations an opportunity to take privacy by design into account from the conception of a new product, technology or service.

The modern version of data protection by design (and default) can be traced back to the seven principles of privacy by design:


Proactive not reactive, preventative not remedial


Being proactive means that data privacy risks should be foreseen, be at the center of planning and be mitigated before they can manifest, rather than rectified on a reactive basis. An ancillary benefit of this type of approach is potential protection from public exposure of data privacy issues which could cause reputational harm (e.g., the Marriott Hotel Group breach). From the initial conception and design of a new product, technology or service, organisations should begin to plan the implementation of data-protection-enhancing measures:

  • A clear commitment, at the highest levels, to set and enforce high standards of privacy − generally
    higher than the standards set out by global laws and regulation.
  • A privacy commitment that is demonstrably shared throughout by user communities and stakeholders,
    in a culture of continuous improvement.
  • Established methods to recognize poor privacy designs, anticipate poor privacy practices and
    outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and
    innovative ways.


Privacy as the default


The highest settings of privacy should be enabled by default for the user when they utilize any system or access any service. This means that if the user does nothing to change the standard settings, their protection remains full. This guarantees that no action is required on the part of the user to protect their privacy.

Privacy by default also extends to data retention periods: personal data should only be kept and stored as long as it is necessary for the operation of the product or service. This often translates into creating the mandated data retention schedule and designing and testing the processes that execute those retention periods. Products, technologies and services should by default protect individuals’ data to the maximum, even if organisations may still want to include options where the data subject can disable these measures. Presenting data subjects with choice over what happens with their data is the cornerstone of any new data protection administration within a forward-thinking organisation.

  • Purpose Specification – the purposes for which personal information is collected, used, retained and
    disclosed shall be communicated to the individual (data subject) at or before the time the information
    is collected. Specified purposes should be clear, limited and relevant to the circumstances.
  • Collection Limitation – the collection of personal information must be fair, lawful and limited to that
    which is necessary for the specified purposes.
  • Data Minimization − the collection of personally identifiable information should be kept to a strict
    minimum. The design of programs, information and communications technologies, and systems
    should begin with non-identifiable interactions and transactions, as the default. Wherever possible,
    identifiability, observability, and linkability of personal information should be minimized.
  • Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal
    information shall be limited to the relevant purposes identified to the individual, for which he or she
    has consented, except where otherwise required by law. Personal information shall be retained only as
    long as necessary to fulfil the stated purposes, and then securely destroyed.


Data protection embedded into the design 


Privacy measures should form the foundation stone upon which the whole system/service is built, rather than being glued on at the end of the development cycle. The advantage of embedding these measures is that data protection becomes an essential part of the product, technology or service, affording the highest degree of protection from the very start.

  • A systemic, principled approach to embedding privacy should be adopted − one that relies upon
    accepted standards and frameworks, which are amenable to external reviews and audits. All fair
    information practices should be applied with equal rigor, at every step in the design and operation.
  • Wherever possible, detailed privacy impact and risk assessments should be carried out and published,
    clearly documenting the privacy risks and all measures taken to mitigate those risks, including
    consideration of alternatives and the selection of metrics.
  • The privacy impacts of the resulting technology, operation or information architecture, and their uses,
    should be demonstrably minimized, and not easily degraded through use, reconfiguration or error.


Full functionality, positive-sum, not zero-sum


Functionality of a product or service should not be compromised as a result of trade-offs from “false dichotomies” such as privacy vs. security; rather, an approach should be adopted where both can be achieved in a “win-win” situation.

  • When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimized.
  • Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests, design objectives, and technical capabilities, in a given domain. Privacy by Design rejects taking such an approach – it embraces legitimate non-privacy objectives and accommodates them, in an innovative positive-sum manner.
  • All interests and objectives must be clearly documented, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favor of finding a solution that enables multi-functionality.


End-to-end security for the life-cycle of the product


Privacy by design must consider security from the “cradle to the grave”. Information is always afforded the appropriate security throughout the life cycle of the product (from collection to processing and finally destruction). There should be no gaps where security measures are not applied to the data processed. Choosing and implementing the correct levels of data security measures for the product, technology or service from the beginning of the project is essential to meeting this requirement.

  • Security − Entities must assume responsibility for the security of personal information (generally
    commensurate with the degree of sensitivity) throughout its entire life cycle, consistent with standards
    that have been developed by recognised standards development bodies.
  • Applied security standards must assure the confidentiality, integrity and availability of personal data
    throughout its life cycle including, inter alia, methods of secure destruction, appropriate encryption,
    and strong access control and logging methods


Visibility and transparency


Data subjects who are having their information processed are entitled to be fully informed of what is actually happening with their personal data, from the point it is collected to the point it is deleted.
The PDPA takes an active role in heightening visibility and transparency for data subjects by increasing their rights over their personal data. Having strong processes for rights such as Data Subject Access Requests or Right to Erasure requests is a vital step in the privacy by design approach.

  • Accountability – The collection of personal information entails a duty of care for its protection.
    Responsibility for all privacy-related policies and procedures shall be documented and communicated
    as appropriate, and assigned to a specified individual. When transferring personal information to third
    parties, equivalent privacy protection through contractual or other means shall be secured.
  • Openness – Openness and transparency are key to accountability. Information about the policies and
    practices relating to the management of personal information shall be made readily available to
  • Compliance – Complaint and redress mechanisms should be established, and information
    communicated about them to individuals, including how to access the next level of appeal. Necessary
    steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be


Respect for user privacy

Privacy for the user should be a central concern for the product, technology or service. The goal is to provide a user-centric experience, rather than one which harbors illicit data processing practices such as mass collection of data or invasive profiling. Having the data subject feel like they are king of the product, technology or service, rather than just a number, is also a good way to increase consumer confidence. Big data is coming under ever-increasing attack for treating individuals like cattle, milking them for personal data which is then commoditised.

  • Consent – The individual’s free and specific consent is required for the collection, use or
    disclosure of personal information, except where otherwise permitted by law. The greater the
    sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may
    be withdrawn at a later date.
  • Accuracy – personal information shall be as accurate, complete, and up-to-date as is necessary to
    fulfil the specified purposes.
  • Access – Individuals shall be provided access to their personal information and informed of its
    uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the
    information and have it amended as appropriate.
  • Compliance – Organisations must establish complaint and redress mechanisms, and
    communicate information about them to the public, including how to access the next level of appeal.




Privacy by Design and by Default, what is not to like?

Mandating Privacy by Design and by Default is the formalization of a good idea. The PDPA aims to give data subjects more power over their personal data. Implementing Privacy by Design and Privacy by Default clearly reflects that aim.

Relentless Privacy and Compliance advise and train project and development teams to embed privacy by design and default into everyday operations.


Relentless Outsourced PDPA DPO Service

Are you tired of experiencing inadequate protection support for your organization’s data?

Our PDPA outsourced Data Protection Officer (DPO) is waiting for that role.


Don’t get stranded by lacking protection, support, or advice for your organization’s data. We provide all of our clients with a knowledgeable and experienced Data Protection Officer (DPO) who tackles your organization’s challenges.

Using the service of our Data Protection Officer will show that your organization takes data protection seriously. In the view of your clients, it assures them that there’s a dedicated person available to maintain compliance and handle privacy-related tasks.

With our impeccable outsourced DPO services, your company can get access to both expert guidance and practical support for board-level data privacy tasks, including:

  • Monitoring, management, and reporting of issues concerning data breaches.
  • Data Protection Impact Assessment assistance.
  • Design and creation of policies and procedures.
  • Development and maintenance of your Personal Data Processing Register.
  • Maintenance of Data Mapping.
  • Maintenance of the Record of Processing Activities.
  • The organization of policy and contract reviews.
  • Designing a data governance structure.
  • Serving as your organization’s official point of contact to data.
  • Management of all data protection issues.

Beyond the above-mentioned services from our Data Protection Officer, there are still lots of benefits attached when you use Relentless Data Privacy, which include:

  • 1 day per month of dedicated support working solely for your organization onsite/ virtually.
  • Unlimited Support Calls.
  • Unlimited Email Support.
  • Monthly board-level report.

At Relentless, our Data Protection Officer (DPO) has the correct qualifications and expertise in international and European data protection laws, with an in-depth understanding of business practices that will allow them to secure and control both data security and data protection for any organization. Whether you are running a large or small enterprise, outsourcing the role of the Data Protection Officer (DPO) will allow your organization to deal with complex, multinational data protection legislation and other regulatory demands.


Relentless, we are here for you

With the use of centralized technology and a streamlined structure, we strive to serve all clients with the highest level of efficiency. It’s this determination, along with modern resources, that aids us in providing a unique model and approach to clients. We have won many compliance and assurance engagements based on our experience and commitment throughout the past 20 years, and because of the personalized and responsive service we provide.


We make sure that every client’s project is completed successfully according to the initial requirements, to build long-term business value for their compliance and privacy assurance strategies and ensure their global operations remain within the law.

Thailand PDPA Planning for the New Regulations

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) will come into full force on 27 May 2020. In view of the impending target date, this article provides a concise overview of the new law.


Scope of Enforcement – The PDPA applies to the collection, use or disclosure of personal data by a data controller or data processor located in Thailand, regardless of whether or not such acts occur in Thailand. If a data controller or data processor is located outside of Thailand, the PDPA applies if the data subject whose data is collected, used or disclosed is located in Thailand, provided that the data controller’s or data processor’s activities are:

(i) the offering of goods or services to a data subject who is located in Thailand (irrespective of whether or not the payment for such goods/services is made by the data subject); or

(ii) the monitoring of the data subject’s performance, where such performance takes place in Thailand.


Personal data is not subject to the PDPA if collected for:

    • personal benefit or household activity;
    • operations of public authorities having duties to maintain state security;
    • activities of mass media, fine arts or literature which are in line with professional ethics or the public interest;
    • consideration by the House of Representatives, Senate, Parliament or their appointed committees under their duties and powers;
    • courts’ trial and adjudication and officers’ work operations in legal proceedings, legal execution and deposit of property;
    • credit bureau companies’ and their members’ operations under the relevant law; and
    • personal data of deceased persons.

Definition of Personal Data – Section 6 of the PDPA defines “personal data” as information pertaining to a natural person which enables the identification of such natural person whether directly or indirectly. There are two types: (i) “Non-Sensitive Personal Data” (e.g., name, surname, home address, email address, bank account number, etc.); and (ii) “Sensitive Personal Data” (e.g., race, political opinions, religion, sexuality, criminal records, disability, etc.).


Definition of Data Controller – Section 6 defines “data controller” as a person or juristic person having the power to make decisions regarding collection, use or disclosure of personal data.


Definition of Data Processor – Section 6 defines “data processor” as a person or juristic person operating in relation to collection, use or disclosure of personal data further to orders given by or on behalf of a data controller.


Basic Elements of Collection, Use and Disclosure 

    • Consent of data subjects must be obtained in writing or electronic form by data controllers prior to or at the time of collection, use, processing or disclosure of personal data (unless otherwise permitted by law);
    • collected personal data must be used in accordance with intended purpose that was informed to data subjects;
    • collection is limited to extent necessary for the lawful purpose;
    • personal data must be collected directly from data subjects (unless otherwise permitted by law); and
    • transfer of personal data to a foreign country, destination country or international organization is only permitted if recipients have adequate data protection standards.

Details Required to be Informed to Data Subject 


    • Data to be collected (e.g., name, surname, email address, etc.);
    • purpose of collection, use or disclosure (e.g., for human resources management);
    • reasons why personal data shall be collected;
    • possible effect of not providing personal data;
    • estimated data retention period;
    • persons or entities to whom the collected personal data may be disclosed;
    • contact information of data controller or its representative / data protection officer (who must be an employee of the data controller); and
    • rights of the data subject.


Exemption of Consent Requirement – Section 24 (General Personal Data) and Section 26 (Sensitive Personal Data) collectively set out ten exemptions where no consent is required from a data subject for collection, use or disclosure of personal data, such as for performance of a task carried out for the public interest.


Personal Data Previously Collected – Section 95 allows data controllers to continue collecting and using personal data collected prior to the effective date of the PDPA for the original intended purpose.


Rights of a Data Subject – A key element of the PDPA is the set of rights protecting data subjects, such as Section 19, which grants data subjects the right to withdraw consent at any time, Section 32, the right to object to collection, use or disclosure of personal data, and Section 73, the right to file a complaint in case of violation, among others.


Obligations of a Data Controller – Chapter III of the PDPA sets out specific obligations of a data controller, such as the obligation to ensure that personal data remains accurate, up-to-date, complete and not misleading and to provide appropriate security measures to prevent unauthorized access to personal data, among others.


Obligations of Data Processor – In case the data processor is not a data controller, obligations of data processors apply such as to collect, use or disclose personal data only pursuant to instructions given by a data controller and to provide appropriate security measures, among others.


Data Protection Officer – Under Section 41, a data controller and data processor shall appoint a data protection officer in certain circumstances, such as where their core activity is the collection, use or disclosure of sensitive personal data.


Obligations of Data Protection Officer – To give advice to data controller or data processor including employees and service providers on compliance with the PDPA and to monitor their performance, among others.


Penalties – Violation of or failure to comply with the PDPA may incur penalties including civil liability, criminal liability and administrative liability.


The PDPA is very new to Thailand and further regulations and guidelines will be issued to supplement the implementation and enforcement of the PDPA. As the PDPA will come into full force soon, appropriate measures should be taken to prepare for and ensure compliance with the new law.


Relentless Privacy and Compliance Services are experts in global data regulations and can help organisations achieve PDPA compliance before 27th May 2020.


Thailand PDPA and its Effect on the Hotel Industry

The Thailand PDPA data regulation, which becomes law on 27th May 2020, brings to an end the grace period that the government allowed. The regulation was created to bring as much uniformity into data protection as possible, to give control back to citizens and residents over their personal data, and to simplify the regulatory environment for international business with a regulation that is far better suited to the challenges today’s digital world poses.

And before you say “Thailand”, it will also apply to non-Thai companies. Despite the fact that this is a Thailand regulation, the PDPA will apply to any organization that is processing or holding Thai personal data, regardless of the location in which the organisation is situated.


How will hotels be impacted?


There are a number of requirements that hotels will need to provide and prove when it comes to the use of personal data such as:

  • A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies so that a hotel always knows the status of such information.
  • A hotel must keep technical and organizational records to prove it is protecting data.
  • A hotel must outline its guidelines for collecting and managing personal data.
  • When it comes to digital marketing and collating of personal information, hotels need a section on their website that permits “opting in,” thus allowing hotels to store personal data of their customers, vendors and staff. Hotels must also be able to prove that their audience has given consent for their data to be used for marketing purposes, must specify which data they wish to use, and must explain the process, enabling guests to access, modify and delete information. If a list of potential customers has been purchased, the hotelier must also receive assurance from the data exporter that proves that consent has been given for the data to be used.


What are the Main Requirements For Compliance with the PDPA


In order for hotels to comply effectively with the PDPA, they need to review their connections to data processors, their own security policies, and whether they have the necessary qualified staff on hand to navigate the new laws. This includes all departments, including CCTV.

  1. Data Mapping: Hotels receive personal data details through multiple channels and touchpoints including email, fax, phone, website, forms, etc., and this data is often stored on multiple platforms across several departments, so one of the first issues a hotel needs to tackle is to complete a full data map to become aware of what data is captured, where this information is stored, who manages the data, how it is used, including where it ends up, before beginning the process of how to protect and monitor it moving forward.
  2. Data Security Assessment: Once data mapping is completed hotels need to decide how information will be stored and handled, and then tested and documented on how to secure the data is and identify any weaknesses. Hardware and software applications should also be reviewed along with hard copy files. If the information is stored electronically, a series of encryption codes, passwords or limitations on access may need to be implemented to protect access to, and the integrity of the data.
  3. Update Data Policies: Hotels now have an obligation to make individuals aware of their rights under the PDPA as part of the data collection process. As such, hotels will need to review all current data protection policies, such as privacy policy, retention etc. as well as policies relating to third-party data contractors and updated accordingly.
  4. Implementation of new PDPA policies: One of the key principles of the PDPA is not to retain personal data for longer than necessary. Although onerous, your current data records will need to be cleaned up: delete what is not required and validate the data that is.
  5. Ongoing compliance and monitoring: Maintaining PDPA compliance will be an ongoing process. To ensure you continue to comply and to reduce the risk of data breaches, hoteliers should:
    1. Invest in training for all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation.
    2. Provide regular refresher training for all staff to maintain a culture of awareness and protect against possible breaches.
    3. Ensure employees know the processes to follow in the event of a breach and report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.

Hotels, both large and small, often make mistakes when it comes to personal data, but under the new PDPA the penalties for doing so will be far higher. Misuse or breach of personal data carries the risk of administrative fines of up to 5 million Baht and a prison sentence of up to one year. Beyond that, you run the risk of tarnishing your reputation and paying out for damage claims.

Whatever you decide to do to achieve PDPA compliance, if you have not already started, it is vital that you begin preparing now. Becoming PDPA compliant will take longer than you realise, and failure to comply and update your data protection processes to safeguard guest data means you run the risk of severe financial penalties.


We are there for you

With the use of centralised technology and a streamlined structure, we strive to serve all clients with the highest level of efficiency. This determination, along with modern resources, allows us to provide a unique model and approach to clients. Over the past 20 years we have delivered many compliance and assurance engagements, built on the personalised and responsive service we provide.

We make sure that every client project is completed successfully according to its initial requirements, building long-term business value into their compliance and privacy assurance strategies and ensuring their global operations remain within the law.

Thailand PDPA Compliance is Still Achievable for 27th May 2020

In search of secured controls for asset or data protection?

Don’t miss the 27th of May!


Worried about missing the 27th May deadline without having implemented the PDPA or being compliant? With some adjustment to your schedule, the 27th May privacy program is still achievable from now. Relentless Data Privacy has designed a PDPA assessment with a practical strategy for every department level, to meet the complex operational needs of businesses and schools.


The Relentless PDPA 27th May privacy program includes:

  • PDPA Privacy assessment built on internationally recognized standards.
  • Full gap analysis and remediation report.
  • Full data discovery and data mapping of all personal data processing activities.
  • Record of processing activities including lawful basis and retention periods.
  • PDPA Training Customised to school operations.
  • Ongoing Outsourced DPO (Data Protection Officer) services available.
  • Native Thai speaking staff available for adequate communication.
  • GDPR coverage is available for the recruitment of UK staff and the processing of EU alumni data.

Beyond the 27th May privacy program, Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Relentless Privacy and Compliance Services differs from traditional compliance firms that use four or five layers of management.



Complete the form below, choose the PDPA service of interest from the drop-down field, and we will be in touch with you within 24 hours.


Thailand PDPA 5 Key Provisions to Deliver

PDPA Key Provisions

(1) Notice & Consent: Controllers and Processors must obtain consent from each data subject prior to or at the time of any collection, use or disclosure of personal data. The intended purpose of the data collection must also be notified to the data subject.


Organisations are permitted to use personal data collected before the effective date of the PDPA for the purposes for which it was collected. To do so, organisations, through their Data Controllers, must notify their data subjects of the intention to do so and permit them to opt out. This process is likely to be costly for large organisations that hold vast volumes of personal data, such as healthcare providers, telecommunications services, financial institutions and government departments.


(2) Limitations to Collection, Use and Disclosure:

 a: Purpose limitation.

The Controller cannot collect, use or disclose personal data for any purpose other than the intended purpose as notified to and consented by the data subject.

 b: Data minimisation.

The Controller cannot collect, use or disclose more personal data than is necessary to achieve the intended purpose.

 c: Source limitation.

Personal data may only be collected directly from the data subject, subject to only a few exceptions.

 d: Retention limitation.

The Controller cannot keep personal data for longer than is necessary to achieve the intended purpose.

 e: Transfer limitation.

Personal data cannot be transferred to countries that do not have adequate data protection standards, except for a transfer under a data privacy policy verified and certified by the OPDPC.


(3) Access, Correction and Portability:

The Controller must ensure that personal data is up to date, accurate and not misleading by allowing the data subject to access, and ask the Controller to correct, the personal data it holds about him or her. The Controller must also ensure that each data subject can obtain his or her personal data in a format that can readily be used by other Controllers.


(4) Security:

The Controller must provide appropriate security measures to prevent any unauthorised loss, access, use, modification or disclosure of personal data.


(5) Openness:

The Controller must disclose personal data of a data subject for him or her to examine and verify.


Compliance with the Thailand PDPA cannot be bought as a template. Data privacy needs to be built from the ground up with a framework that covers all aspects of your operations.


Thailand PDPA Its impact and the need to prepare

In May 2019, Thailand's first comprehensive data privacy law, the Personal Data Protection Act (PDPA), emerged amidst growing concerns about the collection and use of mass data by corporations. The PDPA is a prescriptive and detailed data protection regime that sets high standards for protecting personal information. It grants individuals greater rights over how their data is collected and used, and equips regulators with the power to impose heavy fines on companies for non-compliance. The PDPA is modelled on the European Union's General Data Protection Regulation (Regulation (EU) 2016/679), the GDPR, which came into force in 2018. Since then, the GDPR has become the global standard for personal data protection, and many other jurisdictions, including Thailand, have followed suit by introducing their own data privacy laws drafted on the GDPR's model.


PDPA Impact


The impact of the PDPA on businesses operating in Thailand is significant, as it requires them to make several changes to their data-handling practices to comply with its mandatory requirements on the collection, use and disclosure of personal data. The government has allowed a one-year transition period for businesses to make the necessary preparations before the requirements come into full force on 27 May 2020.


Territorial Reach 


The PDPA is far-reaching in scope and applies extraterritorially. It applies to businesses located in Thailand that collect, use or disclose personal data, regardless of whether the collection, use or disclosure takes place in or outside Thailand. It also applies to businesses located outside Thailand that collect, use or disclose the personal data of individuals located in Thailand for the purpose of offering them products or services (irrespective of whether payment is required) or monitoring their behaviour.


Personal Data Definition


Personal data is broadly defined in the PDPA. As in the GDPR, it includes “any information relating to an identified or identifiable natural person (“data subject”), either directly or indirectly”. This could include anything from a customer's name, mobile phone number, shipping address and credit card information, to membership program details, HTTP cookies and comments made on social media. Businesses with an online presence often collect such information regardless of whether they sell any products or services. Personal data also includes information which, on its own, does not identify a specific person but which, when combined with information from other sources, whether a third party or the public, could be used to identify a person.


Legal Obligation


Perhaps the most fundamental requirement under the PDPA is for businesses to ensure that their data privacy policy is legally compliant. Central to the PDPA is consent, which must be obtained from data subjects prior to the collection, use and disclosure of their personal information. The PDPA sets out several mandatory requirements on how consent should be obtained, the manner in which it is to be requested, and additional requirements where the data to be collected is classified as sensitive personal data. Businesses that fail to comply with these requirements risk heavy civil and criminal liabilities and reputational damage that could be irreparable.


Understanding PDPA Requirements 


The PDPA's breadth of application, and the adverse consequences for businesses that do not comply with its terms, make it crucial for all companies to fully understand its requirements and their potential impact. Moreover, although there are similarities between the PDPA and the GDPR, compliance with one does not necessarily ensure compliance with the other, as the two regimes differ in their requirements. With the PDPA compliance deadline looming, it is essential that every company potentially affected by the PDPA spends the coming months formulating and strengthening its personal data privacy program, so that it can implement the PDPA's terms within the organisation and demonstrate compliance when the deadline arrives.

Relentless will be visiting Bangkok between the 2nd and 12th of March. Get in touch and book a meeting.
