Cybersecurity and Customer Data Privacy Protection


To strengthen cybersecurity and customer data privacy protection with enhanced technology and people capabilities in order to improve productivity, ensure compliance and build trust with all stakeholders


In the digital age, information is the most valuable resource for conducting the banking business while data volume and the ability to manage data are key factors that help us differentiate ourselves and gain an advantage over peer banks. The more valuable the information, the more important information security is for businesses. Therefore, we attach great significance to providing data security and personal data protection to mitigate risks related to unauthorized access, unlawful use, data leakage, data theft, loss of data and violation of personal data privacy, which will potentially cause damage to the Bank and data subjects. We have implemented a proper data security mechanism, effective data governance process and appropriate personal data protection measures that include raising awareness and building employee capabilities to tackle cyber threats and comply with personal data protection guidelines to build trust among customers, suppliers and business partners of the Bank.
Management Approach
Cybersecurity Management

Cyber threats in the digital age come in various forms with complexity that can cause widespread damage. Accordingly, we have established a clear IT security and cybersecurity framework that conforms to international standards. We have also reviewed our IT security and cybersecurity policies to ensure they are consistent with international standards of ISO/IEC 27002 and that they are suitable for current technologies and cyber threats. In addition, we have adopted new technologies to monitor and detect anomalies and irregular incidents that may damage the Bank’s data or IT systems. Moreover, we have established security standards for all data collected through the Bank’s services. Our systems are regularly assessed against these security standards, both before and after customers use a service. The Bank has been certified for various international security standards including ISO/IEC 27001:2013 for the Bank of Thailand Automated High-value Transfer Network (BAHTNET) and the Imaged Cheque Clearing and Archive System (ICAS) and is in the process of being certified for PCI/DSS security standard. As a testimony of our commitment to and vigilance on cybersecurity, the Bank received the Certificate of Cyber Hygiene (Gold Level) from the National Cyber Security Agency in 2022 for our compliance with required basic cybersecurity standards.

Cybersecurity Governance Structure

To ensure the efficiency and effectiveness of our information security and cybersecurity, the Bank has clearly defined the scope of responsibility for relevant parties throughout the organization as follows:

Personal Data Protection Management

It is our duty and responsibility to protect customers’ personal data from loss or unauthorized access, usage, change and disclosure. Therefore, we have established principles and practices on personal data protection in accordance with laws and rules imposed by regulators, the Bank’s personal data protection policy, and other related policies. These principles and practices cover personal data privacy protection measures and notifications in cases of violation of personal data privacy. Relevant parties are assigned the responsibility to review and monitor data, oversee the granting of access rights and data classification as well as levels of data classification, so as to determine the extent of personal data security measures that are consistent with the degree of risk and potential impacts from a breach of personal data privacy.

To ensure that the personal data protection processes and practices comply with rules imposed by regulators and the Bank, we have put in place an audit of personal data protection practices by the Audit and Control Division, which is independent from the units that collect, use and disclose personal data. Besides, personal data risk has been recognized as one of the Bank’s major risks, requiring the Data Protection Office, and the responsible officers to participate in the Bank’s risk management process covering personal data risk identification to risk management and control.

Personal Data Protection Policy and Standards

The Bank has established a personal data protection policy and personal data protection standards in accordance with the Personal Data Protection Act B.E.2562 (2019) and related rules and regulations. All involved persons must comply with the policy and standards, which apply to the entire financial conglomerate including business partners and external suppliers. In addition, we disseminate a Privacy Notice through our website, branches and digital banking channels to inform customers about personal data protection and data subject rights.

The Bank also provides consent forms that give details regarding the collection, use and disclosure of the customers’ personal data so that data subjects can deliberate before giving consent, before or during the data processing. However, giving such consent is the data subject’s choice and will not in any way be a requirement for using the Bank’s services. Additionally, we also monitor data used for secondary purposes, such as marketing, research and analysis for the purpose of improving products and services’ quality, which is a data usage permitted by the Bank’s personal data protection practices and allowed by laws. In 2022, approximately 60 percent of all customers have given consent for personal data used for secondary purposes.

Governance on Personal Data Protection

The Bank has clearly defined the governance structure of personal data protection by specifying roles and responsibilities of the Board of Directors, senior executives and related units as well as adopting risk management under the three lines of defense principle. In addition, we have established a Data Protection Office (DPO Office) under the Compliance Unit and appointed a Data Protection Officer (DPO) to be in charge of personal data protection at the Bank to ensure that the governance of personal data protection is effective and compliant with laws, the Bank’s policies and practices.

Guidelines for a Breach of Personal Data

The Bank has established guidelines, procedures and responsible persons to respond to a breach of personal data according to regulatory requirements and the Bank’s personal data protection policy to ensure clear understanding and proper compliance of related parties. All employees shall acknowledge and comply with a guideline accompanying the personal data protection policy. Failures to comply with the policy guideline may result in disciplinary actions, including a termination of employment. In addition, violation of the policy may be found criminally liable and be subjected to legal measures according to applicable laws and regulations.

Key Activities
In 2022, the Bank carried out the following key activities:

  • Requirements for all executives and employees to enroll in mandatory online courses including Personal Data Protection and Phishing.
  • Requirements for employees under related units to enroll in a role-specific curriculum on personal data protection.
  • Requirements for the Board of Directors to enhance their knowledge on IT security and cybersecurity management on a regular basis through their participation in training programs organized by internal units and external agencies which are held annually. In 2022, we provided various training courses including Cybersecurity Outlook, Management Guidelines for Building Organizational Resilience and the Application of the Personal Data Protection Act B.E. 2562 (PDPA).
  • Continuous communication of news and knowledge about cybersecurity through internal communication channels to ensure that employees are aware of emerging cyber threats
  • Launch of the PDPA Awareness Campaign to educate related parties on proper practices under the Personal Data Protection Act B.E. 2562 (PDPA) through articles, infographics and videos as well as providing channels to seek advice from experts.
  • Organizing the Annual Information Security and Cybersecurity Awareness Forum to share information and knowledge on IT security and cybersecurity to executives and employees. In 2022, the Bank organized an activity under the topic of Preparing for Security, Privacy and Emerging Technology Adoption with Dr. Kitti Kosavisutte, the Bank’s Security Management Manager as a speaker to share knowledge and experience related to cyber threats and countermeasures.


We are ready to help you.


We are ready to help you.

You are now leaving Bangkok Bank's website