Organizations of all sizes in Thailand are moving towards digitalization and building their own personal data protection programs to comply with the Personal Data Protection Act B.E. 2562 (2019), the PDPA. The Cabinet approved postponing full enforcement of the PDPA for one further year because of the severe COVID-19 outbreak in Thailand. Organizations are therefore looking for a robust, comprehensive, standards-based solution that is easy to begin with.
Referring to the Thailand Data Protection Guideline V3.0 Extension, developed by the Faculty of Law at Chulalongkorn University to guide organizations in Thailand on implementing a granular personal data protection system, Fortinet recommends that organizations begin with a risk assessment.
Risk assessment is an essential activity that helps organizations develop adequate measures for the three security properties of personal data: confidentiality, integrity and availability. By assessing the probability that a threat occurs together with its impact, the organization obtains a risk level for each area, rated high, medium or low. That risk level then drives the exercise of selecting appropriate controls across the three strategic security pillars, process, technology and people (human resources), for each area, so as to achieve the policy objectives set by the chief information security officer and the security team.
Organizations should carefully evaluate implementations that meet their specific business requirements, compliance obligations and related controls. Small and medium enterprises may consider adding granular security processes to the technology and people pillars to reduce risk, for example by clearly defining the rights of high-privilege user accounts and enforcing least-privilege access.
After the security risk level has been assessed, organizations can define appropriate organizational security measures and technical security measures. The organizational security measures should address three strategic concerns. First, security management covers the relevant policies and procedures as well as the definition of roles and responsibilities. Second, incident response and business continuity management are needed to handle threat incidents and personal data breach events. Third, human resources management requires the organization to give employees regular information security training and to promote a secure working environment.
Technical measures are the controls applied to systems and to any technological aspect of an organization, such as devices, networks and hardware. Protecting these is crucial for the security of personal data and forms a key line of defense against data breaches. Here are the most common technical measures organizations should consider:
A question Fortinet is frequently asked is what additional tools or technologies an organization needs to purchase. The answer depends on the organization's own risk level: the higher the risk, the more tooling the organization will need, while an organization with lower risk needs fewer tools. Small and medium-sized organizations with limited budgets may opt to strengthen their processes and people policies to reduce risk instead. The good news is that many Fortinet security products, such as FortiGate, FortiWeb and FortiMail, already contain data protection capabilities. Organizations that currently deploy Fortinet security appliances to comply with the Cybersecurity Act B.E. 2562 (2019) or with the NIST, ENISA or ISO 27001 frameworks can therefore use them for data protection purposes immediately, reducing both their security risk level and their tool procurement budget.
For example, a customer already using a FortiGate Next-Generation Firewall, together with additional technology and people-focused programs, can turn on the DLP, two-factor authentication (2FA) and breach prevention functions to reduce risk immediately until an acceptable level is reached.
Large enterprises with high risk, on the other hand, will need more tools to reduce the time spent identifying and responding to incidents and to support overburdened security personnel. For this case Fortinet provides tools such as FortiSIEM and FortiSOAR to support the granular security operations of large enterprises.
It is widely acknowledged that the impact and damage to business and corporate reputation from a personal data breach can be incalculable. Although the Cabinet has extended the PDPA enforcement deadline, organizations still have to accelerate the completion of their PDPA programs. You need to do your best to secure the personal data you handle and be able to prove it. Fortinet brings its experience, expertise and industry-leading products and services to help organizations of all types meet their personal data protection requirements.