From Awareness to Accountability: Breach Notification Under Thailand’s PDPA

Thai-language version available here: https://fosrlaw.com/2026/การแจ้งเหตุละเมิดข้อมู/

Why the 72-Hour Rule Is Only the Beginning

Data breach notification under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is often reduced to a single rule: notification to the Office of Personal Data Protection Committee (“PDPC”) should be made without delay and, where feasible, within 72 hours of becoming aware of a personal data breach.

That formulation is accurate as far as it goes. It is also incomplete.

In practice, the most difficult questions in a live cyber incident rarely arise after the facts are clear. They arise while the facts are still developing: when unauthorized access is suspected but not fully confirmed, when affected systems contain data from multiple jurisdictions, when it is unclear whether Thai data subjects are involved, when forensic review remains ongoing, and when the distinction between access, copying, exfiltration, publication, and misuse has not yet been established.

In those circumstances, breach notification analysis is not a mechanical countdown exercise. It requires judgment.

This does not diminish the importance of timely notification. Rather, it underscores that timing must be assessed together with the controller’s factual awareness, risk assessment, and continuing duty to supplement material information as it becomes available.

This article builds on our earlier discussion of personal data breach notifications under Thailand’s PDPA (see https://fosrlaw.com/2022/personal-data-breach-notifications/) and reflects the broader transition discussed in Thailand PDPA in Its Second Phase: What Recent Developments Really Indicate (see https://fosrlaw.com/2026/pdpa-phase-2/), namely the movement from first-generation documentation toward operational accountability.

The relevant questions include when the controller can properly be regarded as aware of a reportable breach, whether an initial notification should be submitted while the investigation remains incomplete, whether the incident creates risk or high risk to affected individuals, whether separate Thai legal entities require separate analysis, and whether later developments require supplementary engagement with the PDPC or affected data subjects.

The 72-hour rule is therefore only the beginning. The more important issue is how an organization demonstrates accountability while operating under factual uncertainty.

Awareness Is Not Always the First Technical Signal

The starting point for breach notification analysis is awareness. However, awareness should not be confused with every preliminary technical indication, system anomaly, threat communication, or unverified internal report.

In a live incident, organizations may initially know only that suspicious activity has occurred. They may not yet know whether personal data was involved, whether the data relates to individuals in Thailand, whether access resulted in copying or exfiltration, or whether the affected dataset falls within the control of a Thai entity.

That distinction matters.

A data controller should not treat the awareness threshold as a purely technical moment detached from legal characterization. The relevant question is not simply when a system event occurred, but when the controller had reasonable grounds to conclude that a personal data breach, within the meaning of the PDPA, had occurred.

This is particularly important in multi-jurisdictional incidents. A regional or global cyber incident may involve infrastructure used by several affiliated entities, but Thai notification obligations require Thailand-specific analysis. The mere existence of a regional breach does not, by itself, answer whether personal data relating to individuals in Thailand was affected, which Thai entity acts as controller, or whether the incident is reportable in Thailand.

At the same time, factual uncertainty should not be treated as a basis for waiting until every technical and forensic issue is resolved. Once there are reasonable grounds to believe that a personal data breach involving personal data relating to individuals in Thailand has occurred, and that the incident may create risk to affected individuals, the responsible approach from a regulatory standpoint is to proceed with an initial notification while clearly explaining the limits of the information available and the fact that the investigation remains ongoing.

Preliminary Notification Under Factual Uncertainty

One of the most important practical features of breach response under the PDPA is that notification does not necessarily require a completed forensic investigation.

In many cyber incidents, a complete investigation may take weeks or longer. Waiting for perfect information may be inconsistent with the purpose of breach notification, particularly where affected data may include identification data, financial information, employment records, sensitive personal data, or other categories that could create risk to individuals.

This creates a practical tension. A notification submitted before all facts are known will often be incomplete. That is not, by itself, a defect where the controller is transparent about what is known, what remains under investigation, what measures have already been taken, and how further information will be supplemented. By contrast, waiting for complete certainty may be inconsistent with the controller’s duty to act without delay once the reporting threshold has been reached.

The solution is not to force certainty where certainty does not yet exist. The better approach is structured transparency.

An initial notification may be appropriate where the controller has sufficient grounds to believe that a breach involving Thai personal data may have occurred, even if the precise number of affected individuals, categories of data, or technical cause remains under investigation. In that case, the notification should clearly identify what is known, what remains under review, what measures have already been taken, what the current risk assessment is, and how the controller intends to supplement information as the investigation progresses.

This is not merely a procedural point. It reflects a broader shift in Thai privacy compliance from document production to operational accountability. For further context on this enforcement trajectory, see Thailand’s PDPA: Enforcement in Action and Cross-Border Data Transfers.

Risk and High Risk Are Different Questions

A further source of complexity is the distinction between notification to the PDPC and notification to affected data subjects.

Under the PDPA framework, notification to the PDPC is linked to whether the personal data breach is likely to result in risk to the rights and freedoms of individuals. Notification to data subjects is generally associated with a higher threshold, where the breach is likely to result in high risk to the rights and freedoms of affected individuals, in which case the data controller must notify the personal data breach and remedial measures to the affected data subjects without delay.

This distinction is critical.

Not every reportable breach will necessarily require direct notification to data subjects. Conversely, where the facts indicate a high risk to individuals, data subject notification cannot be treated as a mere optional courtesy or reputational issue.

The risk assessment should consider the nature of the data, the circumstances of the breach, the likelihood of misuse, the vulnerability of affected individuals, the scale of the incident, and whether the data has been accessed, copied, disclosed, offered for sale, or otherwise made available to unauthorized parties.

Sensitive personal data, identification documents, financial information, payroll data, health data, credentials, or data that may enable fraud or impersonation may increase the likelihood that the high-risk threshold is met. The same may be true where there is evidence that data has moved beyond unauthorized access into actual exfiltration, publication, or attempted dissemination.

The practical issue is that risk assessment may evolve. A breach initially assessed as presenting risk may later require reassessment if further investigation confirms more serious facts.

Entity-Level Responsibility in Group Incidents

Multinational organizations often respond to cyber incidents at group level. That is understandable from an operational and technical perspective. Systems may be shared, infrastructure may be centralized, forensic investigation may be coordinated regionally, and crisis communications may be managed by headquarters or a regional response team.

Thai PDPA analysis, however, still requires entity-level responsibility to be assessed carefully.

Where multiple Thai entities are involved, the fact that the same cyber incident affected them does not necessarily mean that a single notification is sufficient. Separate legal entities may act as separate controllers. They may hold different categories of personal data, relate to different data subjects, operate in different business contexts, and face different levels of risk or impact.

This is a common point of tension in group incidents. A single regional narrative may be operationally efficient, but regulatory responsibility often remains tied to the legal entity that determines the purposes and means of processing personal data in Thailand.

Accordingly, group-level incident management should be aligned with local controller analysis. Where separate Thai entities are affected, each entity’s role, dataset, affected individuals, and risk position should be considered separately.

This is not formalism. It is part of maintaining regulatory traceability.

This entity-level approach also aligns with the broader comparative point made in GDPR vs. Thailand PDPA: Substantive Legal Comparison June 2025: GDPR familiarity may provide a useful reference point, but Thai PDPA compliance still requires local analysis of role, responsibility, and implementation.

Supplementary Notification as Part of the Accountability Process

A breach notification should not be viewed as a one-time event if material facts remain under investigation.

Where an initial notification is submitted on a preliminary basis, later developments may necessitate supplementary communication with the PDPC as part of the controller’s accountability and cooperation with the regulator. This may be appropriate where the organization later confirms material facts that were previously unknown, such as the involvement of Thai personal data, the categories of affected data, the number of affected data subjects, the inclusion of sensitive data, evidence of exfiltration, publication, misuse, or a change in the risk assessment.

Supplementary notification does not necessarily mean that the initial notification was deficient. In many cases, it reflects the reality that breach response is iterative.

This is especially important where a cyber incident develops over time. A controller may initially know that systems were accessed. Later, it may confirm that data was copied. Later still, it may learn that data has been posted, offered, or circulated in a way that materially changes the risk to affected individuals.

Each stage may alter the legal and operational assessment.

The question is therefore not simply whether the controller “already notified.” The question is whether the regulator has been kept appropriately informed of material developments relevant to the risk, impact, and mitigation of the breach.

Data Subject Communications Must Be Operationally Useful

Where data subject notification is required, the communication should not be treated as a generic announcement.

A high-risk notification should help affected individuals understand what happened, what categories of personal data may be involved, what risks may arise, what steps the controller has taken, what practical measures individuals may consider, and whom they may contact for further information.

This matters because breach communications often fail in one of two ways.

Some are too vague. They inform individuals that an incident occurred but do not explain the potential consequences, the relevant data categories, or the practical precautions that may be appropriate.

Others are too broad. They recommend drastic steps without calibrating those recommendations to the actual risk, such as advising individuals to take measures that may be unnecessary or impractical based on the information available.

A legally effective communication should be accurate, proportionate, and operationally useful. It should not speculate beyond the facts, but it should provide enough information for individuals to take reasonable protective steps.

This is particularly important where the affected data may create risks of phishing, impersonation, fraud, identity misuse, unauthorized financial activity, or misuse of sensitive information.

Breach Notification Is Not Only a Legal Filing

The PDPA notification process should be understood as one part of a broader governance response.

A serious breach response may involve forensic investigation, system containment, business continuity measures, communications with employees or customers, vendor coordination, review of records of processing activities, reassessment of security controls, monitoring for publication or misuse, and internal documentation of decision-making.

The PDPC notification is therefore not simply a form. It is a regulatory expression of how the organization has understood, contained, assessed, and managed the incident.

That is why the quality of the underlying governance response matters. A notification that merely reports an incident without showing containment, assessment, mitigation, and ongoing review may be formally submitted but substantively weak.

Conversely, a carefully structured notification that explains known facts, uncertainty, containment measures, risk assessment, and future supplementation can demonstrate seriousness and regulatory accountability even where the investigation is incomplete.

This governance approach is also consistent with broader cybersecurity developments in Thailand. For related discussion of technical and organizational security expectations, see Thailand’s New Website Security Standards 2025: Implications for Compliance Under the Cybersecurity Act.

The Role of Other Authorities

Not every personal data breach will require notification to other Thai authorities beyond the PDPC.

However, depending on the facts, organizations may need to consider whether the incident implicates other legal or regulatory frameworks. This may include cybercrime reporting, law enforcement engagement, sector-specific regulators, or obligations applicable to critical infrastructure or regulated industries.

A police report or criminal complaint may be relevant where the incident involves criminal access, extortion, theft of data, fraud, or subsequent misuse. It may also support the organization’s record of response measures and assist if affected individuals later face impersonation, fraud, or other misuse of personal data.

That said, the PDPA itself should not be conflated with every possible cybersecurity or criminal reporting obligation. The need to engage other authorities depends on the nature of the incident, the affected systems, the sector involved, the data at issue, and the broader legal environment.

This reinforces the central point: breach response requires legal characterization, not automatic escalation.

Where incidents involve online platforms, digital service providers, or intermediary environments, breach response may also intersect with Thailand’s wider platform-governance and cybercrime framework. For related context, see Thailand Digital Platform Regulation 2025.

Practical Implications for Organizations

For organizations operating in Thailand, the key lesson is that breach notification should not be approached as a narrow deadline-management exercise.

The more important questions are whether the organization has a defensible process for identifying awareness, assessing risk, determining controller responsibility, documenting uncertainty, deciding whether to notify, preparing meaningful communications, and updating the regulator when material facts change.

Organizations should therefore ensure that their breach response procedures address not only the 72-hour rule, but also the judgment calls that arise before, during, and after notification.

This includes internal escalation protocols, Thailand-specific data mapping, controller and processor analysis, entity-level responsibility, data subject risk assessment, decision logs, notification templates, regulator communication procedures, and mechanisms for supplementary reporting.

In practice, organizations that prepare only for the filing obligation may find themselves underprepared for the actual governance burden of a live incident.

Key Takeaways for PDPA Breach Notification Compliance

Breach notification under Thailand’s PDPA is often described by reference to the 72-hour rule. That rule is important, but it does not capture the full legal and operational analysis.

The more difficult issues arise in the space between awareness and certainty.

Organizations may need to make decisions while forensic investigations are incomplete, while affected datasets remain under review, while the involvement of Thai personal data is not yet fully confirmed, and while the risk to individuals may change as new facts emerge.

In that environment, the central question is not simply whether a notification was filed within a deadline. The central question is whether the controller acted with structured judgment, documented its reasoning, communicated appropriately, reassessed material developments, and demonstrated accountability throughout the incident response process.

Thailand’s PDPA is increasingly moving in that direction. Breach notification should therefore be understood not as a standalone compliance form, but as part of a broader discipline of operational privacy governance.


Disclaimer

This publication is provided solely for general informational purposes and does not constitute legal advice. The application of law may vary depending on specific facts and circumstances, and readers should seek appropriate professional advice before acting on any of the matters discussed herein.


Authors

  • Naytiwut Jamallsawat is a partner at Formichella & Sritawat and a recognized legal advisor in Thailand’s telecommunications, media, and energy sectors. He represents leading multinational and Thai companies in complex legal and regulatory matters, with a focus on high-compliance industries, including telecommunications licensing, satellite operations, media platforms, and data privacy.

    In the energy sector, Naytiwut has advised on numerous greenfield and brownfield generation projects—both conventional and renewable—providing legal guidance on project development, transactional structuring, and compliance with Thai regulatory frameworks.

    He leads the firm’s specialized group of lawyers focused on telecommunications, media, technology (TMT), and data privacy. In this role, he ensures the delivery of practical, business-focused legal solutions across regulated and fast-evolving sectors. Naytiwut also works closely with founding partner John Formichella on TMT and energy mandates, providing integrated legal support on transactions and compliance matters involving international and domestic stakeholders.

  • John Formichella heads our Telecommunication, Media, Technology, Data Privacy Practice, and is past Chair of the Information and Communications Technology Committee of the American Chamber of Commerce in Bangkok. He is rated as Leading Individual by Legal 500 and ranked as a Band 1 individual by Chambers and Partners.

  • Supitchaya Akeyati is an associate attorney at Formichella & Sritawat Attorneys at Law (FOSR Law) in Bangkok, Thailand. She specializes in corporate law, commercial law, personal data protection law, and litigation. Her current practice primarily focuses on corporate matters and personal data protection. Additionally, she assists senior lawyers and partners in providing legal advice related to technology, media, and telecommunications (TMT).