The Personal Data Protection Act B.E. 2562 (“PDPA”) mandates prompt notification to the authority and/or affected data subjects in the event of a data breach. Despite this requirement, many operators have historically hesitated to report breaches out of fear that doing so would expose potential non-compliance with the PDPA. However, it is noteworthy that breaches are often brought to light by the data subjects themselves, who may take to social media to share their experiences or approach the authority directly without first consulting the operator. This heightened and abrupt visibility can attract the attention of the authority and the public, potentially damaging the operator’s reputation and increasing the risk of non-compliance findings. Although the authority has not yet imposed any penalties on operators, this period of leniency is coming to an end.
On the other hand, proactive reporting to the authority can lead to more favorable outcomes. The authority may request evidence demonstrating that the operator has taken reasonable steps to mitigate the risks, which can potentially avert further punitive action. Therefore, unless operators can definitively conclude that there is no risk to any data subject, it is advisable for them to notify the authority promptly upon discovering a breach. Furthermore, operators are advised to have the necessary documentation in place beforehand, as any lack of proper documentation may be discovered by the authority during the reporting process.
Data breaches can be caused not only by hackers but also by human error and natural disasters. The rule of thumb is that, regardless of the cause, prompt notification to the authority and affected data subjects must be considered. If deemed necessary, operators must report the incident to the authority within 72 hours. To expedite this process, it is crucial to educate employees about data breaches and to establish clear protocols for reporting incidents. Some operators have implemented internal data breach notification forms to ensure that employees can report incidents promptly and with sufficient detail. Additionally, simulating breach scenarios through workflow exercises can help prepare operators for swift and effective responses. Lastly, a common question is whether to report immediately upon discovery or to wait for more information and report at a later date. The answer is that if there is a probability that personal data has been accessed, prompt notification must be undertaken to avoid any risks involving the authority.
In conclusion, operators should prioritize preparedness over fear of reporting. Timely and transparent reporting not only aligns with legal obligations but also minimizes potential damage from breaches.