Microsoft recommends guidelines for Personal Data Protection Act compliance as implementation date looms, underscores importance of security as foundation of privacy


Bangkok, 30 March 2020 – Microsoft Thailand is emphasizing the importance of data security and privacy alongside the safety of employees in the face of today’s unusual circumstances. Organizations across Thailand are advised to make their final preparations prior to the official implementation of the Personal Data Protection Act (PDPA) this May. 

“Following the Act’s passing and publication in the Royal Gazette in mid-2019, many organizations and businesses in Thailand have taken action in enhancing their own operational standards to ensure compliance with the new law’s privacy standards,” said Ome Sivadith, National Technology Officer, Microsoft (Thailand) Limited. “However, many more organizations are still to complete their adaptation process, while demand for data discovery, storage, and processing continues to increase at great pace as more and more data types come into the picture. Achieving full compliance with the new law is proving to be a daunting challenge.” 

Gear up for Thailand’s new privacy law 

Nipon Nachin, Ph.D., Chief Executive Officer of ACIS Professional Center Co., Ltd., said, “It can be said that Thailand’s PDPA is a law rooted in the data protection and privacy standards implemented by the European Union under GDPR – which came into effect two years ago. Many European businesses have already faced penalties from failure to comply with these new standards, and Thai companies have to step up their work to meet new expectations under PDPA as well. By doing so, they can free themselves from the risk of lawsuits while also reinforcing the confidence and trust placed in them.”

One of the biggest factors in ensuring compliance is understanding the organization’s role as data controller – the party authorized to decide how personal data is gathered, stored, used, and shared – or as data processor – the party carrying out those actions under the direction of the data controller. Furthermore, data owners must be guaranteed their right to approve or reject the access to or use of any of their personal information. Under PDPA, they must be able to access, obtain a copy of, remove, or destroy any of their personal data held by a given data controller.

Data controllers and processors must also appoint a data protection officer within the organization in situations where the controllers or processors are either working for a government agency, handling large amounts of personal data that need regular reviews and inspections, or when their primary activity concerns personal data on nationality, race, political opinions, religious beliefs, sexual behaviors, criminal history, health and disability, labor unions, genetics, biometrics, or other data with similar implications. 

“Once the roles have been properly defined, organizations must discover and categorize personal data in their systems, develop personal data flow diagrams, and define strategies, frameworks, regulations, rules, and responsible parties for every activity – including potential coordination and communication with data owners and related external stakeholders,” Nipon added. “This entire process, however, will not succeed without the foundations of strong security, which must cover personnel, procedures, and technologies.” 

Microsoft is ready to support Thai businesses in this undertaking with the world-class Azure cloud platform and a wide range of services under the Microsoft 365 umbrella – including Windows and Office 365. These products and services all embrace three key aspects of ensuring personal data privacy: identity and access management, information protection, and threat protection. To simplify the compliance journey, Microsoft recommends that organizations undergo a seven-step process:

  1. Discover personal data in unstructured data, which may come from on-premises systems, the Microsoft cloud (including Office 365), and other cloud applications.
  2. Ensure protection across on-premises systems, cloud, and devices through encryption, which may take place at the data, device, or application level. Office 365 also offers tools that assist in data classification and labeling to help recommend or even enforce data usage policies and prevent security breaches.
  3. Control access to data with measures that extend beyond simple passwords – from biometrics like fingerprint or facial recognition to the use of smartphones or smart cards as companion devices for authorized users.
  4. Gain visibility and control of data in cloud applications by assessing every application for potential risks under the new privacy standards against its impact on operational performance, defining clear rules on the use of data in these applications, and protecting this data from falling into risky or uncontrolled spaces.
  5. Detect, defend against, and mitigate the impact of data breaches, which may be caused by anything from external attacks to insider misconduct – regardless of intention. Office 365’s Advanced Threat Protection offers organizations the ability to reduce risks at many different levels – including features such as advance detection of potentially harmful email attachments and links before the user accesses these assets.
  6. Assess and ensure compliance in every data-related action with solutions such as Compliance Manager, which evaluates and scores the organization’s compliance with various standards and laws based on the system administrator’s input, resulting in useful recommendations that feed directly into further development.
  7. Prepare for Data Subject Requests (DSRs) with services such as Office 365’s Data Privacy Dashboard, which helps in handling and tracking DSR cases while also providing visibility of personal data across assorted Office applications in the organization.

Ome added: “Microsoft’s cloud platform offers technologies that work together seamlessly across the entirety of the platform and comes with full support from our partners nationwide. We are ready to help companies achieve full compliance with the Personal Data Protection Act no matter where things stand now for their technological infrastructure, and we provide proven security systems that minimize risks, mitigate impact, and facilitate fast recovery in the event of attacks or breaches.”

For more on Microsoft’s principles in data security and privacy, visit https://www.microsoft.com/th-th/trust-center/ or contact us at https://aka.ms/contactmsftth.