When it comes to the Thailand PDPA, companies will often fail by inadvertently allowing inappropriate access to personal data under their control.
Organizations must provide appropriate security measures to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when necessary, or when technology changes, in order to maintain the appropriate level of security effectively. The measures shall also be in accordance with the minimum standard specified and announced by the Committee.
The Controller must implement appropriate access measures to protect personal data from unlawful access to data by employees, contractors or processors.
But what access controls are best suited to Data Privacy within an organisation?
This article discusses:
- Why access controls matter.
- Role-based access controls (RBAC)
- Principle of Least Privilege (POLP)
WHY ACCESS CONTROLS MATTER
It is tempting to give endpoint users administration access on their devices to avoid any complications during the workday. However, this introduces considerable risk to your network because it increases the opportunity for users to compromise personal data.
When you consider that 74% of data breaches happen because of privileged credential abuse, the importance of access control becomes clear.
Deciding who and what has access to certain information and resources is known as access control. Appropriate access controls are essential to ensuring PDPA compliance.
There are five access control methods:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Rule Based Access Control (RB-RBAC)
- Role Based Access Control (RBAC)
- Principle of Least Privilege (POLP)
RBAC and POLP are the most appropriate access controls to implement under PDPA. We break down what these are and how to implement them below.
ROLE BASED ACCESS CONTROL (RBAC)
Role Based Access Control provides access to personal data based on employees’ roles when processing data. This means that access permissions are linked to particular positions within the organisation, rather than specific people.
For example, HR associate Jane will have access to salary data. When Jane moves to the Marketing Department, she will no longer have access to salary data, but will now have access to marketing lists, because she needs access to the marketing lists to do her job.
This is a popular model for access control because of its flexibility and ease of use. Because permissions are assigned to roles instead of individuals, IT departments can react quickly to organisational changes. We recommend this is set up using security groups, as it is easy to remove a person from one group and add them to another.
However, there are several drawbacks to RBAC:
- RBAC can further complicate permission administration for the IT department because the number of roles grows as organisations grow.
- RBAC does not account for differences between roles and day-to-day realities. For instance, a marketing team may have two brand coordinators, but only one of them needs access to the marketing list to do their job.
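As an added illustration (not code from the original article), the following Python model replays the Jane scenario and the two-brand-coordinator case above. Permissions attach to roles (security groups), never to people; role names, user names and permission strings are constructed sample data, and a deliberately narrow extra role is one way to give only the coordinator who needs the marketing list access without widening the whole team's role.

```python
"""Toy RBAC model: permissions hang off roles, users hang off roles, and a
user's effective access is the union over the roles they hold."""

# Constructed sample data: what each role (security group) may do.
ROLE_PERMISSIONS = {
    "hr_associate": {"salary_data:read"},
    "marketing_associate": {"campaign_data:read"},
    # Narrow role for the single coordinator who needs the list, so the
    # broad marketing role does not carry marketing-list access for everyone.
    "marketing_list_editor": {"marketing_list:read", "marketing_list:write"},
}


class AccessPolicy:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}  # user -> set of role names

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")  # no ad-hoc roles
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def move(self, user, old_role, new_role):
        """Department change: leave the old group, join the new one."""
        self.revoke(user, old_role)
        self.assign(user, new_role)

    def permissions(self, user):
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def allowed(self, user, permission):
        return permission in self.permissions(user)

    def who_can(self, permission):
        """Access-review helper: every user currently holding a permission."""
        return sorted(u for u in self.user_roles if self.allowed(u, permission))


def build_example():
    """Replays the article's scenarios and returns the resulting policy."""
    policy = AccessPolicy(ROLE_PERMISSIONS)
    policy.assign("jane", "hr_associate")                 # Jane in HR
    policy.move("jane", "hr_associate", "marketing_associate")  # moves dept
    policy.assign("jane", "marketing_list_editor")        # needs the list
    for coordinator in ("ann", "bob"):                    # two coordinators
        policy.assign(coordinator, "marketing_associate")
    policy.assign("ann", "marketing_list_editor")         # only Ann needs it
    return policy
```

`who_can` is the query an access review under PDPA actually needs: not "what can Jane do" but "who can reach the salary data today".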
PRINCIPLE OF LEAST PRIVILEGE (POLP)
The Principle of Least Privilege (POLP) is, by definition, synergistic with PDPA. POLP limits the access rights of users to the bare minimum needed to do their jobs (principle of data minimisation). This lays the groundwork for privacy by design security and infrastructure.
POLP has several benefits including:
- Avoiding malware propagation
- Limiting entrances for malicious actors
- Improving data classification
- Complying with global regulatory requirements
POLP is trickier to implement than RBAC. POLP usually requires a privileged access management solution instead of relying on the IT department for all access control management.
No access control model is perfect. However, we recommend the Principle of Least Privilege because it best reflects the principles of PDPA.