November 19, 2020
Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020 By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee, Yoon & Yang The Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) was enacted on May 27, 2019. Prior to the end of the original one-year grace period for full enforcement of the PDPA, a Royal Decree was issued which prescribed a list of organisations and businesses that would be temporarily exempted from enforcement. The list was so extensive and the choice of words so overarching that all legal practitioners agreed that it was designed for all business operators and other types of entities as well. Hence, we were effectively given a second grace period which will end on May 31, 2021. Although the enforcement was postponed for another year, all business operators are required to arrange and maintain security and protection of personal data as prescribed by the Ministry of Digital Economy and Society (“MDES”). The MDES issued the Ministerial Notification Re: Standards of Security Protection of Personal Data, B.E. 2563 (2020), with an effective date from July 18, 2020 until May 31, 2021. The descriptions therein regarding notification and safety requirements are comparatively generic and do not prescribe specific standards, applications, or technical measures. Furthermore, the notification itself is thought to be effectively unenforceable given the grace period that has already been announced. It, therefore, is seen as a hybrid message to the operators to remind them to be mindful of this law and that the regulatory environment will be tougher in the coming months. Therefore, operators should start to... 
