Microsoft urges organizations to make security the foundations for privacy, ensuring compliance with new Thai law and global standards

Woman using a laptop with two monitors

Three key items highlighted for security preparations
ahead of full enforcement of Personal Data Protection Act

Bangkok, 11 May 2021 – Microsoft Thailand is encouraging organizations to strengthen their security capabilities and ensure data privacy as the country prepares for full enforcement of the Personal Data Protection Act (PDPA). In response, Microsoft is offering products and services that help establish this foundation of trust, enabling every person and every organization to take full advantage of technology.

While the new law will not come into full effect before June 1, 2022, every organization in Thailand remains on course to adopt the same standard. Under PDPA, data owners must be informed of the purpose and details regarding the collection and processing of their personal data. They must also have the right to access, change, erase, and transfer this data as well as withdraw their consent and prevent or stop any processing of the data.

Ome Sivadith, National Technology Officer, Microsoft (Thailand) Limited, said, “Before discussing data privacy and rights over personal data, we must not forget that we can only keep personal data truly personal under the standards of PDPA by enhancing our cybersecurity capabilities. In essence, security is the foundation for privacy – and vice versa.”

Three key items in checklist to ensure security for personal data

Diagram showing Discover, Manage and Protect as three main steps in security

No matter the industry or the scale, each and every organization is required to handle personal data in a similar fashion. This means that any organization will have to go through these three key steps to ensure compliance with PDPA:

  1. Know your data

An organization’s systems are much like a house. To keep things inside the house secure and safe from prying eyes and hands, one must know what item is being stored where – which is exactly what we need to know about personal data.

Today, organizations have to manage data of different types from many different sources – from structured data such as databases to unstructured data like document files. This makes the task of putting things in order considerably difficult. With Microsoft Azure Purview, a new cloud service that scans for data from databases all across the entire organization, everything can be organized in one place. Furthermore, Purview reveals the flow of data as it is used and transferred in the organization, highlighting areas that need further attention to ensure security.

Beyond Purview, Microsoft 365 also offers a full suite of tools to keep your data in order. Content Explorer, for instance, makes the status of important data from all over the organization visible in a single screen.

  1. Manage your data

With items in the house now identified systematically, the next step is to make sure that each item is properly put to use so that damage or loss can be prevented.

With Microsoft 365, organizations can employ data classification capabilities to determine which pieces or types of data require special protective measures – such as preventing sharing with external recipients or requiring data to be stored within the system for a minimum period of time – using sensitivity and retention labels. This classification can be done automatically through sets of customizable rules, which can then be applied on a larger scale through Azure Purview. All of these capabilities form part of Microsoft’s Information Protection and Governance offering.

With usage and purpose of data already clarified, user and device authentication must also be taken care of in order to prevent risk from unsafe devices or unauthorized users getting access. On the device front, Microsoft Endpoint Manager can help handle all kinds of endpoint devices – from PCs to smartphones – while Azure Active Directory handles user authentication and ensures that each user receives a suitable level of access clearance to minimize risk of leaks.

  1. Protect your data

No matter how orderly things get in the house, there is always a chance that an accident will happen, or that someone will target the house for malicious purposes. A strong security system is required as the last line of defense that puts a stop to attacks and limits any damage caused.

Microsoft’s cloud-based databases – including Azure SQL DB, Azure Synapse, and more – all support data masking to ensure that confidential parts of your data will not fall into the hands of those who are not meant to have them. Meanwhile, all data on the Microsoft 365 service is encrypted with a Microsoft-owned key to ensure safety. Customers can also opt for even greater security by using their own key for the end-to-end encryption available on the Microsoft platform.

In the event of accidents such as someone attaching a confidential document – or valuable data like credit card numbers – in an email meant for external recipients, Microsoft 365’s Data Loss Prevention functionality can automatically step in – under conditions specified by the system administrator – to prevent leakage.

Azure Active Directory and Multi-Factor Authentication, meanwhile, ensure that the user attempting to access the system is the right person with correct access permissions. Should an attacker slip through, Microsoft 365 Defender can detect and defend against their weapons – from simple malware detection to scanning for unusual behaviors and signs of a possible breach, such as a single user trying repeatedly and unsuccessfully to access the system.

“All of these security technologies are driven by the cloud, which makes the choice of a secure cloud platform very important to any organization,” said Ome. “Microsoft Azure and Microsoft 365 have both attained more than 90 standard certifications worldwide – including 35 industry-specific regulations and data privacy laws such as the EU’s GDPR and Thailand’s PDPA. Our platform is ready to meet the needs of every Thai organization. Those interested in deeper details on our security and privacy conditions can access them directly through Microsoft to ensure clarity and confidence moving forward.”

To learn more about enhancing security and ensuring PDPA compliance, sign up for the online workshop series “Digital Clinic for Your Business” and join the following session hosted by Microsoft partner M.I.S. Outsourcing:

  • “Preparing for the Personal Data Protection Act”
    Wednesday, May 19, 2021 – 13:00-15:00
    Register here

Furthermore, Microsoft offers a special on-demand online session titled “Express Route to comply with PDPA for Data Processor” specifically for people and organizations directly handling personal data. Sign up for the session at https://aka.ms/ExpressPDPA_OnDemandTH