Thundthornthep Yamoutai, Ph.D. | Legal Advance Solution Co., Ltd. | 17 April 2026
LAS C&C — Contract & Control #11
Consider this scenario: on a Monday morning, Company A's IT team discovers that a database containing over 50,000 customer records has been accessed by an unauthorized external party. Names, addresses, national ID numbers, and order histories have been downloaded. The clock starts ticking — the company has 72 hours to assess the risk and notify the Office of the Personal Data Protection Committee (PDPC). Every hour that passes without action represents an escalating legal exposure.
A personal data breach is no longer merely an IT problem. It is a legal and business issue that directors, executives, and DPOs must understand thoroughly. Since the Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into full force, organizations without clear breach assessment and notification procedures have left themselves exposed on two fronts: legal liability and reputational damage.
The PDPC's Guidelines on Personal Data Breach Risk Assessment and Notification, Version 1.0 (published 15 December 2022), establish a clear operational framework for what organizations must do when a breach occurs. This article summarizes all key points in a format that business lawyers and C-Suite executives can apply immediately.
"When data leaks — what matters most is not what leaked, but how fast and how correctly you respond."
Under the PDPC Guidelines and consistent with international standards, personal data breaches are divided into three principal categories, which may occur simultaneously within a single incident.
A Confidentiality Breach occurs when personal data is accessed or disclosed by a person who lacks authorization, or for a purpose not permitted. This is the most common type and typically causes the most serious harm.
An Integrity Breach occurs when personal data is modified, altered, or destroyed without authorization. The data remains in place but its content has been changed, which may affect decisions based on that data.
An Availability Breach occurs when personal data is lost or becomes inaccessible, whether temporarily or permanently. Even if data is not disclosed externally, the organization's inability to access it still constitutes a breach.
In practice, a single event often falls into multiple categories simultaneously. A Ransomware Attack may constitute a Confidentiality Breach (if the attacker copies data before encrypting), an Integrity Breach (if some data is altered), and an Availability Breach (if the data is encrypted and inaccessible). Risk assessment must address all dimensions — not just the most obvious type.
| Type | Nature | Common Examples | Risk Level |
|---|---|---|---|
| Confidentiality | Unauthorized access or disclosure | Hacking, misdirected email, data sale | Very High |
| Integrity | Unauthorized modification or alteration | Ransomware data alteration, bug overwrite | High |
| Availability | Loss or inaccessibility | Failed HDD, fire, accidental deletion | Medium–High |
The foundation of the data breach notification obligation is Section 37(4) of the Personal Data Protection Act B.E. 2562 (2019), which requires the Data Controller to notify the PDPC of a personal data breach without delay and within 72 hours of becoming aware, unless the breach is unlikely to result in any risk to the rights and freedoms of individuals.
This provision contains three critical components that every Data Controller must understand:
This document is the primary reference issued by the PDPC to assist Data Controllers in understanding and complying with Section 37(4). Its key content covers:
The 72-hour window begins when the Data Controller "becomes aware" of the breach — not from when it actually occurred. However, ignorance is not a valid defense. Section 37(1) of the PDPA requires Data Controllers to implement appropriate security measures, including effective detection systems. If poor detection causes delayed discovery, the organization may also be found in breach of Section 37(1) on a separate basis.
Risk assessment is the cornerstone of the breach response process. The outcome determines what actions the organization must take. Under the PDPC Guidelines, the assessment uses two primary dimensions: Severity and Likelihood.
Severity is assessed based on the following factors:
| Factor | Low Severity (1) | Medium Severity (2) | High Severity (3) |
|---|---|---|---|
| Data Type | Basic data (name, business email) | Personal data (address, phone, date of birth) | Sensitive data (health, financial, biometric, criminal history) |
| Number of Data Subjects | Fewer than 100 | 100 – 10,000 | More than 10,000 |
| Potential Impact | Minor inconvenience | Financial or reputational harm | Serious harm (fraud, discrimination, harassment) |
| Data Subject Group | General adults capable of self-protection | Employees or regular customers | Children, patients, or other vulnerable persons |
Likelihood is assessed based on the following factors:
| Factor | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Nature of the Breach | Lost within a controlled area / accidental deletion | Misdirected to a trusted recipient | Hacked / stolen / publicly disclosed |
| Evidence of Actual Use | No evidence of exploitation | Possible exploitation but requires effort | Evidence of exploitation / published on Dark Web |
| Protective Measures in Place | Data is fully encrypted | Partial encryption in place | Data is plaintext — no encryption |
| Risk Score | Level | Required Action |
|---|---|---|
| 1–2 | Low | Internal Record only — PDPC notification not required, but documentation supporting the decision is mandatory |
| 3–4 | Medium | Notify PDPC within 72 hours — direct notification to data subjects generally not required (unless specific circumstances apply) |
| 6–9 | High | Notify PDPC within 72 hours and notify affected data subjects without delay, with recommended remedial actions |
In practice, data privacy legal experts consistently advise "when in doubt, notify." Deciding not to notify and later discovering notification was required is far more damaging than notifying unnecessarily. The former risks administrative fines and compounded reputational harm; the latter merely creates additional paperwork.
The 72-hour window under Section 37(4) of the Personal Data Protection Act B.E. 2562 (2019) is tight — identical to the EU's GDPR standard. The practical time available for substantive work is even shorter because multiple tasks must occur simultaneously.
| Hour | Action Required | Responsible Party |
|---|---|---|
| 0–4 | Detection + Confirm breach (not false alarm) + Notify DPO + Management + Begin Containment | IT Security + DPO |
| 4–12 | Initial investigation: identify scope, data types, number of data subjects affected, cause | IT + Legal + DPO |
| 12–24 | Conduct Risk Assessment per Matrix + Decide whether PDPC notification is required + Begin drafting report | DPO + Legal |
| 24–48 | Draft notification report + Verify accuracy + Obtain management approval | DPO + Management |
| 48–72 | Submit notification to PDPC + Notify data subjects (if High Risk) + Begin Remediation | DPO + Communications |
| After 72 | Submit supplemental information (if initial report was incomplete) + Post-Incident Review + Update measures | DPO + All Teams |
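The following Python is an added example, not code from the article, the PDPC or LAS: it encodes the Severity and Likelihood factor tables, the Risk Score bands and their required actions, the 72-hour deadline counted from the moment the Data Controller becomes aware, and the rule that a decision not to notify must carry a written justification. Two combination rules are assumptions the article does not state: overall severity is taken as the highest-rated severity factor, and overall likelihood is the higher of the nature and evidence ratings, capped by the protective-measures rating (so fully encrypted data caps likelihood at 1, the reasoning the article applies to the lost-laptop scenario). The three sample breaches are constructed inputs mirroring the hospital ransomware, encrypted laptop and exposed database scenarios.

```python
"""PDPA breach scoring: Severity x Likelihood, notification decision,
72-hour deadline and a Breach Register row. Constructed example;
the combination rules in severity_rating/likelihood_rating are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Factor ratings (1-3) transcribed from the article's Severity table.
DATA_TYPE = {"basic": 1, "personal": 2, "sensitive": 3}
IMPACT = {"inconvenience": 1, "financial_or_reputational": 2, "serious_harm": 3}
SUBJECT_GROUP = {"general_adults": 1, "employees_or_customers": 2, "vulnerable": 3}
# Factor ratings (1-3) transcribed from the Likelihood table.
NATURE = {"lost_in_controlled_area": 1, "misdirected_trusted": 2, "hacked_stolen_or_public": 3}
EVIDENCE = {"none": 1, "possible": 2, "confirmed": 3}
PROTECTION = {"fully_encrypted": 1, "partially_encrypted": 2, "plaintext": 3}

PDPC_WINDOW = timedelta(hours=72)  # Section 37(4): counted from becoming aware


def subject_count_rating(n: int) -> int:
    """Number of Data Subjects factor: <100 -> 1, 100-10,000 -> 2, >10,000 -> 3."""
    return 1 if n < 100 else 2 if n <= 10_000 else 3


def risk_level(score: int) -> str:
    """Risk Score bands; products of two 1-3 ratings can only be 1,2,3,4,6,9."""
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"


@dataclass
class Breach:
    name: str
    aware_at: datetime        # when the Data Controller became aware
    data_type: str
    subject_count: int
    impact: str
    subject_group: str
    nature: str
    evidence: str
    protection: str
    justification: str = ""   # mandatory when deciding NOT to notify the PDPC


@dataclass
class Assessment:
    severity: int
    likelihood: int
    score: int
    level: str
    notify_pdpc: bool
    notify_subjects: bool
    pdpc_deadline: Optional[datetime]


def severity_rating(b: Breach) -> int:
    # Assumption: the highest-rated factor drives overall severity.
    return max(DATA_TYPE[b.data_type], subject_count_rating(b.subject_count),
               IMPACT[b.impact], SUBJECT_GROUP[b.subject_group])


def likelihood_rating(b: Breach) -> int:
    # Assumption: how the data got out and whether it is being used drive the
    # rating, but encryption caps how likely actual misuse is.
    return min(max(NATURE[b.nature], EVIDENCE[b.evidence]), PROTECTION[b.protection])


def assess(b: Breach) -> Assessment:
    sev, lik = severity_rating(b), likelihood_rating(b)
    score = sev * lik
    level = risk_level(score)
    notify_pdpc = level != "Low"           # Medium and High: notify within 72 hours
    if not notify_pdpc and not b.justification.strip():
        raise ValueError(f"{b.name}: not notifying requires a written justification")
    return Assessment(sev, lik, score, level, notify_pdpc,
                      notify_subjects=(level == "High"),
                      pdpc_deadline=b.aware_at + PDPC_WINDOW if notify_pdpc else None)


def register_entry(b: Breach, a: Assessment) -> dict:
    """Row for the Breach Register; Low-risk incidents are recorded as well."""
    return {"incident": b.name, "aware_at": b.aware_at.isoformat(),
            "score": f"{a.severity}x{a.likelihood}={a.score}", "level": a.level,
            "pdpc_notified_by": a.pdpc_deadline.isoformat() if a.pdpc_deadline else "not required",
            "subjects_notified": a.notify_subjects,
            "justification": b.justification or "n/a"}


# Constructed inputs mirroring three of the article's scenarios.
AWARE = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)
HOSPITAL_RANSOMWARE = Breach("Hospital A ransomware", AWARE, "sensitive", 30_000,
                             "serious_harm", "vulnerable",
                             "hacked_stolen_or_public", "confirmed", "plaintext")
ENCRYPTED_LAPTOP = Breach("Company C lost laptop", AWARE, "personal", 500,
                          "financial_or_reputational", "employees_or_customers",
                          "hacked_stolen_or_public",  # device left the controlled area
                          "none", "fully_encrypted",
                          justification="BitLocker full-disk encryption, strong password, remote wipe issued")
OPEN_DATABASE = Breach("Company D exposed database", AWARE, "personal", 100_000,
                       "financial_or_reputational", "employees_or_customers",
                       "hacked_stolen_or_public", "possible", "plaintext")

if __name__ == "__main__":
    for b in (HOSPITAL_RANSOMWARE, ENCRYPTED_LAPTOP, OPEN_DATABASE):
        print(register_entry(b, assess(b)))
```

Running the module prints one register row per scenario: the hospital and exposed-database cases score 9 (High) with a PDPC deadline 72 hours after `aware_at` and data-subject notification required, while the encrypted laptop scores 2 (Low) with no PDPC deadline but a recorded justification. Constructing a Low-risk breach without a justification raises an error, which mirrors the table's rule that documentation supporting a non-notification decision is mandatory.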
Under PDPC Guidelines v1.0, a notification to the PDPC must contain at minimum the following elements:
The following scenarios are based on common real-world incident patterns and PDPC guidance, designed to help DPOs and legal teams quickly classify and respond to breaches. All organization names are fictional.
Incident: Hospital A's electronic medical record system is hit by ransomware. Records of 30,000 patients become inaccessible, and the attacker claims to have exfiltrated a copy of the data.
Breach Type: Confidentiality Breach + Availability Breach
Risk Score: Severity 3 (health data + vulnerable group) × Likelihood 3 (evidence of exfiltration) = 9 — Very High
Required Action: Notify PDPC within 72 hours + Notify all affected data subjects + Recommend password changes + Advise monitoring of financial transactions
Incident: An employee of Company B accidentally sends a spreadsheet containing the salary data of 200 employees to an external recipient. The recipient confirms deletion but this cannot be independently verified.
Breach Type: Confidentiality Breach
Risk Score: Severity 2 (financial/salary data) × Likelihood 2 (recipient claims deletion but unverifiable) = 4 — Medium
Required Action: Notify PDPC within 72 hours + Consider notifying affected employees + Review email misdirection prevention controls
Incident: A sales employee of Company C loses a laptop while travelling. It contains a database of 500 customers. However, the hard drive is protected by Full Disk Encryption (BitLocker) with a strong password.
Breach Type: Confidentiality Breach + Availability Breach (even with cloud backup)
Risk Score: Severity 2 (500 customer records) × Likelihood 1 (data encrypted — effectively inaccessible) = 2 — Low
Required Action: Internal record + Remote Wipe + Notification to PDPC not required (encryption makes risk negligible) — but written justification of the decision is mandatory
Incident: Company D's e-commerce website inadvertently exposes a database of 100,000 customers without authentication for over two weeks before discovery. The database contains names, emails, phone numbers, shipping addresses, and purchase history.
Breach Type: Confidentiality Breach
Risk Score: Severity 3 (personal data + over 10,000 subjects) × Likelihood 3 (exposed for 2 weeks — unknown who accessed) = 9 — High
Required Action: Notify PDPC + Notify all affected data subjects + Engage Forensic Audit + Close vulnerability immediately
Incident: A sales employee of Company E resigns and copies a database of 3,000 customers to use at a competing firm. The breach is detected through USB access logs.
Breach Type: Confidentiality Breach
Risk Score: Severity 2 × Likelihood 3 (evidence that data is actively being used) = 6 — High
Required Action: Notify PDPC + Consider notifying affected data subjects + Initiate legal proceedings against the employee (civil and criminal)
Incident: Company F's cloud provider suffers an outage for 48 hours, making data of 5,000 customers temporarily inaccessible. No external access to the data occurred.
Risk Score: Severity 1 × Likelihood 1 = 1 — Low (unless data is health data urgently needed for treatment)
Required Action: Internal record + Review SLA with cloud provider + Consider Multi-Cloud Strategy
Incident: A staff member of Bank G is phished, resulting in stolen credentials. The attacker gains access to account information of 800 customers, including account numbers and balances.
Risk Score: Severity 3 (financial data) × Likelihood 3 = 9 — Very High
Required Action: Notify PDPC + Notify Bank of Thailand (additional sector regulator) + Notify all affected customers + Reset credentials + Review historical transactions
Incident: Clinic H loses 50 patient record files during an office relocation.
Risk Score: Severity 3 (health data) × Likelihood 2 (lost — unknown if discovered by others) = 6 — High
Required Action: Notify PDPC + Notify affected patients + Search for documents + Review document retention procedures
Incident: An outsourcing company (Processor) engaged by Company I is found to have used customer data for purposes not agreed in the Data Processing Agreement (DPA).
Risk Score: Severity 2 × Likelihood 3 = 6 — High
Required Action: The Data Controller (Company I) must notify PDPC + Notify affected data subjects + Terminate the DPA + Pursue damages against the Processor + Review all Processor oversight arrangements
Incident: University J's website is hacked, and data of 20,000 students (names, student IDs, grades) is published on the Dark Web.
Risk Score: Severity 2 (education data + over 10,000 subjects) × Likelihood 3 (already published on Dark Web) = 6 — High
Required Action: Notify PDPC + Notify all affected students + Coordinate with cyber police + Conduct Forensic investigation + Close vulnerability
When a personal data breach occurs, the Data Protection Officer (DPO) must act on the following items urgently.
Section 39 of the Personal Data Protection Act B.E. 2562 (2019) requires Data Controllers to maintain Records of Processing Activities (ROPA) — a comprehensive register of all data processing operations. This is a distinct obligation from the Breach Register.
The requirement to maintain a Breach Register (recording every data breach event, including "Low Risk" incidents not requiring PDPC notification) derives from the PDPC Notification on Personal Data Breach Risk Assessment and Notification B.E. 2565 (2022), not directly from Section 39 of the Act. Even where PDPC notification is not required, all incidents must be recorded in the Breach Register, because the PDPC may request inspection at any time.
Failure to comply with breach notification obligations carries legal consequences across three concurrent dimensions: administrative, civil, and criminal.
| Offense | Provision | Maximum Penalty |
|---|---|---|
| Failure to notify breach per Section 37(4) | Personal Data Protection Act B.E. 2562 (2019), Section 83 | Administrative fine not exceeding THB 3,000,000 |
| Failure to implement appropriate security measures (Section 37(1)) | Personal Data Protection Act B.E. 2562 (2019), Section 83 | Administrative fine not exceeding THB 3,000,000 |
| Failure to maintain records of processing activities — ROPA (Section 39) | Personal Data Protection Act B.E. 2562 (2019), Section 82 | Administrative fine not exceeding THB 1,000,000 |
Under Section 77 of the Personal Data Protection Act B.E. 2562 (2019), a Data Controller or Data Processor that violates or fails to comply with the Act is liable to compensate for resulting damages, whether actual loss or reputational harm. Under Section 78, courts have the authority to order additional punitive damages of up to twice the actual loss.
Where the breach constitutes unlawful disclosure of personal data without consent, criminal penalties may apply: imprisonment not exceeding 6 months and/or a fine not exceeding THB 500,000 under Section 79 of the Personal Data Protection Act B.E. 2562 (2019). For disclosure of sensitive personal data, the penalty increases to imprisonment not exceeding 1 year and/or a fine not exceeding THB 1,000,000.
Beyond legal penalties, reputational damage often inflicts greater harm than any fine. Media coverage of a data breach, loss of customer trust, and impact on share price (for listed companies) represent costs that cannot be easily quantified. A rapid, transparent, and professional response is the only way to preserve confidence.
The LAS Risk Methodology applies the principle of Eliminate → Reduce → Distribute to risk management, and translates directly to data breach prevention and response.
| Level | Principle | Application to Data Breach |
|---|---|---|
| Eliminate | Remove the risk | Data Minimization — collect only what is necessary / delete data no longer needed / Pseudonymize sensitive data |
| Reduce | Reduce the risk | Encryption at every layer / Access Control / MFA / Network Segmentation / Incident Response Plan |
| Distribute | Spread the risk | Cyber Insurance / DPA with Processor (including Indemnity + Liability clauses) / Multi-location Backup |
From a LAS C&C Series perspective, a well-drafted DPA must include provisions that protect the organization in the event of a breach — at minimum: